AWS Security Hub Deep Dive
Nagesh Ramamoorthy
15-04-2020
Agenda

Part 1
• Security Hub Overview
• Multi-Account Structure
• Access and Privileges
• Findings
• Insights
• Integrations

Part 2
• CIS Compliance
• Service-Linked Config Rules
• Findings – status, overall status, severity
• Security Score
• Pricing
Part 1: General Features

Definition
AWS Security Hub provides a comprehensive view of the security posture across AWS accounts and checks the compliance status against industry standards such as CIS and PCI DSS.
Core Features
• Receives security findings from the various security services of the AWS account(s)
• Receives and/or sends security findings to and from third-party providers
• Checks compliance against industry standard controls such as the CIS benchmark and PCI DSS and generates security findings where required
• Tight integration with the native CloudWatch and CloudTrail services for alerting and logging
Overview
• Generally available since June 2019
• AWS Security Hub is a regional service.
• Available in 19 regions
• There is a free trial of 90 days for Security Hub
• Security Hub is SOC, ISO, PCI, and HIPAA certified
• Security Hub is integrated with CloudTrail and CloudWatch.
• When we enable Security Hub in a given region, it automatically starts reading the findings from the AWS services, and optionally we can enable industry standards like CIS and PCI DSS
• Security Hub is a multi-tenant service offering. To ensure data protection, Security Hub encrypts data at rest and data in transit between component services
Multi-Account Structure
[Diagram: one master account linked to several member accounts]
• Added accounts are member accounts. From the master account, you can view findings in member accounts.
• If your invitations are accepted by a member account, your account is designated as the Security Hub master account.
Multi-Account Structure
• Adding a member account is a three-step process:
  o Add the account from the master account
  o Invite the added account from the master account
  o Accept the invite from the member account
• When the invited account accepts the invitation, the master account is granted permission to view the findings from the member account.
• The master account can also perform actions on findings in a member account.
• An account cannot be both a Security Hub master account and a member account at the same time. An account can accept only one membership invitation.
• If your account is the master account, you can't accept an invitation to become a member account.
• We can monitor findings from multiple member accounts in a region, but can't view the findings across regions in an account.
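The three-step onboarding above, driven through the Security Hub API, as an added example (not code from the presentation). `master` and `member` stand for boto3 `securityhub` clients for the two accounts; they are passed in so the logic can be exercised offline with stand-ins, and the account IDs and e-mail address are constructed values.

```python
"""Onboard a Security Hub member account: add, invite, accept (added example)."""


def add_member(master, member_account_id: str, email: str) -> None:
    """Step 1 (run as the master): register the account as a prospective member."""
    resp = master.create_members(
        AccountDetails=[{"AccountId": member_account_id, "Email": email}])
    if resp.get("UnprocessedAccounts"):
        raise RuntimeError(f"create_members failed: {resp['UnprocessedAccounts']}")


def invite_member(master, member_account_id: str) -> None:
    """Step 2 (run as the master): send the invitation to the added account."""
    resp = master.invite_members(AccountIds=[member_account_id])
    if resp.get("UnprocessedAccounts"):
        raise RuntimeError(f"invite_members failed: {resp['UnprocessedAccounts']}")


def accept_from_master(member, master_account_id: str) -> str:
    """Step 3 (run as the member): accept only the invitation from our master.

    An account can hold a single membership, so accepting blindly would let
    any account that sends an invitation become our master. Match on the
    inviting account ID before accepting.
    """
    invitations = member.list_invitations().get("Invitations", [])
    ours = [inv for inv in invitations if inv["AccountId"] == master_account_id]
    if not ours:
        raise LookupError(f"no pending invitation from {master_account_id}")
    invitation_id = ours[0]["InvitationId"]
    member.accept_invitation(MasterId=master_account_id, InvitationId=invitation_id)
    return invitation_id


def onboard_member(master, member, master_account_id: str,
                   member_account_id: str, email: str) -> str:
    """Run the three steps in order and return the accepted invitation ID."""
    add_member(master, member_account_id, email)
    invite_member(master, member_account_id)
    return accept_from_master(member, master_account_id)


if __name__ == "__main__":
    # Real use: boto3.session.Session(profile_name=...).client("securityhub")
    # for each account; the IDs and address below are constructed placeholders.
    import boto3  # noqa: F401  (only needed when running against AWS)
    master_client = boto3.Session(profile_name="sechub-master").client("securityhub")
    member_client = boto3.Session(profile_name="sechub-member").client("securityhub")
    print(onboard_member(master_client, member_client,
                         "111111111111", "222222222222", "security@example.com"))
```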
Access and Privileges

For Security Hub users
• By default, Security Hub is accessible only to account owners.
• IAM users can be given two levels of access using the following managed IAM policies:
  o AWSSecurityHubFullAccess – Provides access to all Security Hub functionality
  o AWSSecurityHubReadOnlyAccess – Provides read-only access to Security Hub

For the Security Hub service
• Security Hub creates a service-linked role called "AWSServiceRoleForSecurityHub" that needs access to the following actions:
  o Detect and aggregate findings from AWS services such as Macie, Inspector and GuardDuty
  o Configure the requisite AWS Config rules to check compliance against the industry standard CIS benchmarks
• The AWSServiceRoleForSecurityHub service-linked role is automatically created when you enable Security Hub for the first time, or when you enable Security Hub in a supported Region where you previously didn't have it enabled.
Findings
• The Findings tab lists all the findings from all the sources. The Findings tab supports Group by and Filter attributes.
• By default, the status filter is set to "Active".
• The Record state of a finding can be changed from "Active" to "Archived".
Findings Format
Each security finding follows a defined JSON format, shown below, which includes detailed information about the finding, so that no format conversion is required to transfer the data between tools.

"Findings": [
  {
    "AwsAccountId": "string",
    "Compliance": {
      "Status": "string",
      "RelatedRequirements": ["string"]
    },
    "Confidence": number,
    "CreatedAt": "string",
    "Criticality": number,
    ...
Insights
• Insights are groups of findings which can be created with a "Group by" filter and optional additional filters.
• There are managed Insights by AWS which can't be deleted or edited. We can create custom Insights.
• There are 30 managed Insights available today; examples include:
  o AWS resources with the most findings
  o AWS users with the most suspicious activity
Integrations
• The Integrations tab shows the list of current integrations with AWS Security Hub.
• It first shows the AWS service integrations, followed by the third-party integrations.
• Each integration shows details such as: company name, product name, description, how to enable the integration, and the current status of the integration.
• By default the AWS services are integrated once the AWS service is enabled, but the third-party products have to be enabled manually.
• AWS services integrated: AWS Macie, Detective, GuardDuty, Inspector, Firewall Manager, IAM Access Analyzer
Third-Party Integrations
• There are around 50 third-party integrations as per the official documentation.
• Each product integration either sends findings to Security Hub or receives findings from Security Hub; e.g. IBM QRadar both sends and receives findings.
• The Integrations tab provides the ability to enable or disable the integrations, including the default AWS service integrations.
• We can build a custom integration by programmatically sending findings using the BatchImportFindings API.
• Some of the third-party integrations: CyberArk: Privileged Threat Analytics, Symantec: Cloud Workload Protection, Splunk: Splunk Enterprise, IBM: QRadar SIEM, Forcepoint: Forcepoint NGFW
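A custom integration of the kind just described, serving both the Findings Format slide and the BatchImportFindings bullet: it builds a finding in the AWS Security Finding Format (ASFF), checks the fields Security Hub requires, and imports in batches of at most 100 per call. This is an added example, not code from the presentation; the `securityhub` client is injected (a boto3 client in real use) so it runs offline, and the account ID, bucket and generator name are constructed values.

```python
"""Build ASFF findings and import them in batches BatchImportFindings accepts."""
import json
from datetime import datetime, timezone

# Fields Security Hub requires on every imported ASFF finding.
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
    "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
    "Resources",
)
BATCH_LIMIT = 100  # BatchImportFindings takes at most 100 findings per call


def default_product_arn(region: str, account_id: str) -> str:
    """Product ARN Security Hub accepts for findings an account imports itself."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def build_finding(*, region, account_id, generator_id, finding_id, title,
                  description, resource_type, resource_id, severity_label,
                  compliance_status=None, now=None) -> dict:
    """Assemble one ASFF finding with all mandatory fields populated."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": default_product_arn(region, account_id),
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": severity_label},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": resource_type, "Id": resource_id,
                       "Partition": "aws", "Region": region}],
    }
    if compliance_status:
        # Compliance.Status is the field the Findings tab shows as PASSED/FAILED.
        finding["Compliance"] = {"Status": compliance_status}
    return finding


def validate_finding(finding: dict) -> list:
    """Return the required ASFF fields that are missing or empty."""
    return [name for name in REQUIRED_FIELDS if not finding.get(name)]


def chunk_findings(findings: list, limit: int = BATCH_LIMIT) -> list:
    """Split findings into lists no larger than the API's per-call limit."""
    return [findings[i:i + limit] for i in range(0, len(findings), limit)]


def import_findings(client, findings: list) -> dict:
    """Import findings via client.batch_import_findings, one legal batch at a time.

    `client` is a boto3 securityhub client or any object with the same method;
    it is injected so this module can run without AWS credentials.
    """
    bad = [f.get("Id") for f in findings if validate_finding(f)]
    if bad:
        raise ValueError(f"findings missing required ASFF fields: {bad}")
    totals = {"SuccessCount": 0, "FailedCount": 0, "FailedFindings": []}
    for batch in chunk_findings(findings):
        resp = client.batch_import_findings(Findings=batch)
        totals["SuccessCount"] += resp.get("SuccessCount", 0)
        totals["FailedCount"] += resp.get("FailedCount", 0)
        totals["FailedFindings"].extend(resp.get("FailedFindings", []))
    return totals


if __name__ == "__main__":
    # Constructed sample values; the account ID and bucket are not real.
    sample = build_finding(
        region="us-east-1", account_id="111122223333",
        generator_id="custom-scanner/s3-public-acl",
        finding_id="custom-scanner/s3/example-bucket/public-acl",
        title="S3 bucket grants public READ",
        description="Bucket ACL grants READ to AllUsers.",
        resource_type="AwsS3Bucket", resource_id="arn:aws:s3:::example-bucket",
        severity_label="CRITICAL", compliance_status="FAILED")
    print(json.dumps(sample, indent=2))
```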
Part 2: CIS Compliance

CIS Benchmark for AWS
The Center for Information Security (CIS) is a non-profit organization specializing in cyber security that produces security standards for various popular software products, including AWS.
The CIS benchmark for AWS has 49 recommendations across four sections:

Section                 Recommendations   Level 1             Level 2
Section 1: IAM          22                20 (4 not scored)   2 (1 not scored)
Section 2: Logging      9                 5                   4
Section 3: Monitoring   14                9                   5
Section 4: Networking   4                 2                   2 (1 not scored)

Security Hub supports all 43 scored recommendations (controls), leaving out the remaining 6 unscored recommendations.
Approach
• Security Hub also generates its own findings as the result of running automated and continuous checks against the rules in a set of supported security standards.
• To run security checks on your environment's resources, AWS Security Hub either uses steps specified by the standard, or uses specific AWS Config managed rules.
• For the standards to be functional in Security Hub, you must also enable AWS Config in your Security Hub accounts before you enable a security standard.
• Enabling AWS Config in your Security Hub master account does not automatically enable AWS Config in the Security Hub member accounts for that master account.
AWS Config Service-Linked Rules
• After you enable a security standard, Security Hub automatically creates the AWS Config service-linked rules that it needs to run checks against the enabled controls.
• These service-linked rules are specific to Security Hub. It creates them even if other instances of the same rules already exist.
• You can enable a security standard even if you have already reached the limit of 150 AWS Config managed rules in your account.
• For service-linked rules such as the ones that Security Hub adds for security standards, the limit is 150 rules per account per Region. This is in addition to the 150-rule limit on AWS Config managed rules.
• When a security standard is disabled, the related AWS Config rules that Security Hub created are removed.
• When a specific control in a security standard is disabled, the related AWS Config rules that Security Hub created are removed.
Compliance Checks
• After you enable a security standard, AWS Security Hub begins to run the checks within 2 hours.
• After the initial check, the schedule for each control may be either periodic or change-triggered.
• Periodic checks run automatically within 12 hours after the most recent run. You cannot change the periodicity.
• Change-triggered checks run when the associated resource changes state. Even if the resource does not change state, the UpdatedAt time for change-triggered checks is refreshed every 18 hours. This helps to indicate that the control is still enabled.
• In general, Security Hub uses change-triggered rules whenever possible. For a resource to use a change-triggered rule, there must be AWS Config configuration item support.
Security Score
• On the Security standards page, each enabled standard displays a security score, which is between 0% and 100%.
• The security score represents the proportion of Passed controls to enabled controls. The score is displayed as a percentage. For example, if 10 controls are enabled for a standard, and 7 of those controls are in a Passed state, then the security score is 70%.
Finding Severity
For security standards findings, the severity is determined based on an assessment of how easy it would be to compromise AWS resources if the issue is detected.

• Critical – The issue must be remediated immediately to avoid it escalating. (For example, an open S3 bucket is considered a critical severity finding.)
• High – The issue must be addressed as a priority. (For example, CloudTrail logging not being enabled is considered a high severity issue.)
• Medium – The issue must be addressed, but not urgently. (For example, lack of encryption at rest is considered a medium severity finding.)
• Low – The issue does not require action on its own. (For example, discovering EC2 instances without required tags is considered low severity, because a lack of tags can lead to a lack of resource visibility.)
• Informational – No issue was found. In other words, the status is PASSED.
Finding Status
The status of each individual finding for a given control and the overall status of that control are distinct values and may differ.

Status for the individual finding:
• PASSED
• FAILED
• WARNING – Indicates that the check was completed, but Security Hub cannot determine whether the resource is in a PASSED or FAILED state
• NOT_AVAILABLE – Indicates that the check cannot be completed because there is a server failure, the resource was deleted, or the result of the AWS Config evaluation was NOT_APPLICABLE

Overall status for the control:
• Passed – Indicates that all findings in the Security Hub master account and the member accounts for a given control are in a PASSED state.
• Failed – Indicates that one or more findings in the Security Hub master account and the member accounts for a given control are in a FAILED state.
• Unknown – Indicates that at least one finding in the Security Hub master account and the member accounts for a given control is in a WARNING or NOT_AVAILABLE state, but no findings are in a FAILED state.
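The overall-status rules above and the security-score formula from the Security Score slide, implemented together as an added example (not code from the presentation). The finding rows are constructed sample data standing in for the findings of a master account and one member account in a single region.

```python
"""Roll per-finding statuses up to a control status and a security score."""
from collections import defaultdict

# Compliance.Status values an individual standards finding can carry.
PASSED, FAILED, WARNING, NOT_AVAILABLE = "PASSED", "FAILED", "WARNING", "NOT_AVAILABLE"


def control_status(statuses) -> str:
    """Overall status of one control from all its findings across accounts.

    Failed if any finding FAILED; Unknown if none failed but at least one is
    WARNING or NOT_AVAILABLE; Passed only when every finding is PASSED.
    """
    statuses = list(statuses)
    if not statuses:
        raise ValueError("a control with no findings has no overall status")
    if FAILED in statuses:
        return "Failed"
    if any(s in (WARNING, NOT_AVAILABLE) for s in statuses):
        return "Unknown"
    if all(s == PASSED for s in statuses):
        return "Passed"
    raise ValueError(f"unexpected finding status in {statuses}")


def roll_up(findings) -> dict:
    """Map control id -> overall status for (control, account, status) rows."""
    by_control = defaultdict(list)
    for control_id, _account_id, status in findings:
        by_control[control_id].append(status)
    return {control: control_status(s) for control, s in by_control.items()}


def security_score(overall: dict, enabled_controls) -> float:
    """Percentage of enabled controls whose overall status is Passed.

    Follows the slide's definition: Passed controls / enabled controls. An
    enabled control without any findings yet is simply not counted as Passed.
    """
    enabled = list(enabled_controls)
    if not enabled:
        return 0.0
    passed = sum(1 for control in enabled if overall.get(control) == "Passed")
    return round(100.0 * passed / len(enabled), 1)


# Constructed sample: three controls evaluated in a master and a member account.
SAMPLE_FINDINGS = [
    ("CIS.1.1", "111111111111", PASSED), ("CIS.1.1", "222222222222", PASSED),
    ("CIS.2.1", "111111111111", PASSED), ("CIS.2.1", "222222222222", FAILED),
    ("CIS.3.1", "111111111111", WARNING), ("CIS.3.1", "222222222222", PASSED),
]
ENABLED_CONTROLS = ["CIS.1.1", "CIS.2.1", "CIS.3.1"]

if __name__ == "__main__":
    overall = roll_up(SAMPLE_FINDINGS)
    for control, status in overall.items():
        print(f"{control}: {status}")
    print(f"security score: {security_score(overall, ENABLED_CONTROLS)}%")
```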
Pricing
AWS Security Hub is priced along two dimensions: the quantity of security checks and the quantity of finding ingestion events.

Security checks:
• Security Hub automatically evaluates each control in a supported security standard via rules.
• Security checks are charged per number of checks per account per region.
• Security Hub customers are not charged separately for any Config rules enabled by Security Hub.

Finding ingestion events:
• AWS Security Hub ingests findings from various AWS services and from partner products. Finding ingestion events include both ingesting new findings and ingesting updates to existing findings.
• Finding ingestion events associated with Security Hub's security checks are not charged.
• Finding ingestion events are charged per number of events per account per region.
Pricing (US East)

Security checks                                           Price
First 100,000 checks/account/region/month                 $0.0010 per check
Next 400,000 checks/account/region/month                  $0.0008 per check
Over 500,000 checks/account/region/month                  $0.0005 per check

Finding ingestion events                                  Price
Events associated with Security Hub's security checks     free
First 10,000 events/account/region/month                  free
Over 10,000 events/account/region/month                   $0.00003 per event
Pricing Example: Large Organization

Pricing dimensions:
• 2 regions, 20 accounts
• 500 security checks per account/region/month
• 10,000 finding ingestion events per account/region/month

Monthly charges =
    500 * $0.0010 * 2 * 20      (first 100,000 checks/account/region/month)
  + 10,000 * $0 * 2 * 20        (first 10,000 events/account/region/month)
  = $20 + $0
  = $20 per month

The Settings -> Usage tab shows the estimated cost per month for the region.
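The tiered price table and the worked example above as a small estimator, added here and not part of the presentation. It reproduces the $20/month figure and, unlike the slide, also handles usage that crosses tier boundaries; the prices are the US East figures quoted on the slides and tiers are applied per account per region per month.

```python
"""Estimate a monthly Security Hub bill from the slides' tiered US East prices."""

# (cumulative upper bound in units, price per unit); None means no upper bound.
CHECK_TIERS = [(100_000, 0.0010), (500_000, 0.0008), (None, 0.0005)]
EVENT_TIERS = [(10_000, 0.0), (None, 0.00003)]


def tiered_cost(quantity: int, tiers) -> float:
    """Charge a quantity against cumulative tiers.

    Each tier's bound is a running total, so (500_000, 0.0008) covers units
    100,001 to 500,000 when it follows a (100_000, ...) tier.
    """
    cost, lower = 0.0, 0
    for upper, price in tiers:
        if quantity <= lower:
            break
        top = quantity if upper is None else min(quantity, upper)
        cost += (top - lower) * price
        lower = top
    return cost


def monthly_estimate(regions: int, accounts: int, checks_per_scope: int,
                     events_per_scope: int) -> dict:
    """Bill for one month, where a 'scope' is one account in one region.

    events_per_scope should exclude the ingestion events produced by Security
    Hub's own checks, which the price table lists as free.
    """
    scopes = regions * accounts
    checks = tiered_cost(checks_per_scope, CHECK_TIERS) * scopes
    events = tiered_cost(events_per_scope, EVENT_TIERS) * scopes
    return {"checks": round(checks, 2), "events": round(events, 2),
            "total": round(checks + events, 2)}


if __name__ == "__main__":
    # The slide's large-organization example: 2 regions x 20 accounts.
    print(monthly_estimate(regions=2, accounts=20,
                           checks_per_scope=500, events_per_scope=10_000))
```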
