
How To Set up AWS Security Hub?

AWS Security Hub is a service that collects data from various AWS services, identifies security issues, and gives us a comprehensive view of all of them together with their cause and remediation.

It helps us keep the AWS services and the applications we deploy on AWS more secure and in line with industry-standard security practices.



Why Do We Need It?

Security Hub makes a number of things easier; the primary ones are listed below:

Setup Security Hub

You can set up Security Hub for your account using three methods:

  1. AWS Web Console
  2. AWS CLI
  3. AWS Multi-Account Setup (Script)

Method 1: AWS Console

To set up Security Hub for your account using the AWS Console, follow the steps below. To learn how to create an AWS account, refer to Amazon Web Services (AWS) – Free Tier Account Set up.

Step 1: Open the Security Hub Service page.

After opening the Security Hub home page, click on “Go to Security Hub”.

Step 2: Configure Security Hub Options.

Choose the security standards against which the security checks will be performed, then click on “Enable Security Hub”.

Step 3: View Findings.

After enabling Security Hub, it may take some time for it to collect and analyze data before presenting findings; once that is done you can view the issues in the Findings tab.

Method 2: AWS CLI

You can also enable it with the securityhub commands of the AWS CLI; run the command below to set up Security Hub with the default standards.

aws securityhub enable-security-hub --enable-default-standards --tags '{"enabledBy": "DilLip"}'
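The same enablement done from Python, as an added example that is not from the article or from AWS. It calls the boto3 Security Hub operations enable_security_hub, describe_hub and get_enabled_standards, treats the ResourceConflictException that Security Hub returns when the hub is already enabled as success so the function can be re-run safely, maps the InvalidAccessException that describe_hub raises on a disabled hub to False, and follows NextToken pagination. Passing the client in as a parameter is an assumption of this example, made so the logic can be exercised without AWS credentials.

```python
"""Enable AWS Security Hub with boto3 and verify the result.

Added example (not from the article or AWS): the programmatic equivalent of
`aws securityhub enable-security-hub --enable-default-standards`, written so
that re-running it against an already enabled account is harmless. The client
is injected so the same code drives a real boto3 client or a stand-in.
"""

ALREADY_ENABLED = "ResourceConflictException"   # error code when hub is already on
NOT_ENABLED = "InvalidAccessException"          # error code from describe_hub when off


def _error_code(exc):
    """Pull the AWS error code out of a botocore ClientError-style exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def enable_hub(client, tags=None, enable_default_standards=True):
    """Enable Security Hub in the account and region the client is bound to.

    Returns "enabled" when this call turned the hub on, or "already-enabled"
    when Security Hub reports it was on before. Any other error propagates.
    """
    params = {"EnableDefaultStandards": enable_default_standards}
    if tags:
        params["Tags"] = tags
    try:
        client.enable_security_hub(**params)
        return "enabled"
    except Exception as exc:  # boto3 raises a generated ClientError subclass
        if _error_code(exc) == ALREADY_ENABLED:
            return "already-enabled"
        raise


def hub_is_enabled(client):
    """describe_hub only succeeds when Security Hub is enabled."""
    try:
        client.describe_hub()
        return True
    except Exception as exc:
        if _error_code(exc) == NOT_ENABLED:
            return False
        raise


def enabled_standards(client):
    """Return {standards ARN: status} for every subscribed standard.

    get_enabled_standards is paginated; NextToken is followed until exhausted.
    """
    result = {}
    token = None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = client.get_enabled_standards(**kwargs)
        for sub in page.get("StandardsSubscriptions", []):
            result[sub["StandardsArn"]] = sub["StandardsStatus"]
        token = page.get("NextToken")
        if not token:
            return result


if __name__ == "__main__":
    import boto3  # only needed when run against a real account
    hub = boto3.client("securityhub")
    print(enable_hub(hub, tags={"enabledBy": "example"}))
    print("enabled:", hub_is_enabled(hub))
    for arn, status in enabled_standards(hub).items():
        print(status, arn)
```

Standards show up in get_enabled_standards with a status of PENDING first and move to READY once Security Hub has finished subscribing, so a script that waits for READY before reading findings avoids the empty Findings tab the console section mentions.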

Method 3: AWS Multi-Account Setup

You can also use the script below, provided by AWS Labs, to enable Security Hub across multiple accounts; the steps are:

sudo apt-get install python3.9 python3-pip
python3 -m pip install boto3
git clone https://github.com/awslabs/aws-securityhub-multiaccount-scripts.git
cd aws-securityhub-multiaccount-scripts/multiaccount-enable
python3 enablesecurityhub.py --master_account <Account Id> --assume_role <Service role name> input_file

Role Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": [
                        "securityhub.amazonaws.com",
                        "config.amazonaws.com"
                    ]
                }
            },
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "securityhub:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "config:DescribeConfigurationRecorders",
                "config:DescribeDeliveryChannels",
                "config:DescribeConfigurationRecorderStatus",
                "config:DeleteConfigurationRecorder",
                "config:DeleteDeliveryChannel",
                "config:PutConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:StartConfigurationRecorder"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:PutBucketPolicy",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::config-bucket-*",
            "Effect": "Allow"
        }
    ]
}

Trusted Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<MasterAccountId>"
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}

All of the above can also be automated with the CloudFormation template in the EnableSecurityHub.yaml file. After configuring the required items and running the script, Security Hub is enabled in your accounts and tracks security issues, reporting them in the console dashboard.
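Because the role and trust policies above are created in every member account, a mistake is replicated everywhere at once. The following linter is an added example, not from the article or the awslabs repository: it checks that the policy Version is exactly "2012-10-17", that the trust policy names the master account rather than "*" or an unfilled placeholder such as "<MasterAccountId>", and lists every unconditioned Allow statement that pairs a wildcard action with Resource "*" so a reviewer can confirm each one is intended (the script does need securityhub:*). The sample documents in the block and the account id 123456789012 are constructed for the example.

```python
"""Lint the role policy and trust policy before rolling them out.

Added example, not from the article or the awslabs repository. It checks that
"Version" is exactly "2012-10-17" (IAM rejects anything else apart from the
legacy "2008-10-17"), that the trust policy names the master account rather
than "*" or an unfilled placeholder such as "<MasterAccountId>", and lists
every unconditioned Allow statement that pairs a wildcard action with
Resource "*" so a reviewer can confirm each one is intended. The sample
documents at the bottom are constructed for this example.
"""
import json
import re

VALID_VERSION = "2012-10-17"
ACCOUNT_ID = re.compile(r"^\d{12}$")
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|role/.+|user/.+)$")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_version(policy):
    version = policy.get("Version")
    if version == VALID_VERSION:
        return []
    return [f'Version must be "{VALID_VERSION}", got {version!r}']


def lint_trust_policy(policy, master_account):
    """Problems in a trust policy meant to be assumed from master_account only."""
    problems = lint_version(policy)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            problems.append("any principal may assume the role (Principal is *)")
            continue
        for who in _as_list((principal or {}).get("AWS")):
            if who == "*":
                problems.append("any AWS account may assume the role")
            elif not (ACCOUNT_ID.match(who) or IAM_ARN.match(who)):
                problems.append(f"principal {who!r} is not an account id or IAM ARN")
            elif master_account not in who:
                problems.append(f"principal {who!r} is not master account {master_account}")
    return problems


def wildcard_grants(policy):
    """Wildcard actions granted on Resource "*" by unconditioned Allow statements."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        wild = tuple(a for a in _as_list(stmt.get("Action")) if a.endswith("*"))
        if wild and "*" in _as_list(stmt.get("Resource")):
            found.append(wild)
    return found


def lint_role_policy(policy):
    problems = lint_version(policy)
    for actions in wildcard_grants(policy):
        problems.append(f"review wildcard grant {', '.join(actions)} on Resource *")
    return problems


# Constructed sample: placeholder never filled in and a mangled Version.
BAD_TRUST = json.loads('''{"Version": "2012-10-17T00:00:00.000Z",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "<MasterAccountId>"},
                 "Action": ["sts:AssumeRole"]}]}''')

# Constructed sample: the same document filled in for master account 123456789012.
GOOD_TRUST = json.loads('''{"Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": ["sts:AssumeRole"]}]}''')

# Constructed sample: the two broadest statements of the article's role policy.
ROLE = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Condition": {"StringLike": {"iam:AWSServiceName": ["securityhub.amazonaws.com"]}},
   "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
  {"Action": "securityhub:*", "Resource": "*", "Effect": "Allow"}]}''')

if __name__ == "__main__":
    print("bad trust :", lint_trust_policy(BAD_TRUST, "123456789012") or "ok")
    print("good trust:", lint_trust_policy(GOOD_TRUST, "123456789012") or "ok")
    print("role      :", lint_role_policy(ROLE) or "ok")
```

Run it over the two documents you intend to deploy (json.load on the files) and only feed the script an input_file once both return no problems; the iam:CreateServiceLinkedRole statement is deliberately not reported because its Condition restricts it to the Security Hub and Config service-linked roles.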

Conclusion

Setting up AWS Security Hub can help you improve your organization’s security posture and compliance status. By following the steps outlined above, you can enable Security Hub for your AWS accounts and start using it to identify and address potential security risks.

FAQs On AWS Security Hub

1. What Is The Difference Between Security Hub and GuardDuty?

Security Hub gives you an overview of your security posture. GuardDuty identifies incoming threats.

2. Is AWS Security Hub a SIEM Tool?

No, AWS Security Hub is not a SIEM tool, but it does analyse the data that comes into it.