How To Use AWS Security Hub To Automate Best Practices

Posted by Ben Potter on Saturday, December 26, 2020


AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. It automates the checking of security best practices in your AWS environment. It is the central place to look for AWS security alerts and findings as it prioritizes them from many AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager. AWS Security Hub continuously monitors your environment using automated security checks based on AWS best practices and industry standards that your organization follows.

AWS Security Hub

How AWS Security Hub Works

When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products and services. Partner products can also send findings to Security Hub. Security Hub also generates its own findings by running continuous, automated security checks based on AWS best practices and supported industry standards. It then correlates and consolidates findings across providers to help you to prioritize the most significant findings.

You can also create insights in Security Hub. An insight is a collection of findings grouped together by an attribute you choose with a group-by filter. Insights help you identify common security issues that may require remediation, like S3 buckets that allow public access. Security Hub includes several managed insights, or you can create your own custom insights. Note that Security Hub only generates findings from the point in time you enable it; it does not look back at earlier activity. Findings are also regional, so it must be enabled in every region you use. I highly recommend you block the use of unused regions with an Organizations Service Control Policy (SCP) that denies API calls outside the regions you need, as that prevents the accounts it applies to from accidentally creating resources in regions you are not monitoring.
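As an added example (not code from the original post), here is a Python script that generates such a region-restricting SCP and checks what it denies. The allowed regions and the list of exempted global services are assumptions; adjust both to your organization. The `scp_denies` helper evaluates only this policy's shape, not IAM policy evaluation in general.

```python
"""Build and sanity-check a region-restricting SCP.

Added example, not from the original post.  The allowed regions and the list
of exempted global services are assumptions for illustration; review the
exemptions against the services your accounts actually use.
"""
import json
from fnmatch import fnmatchcase

# Regions the organization is allowed to use (assumed for the example).
ALLOWED_REGIONS = ["eu-west-1", "eu-west-2"]

# Services whose API endpoints are global (served from us-east-1) or that must
# keep working for account administration.  Without these exemptions the deny
# below breaks IAM, STS, Organizations, billing and similar calls.
# Illustrative, not exhaustive.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "support:*", "trustedadvisor:*",
    "budgets:*", "cur:*", "ce:*", "aws-portal:*", "route53:*", "route53domains:*",
    "cloudfront:*", "health:*", "shield:*", "globalaccelerator:*",
    "ec2:DescribeRegions", "s3:ListAllMyBuckets",
]


def build_region_scp(allowed_regions, exempt_actions):
    """Deny any call whose aws:RequestedRegion is not in the allow list,
    except the exempt (global) actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRequestsOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": exempt_actions,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
        }],
    }


def scp_denies(policy, action, region):
    """Evaluate this policy shape only (Deny + NotAction + StringNotEquals on
    aws:RequestedRegion).  Not a general IAM policy evaluator: an SCP never
    grants anything, so 'not denied' still depends on the IAM policies."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are case-insensitive and "svc:*" is a prefix wildcard.
        exempt = any(fnmatchcase(action.lower(), pat.lower()) for pat in stmt.get("NotAction", []))
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if not exempt and region not in allowed:
            return True
    return False


def scp_document(policy):
    """JSON text to pass to `aws organizations create-policy --content`.  SCPs
    are capped at 5120 bytes, so fail here rather than let the API reject it."""
    text = json.dumps(policy, indent=2)
    if len(text.encode()) > 5120:
        raise ValueError("SCP exceeds the 5120-byte limit")
    return text


if __name__ == "__main__":
    scp = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICE_ACTIONS)
    print(scp_document(scp))
    for action, region in [("ec2:RunInstances", "us-east-1"),
                           ("ec2:RunInstances", "eu-west-1"),
                           ("iam:CreateUser", "us-east-1")]:
        verdict = "DENIED" if scp_denies(scp, action, region) else "not denied by this SCP"
        print(f"{action} in {region}: {verdict}")
```

Two caveats before attaching it: SCPs do not apply to the management account, and the global-service exemptions matter because IAM, STS and Organizations calls are served out of us-east-1 regardless of where you work, so a bare deny on aws:RequestedRegion locks you out of account administration. Attach the policy to a sandbox OU first.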

Enable AWS Security Hub

Before enabling and configuring Security Hub, you will need to enable and configure AWS Config in each region you use, because the security checks are evaluated against the resource configuration that AWS Config records. Security Hub has a 30 day free trial, and during the trial it estimates what it will cost once the trial ends. The easiest way to enable Security Hub is to go to the Security Hub Console and configure it there; the options you see depend on whether your account is stand-alone or part of an AWS Organization. A Well-Architected best practice, even if you have a single account for testing purposes, is to use Organizations. If your account is already part of an AWS Organization and you want to enable Security Hub, do so in the Organization's management account. You should then see a prompt in the console to assign a delegated administrator account (ideally a dedicated security account rather than the management account):

AWS Security Hub assign delegated administrator

You might need to enable Security Hub at the organization level in your chosen region first by clicking Enable:

AWS Security Hub enable for organization

Once you have enabled Security Hub you can click Security standards and see that AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark are enabled by default. The foundational security best practices align with the Well-Architected security best practices.
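The same steps as a script, as an added example that is not part of the original post: it uses the real boto3 operations for AWS Config and Security Hub, but the region list, the AWS Config role and bucket, and the delegated administrator account ID are assumptions. The delegation call only works from the management account of an organization; in a stand-alone account, drop that step. Clients are passed in rather than created inside the functions so the logic can be exercised without credentials.

```python
"""Enable AWS Config recording and Security Hub in each region you use.

Added example, not code from the original post.  The boto3 operations are
real; the region list, Config role and bucket names and the delegated
administrator account ID are assumptions.  Clients are passed in so the logic
can be run against a fake client without AWS credentials.
"""

REGIONS = ["eu-west-1", "eu-west-2"]                  # assumed: the regions in use
CONFIG_ROLE_ARN = ("arn:aws:iam::111111111111:role/aws-service-role/"
                   "config.amazonaws.com/AWSServiceRoleForConfig")  # assumed
CONFIG_BUCKET = "example-config-history-111111111111"  # assumed; must exist with a Config bucket policy
SECURITY_ACCOUNT_ID = "222222222222"                  # assumed: account to delegate Security Hub admin to

# The two standards the console enables by default; the FSBP ARN is regional, CIS is not.
FSBP_ARN = "arn:aws:securityhub:{region}::standards/aws-foundational-security-best-practices/v/1.0.0"
CIS_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def ensure_config_recording(config):
    """Security Hub controls are evaluated from AWS Config data, so recording
    must be on in the region.  Reuse an existing recorder, otherwise create one
    for all supported resource types (global types included, for IAM checks)."""
    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
    if recorders:
        name = recorders[0]["name"]
    else:
        name = "default"
        config.put_configuration_recorder(ConfigurationRecorder={
            "name": name,
            "roleARN": CONFIG_ROLE_ARN,
            "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
        })
        config.put_delivery_channel(DeliveryChannel={"name": name, "s3BucketName": CONFIG_BUCKET})
    config.start_configuration_recorder(ConfigurationRecorderName=name)  # safe to repeat
    return name


def ensure_security_hub(securityhub, region):
    """Enable Security Hub with its default standards, then make sure both FSBP
    and CIS are actually subscribed (someone may have disabled one).  Returns
    the standards this call newly enabled."""
    try:
        securityhub.enable_security_hub(EnableDefaultStandards=True)
    except securityhub.exceptions.ResourceConflictException:
        pass  # already enabled in this region
    enabled = {s["StandardsArn"] for s in securityhub.get_enabled_standards()["StandardsSubscriptions"]}
    missing = sorted({FSBP_ARN.format(region=region), CIS_ARN} - enabled)
    if missing:
        securityhub.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": arn} for arn in missing])
    return missing


def delegate_admin(securityhub, admin_account_id):
    """Run from the Organizations management account, per region: nominate the
    security account as Security Hub administrator.  Auto-enabling new member
    accounts (update_organization_configuration) is done later from the
    delegated account, not here."""
    securityhub.enable_organization_admin_account(AdminAccountId=admin_account_id)


def enable_everywhere(session_factory, regions, admin_account_id=SECURITY_ACCOUNT_ID):
    """session_factory(region) returns an object with .client(service_name),
    e.g. a boto3.Session.  Returns {region: [standards newly enabled]}."""
    newly_enabled = {}
    for region in regions:
        session = session_factory(region)
        ensure_config_recording(session.client("config"))
        hub = session.client("securityhub")
        newly_enabled[region] = ensure_security_hub(hub, region)
        delegate_admin(hub, admin_account_id)
    return newly_enabled


if __name__ == "__main__":
    import boto3  # imported here so the helpers stay importable without boto3
    print(enable_everywhere(lambda r: boto3.Session(region_name=r), REGIONS))
```

Run it with credentials for the management account; the Config role and delivery bucket must already exist, and the bucket needs the bucket policy AWS Config requires.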

AWS Security Hub security standards

That's about all you need to do to enable Security Hub; the real work is in the results. Click on View Results:

AWS Security Hub foundational best practices overview

Then you can see all the recommendations that are tailored to you in your chosen region. The account I'm using for the screenshots is new and unused, and as you can see I have not secured it yet:

AWS Security Hub all findings

Take Action on Findings

Now you will most likely have recommendations to improve the security of your AWS environment, and you should take action to resolve them. Security Hub sorts findings by severity so the most critical ones are at the top, which is where you should start. I recommend a risk-based approach to prioritizing the remediations: you might not have time to resolve them all at once, but you can put the low-priority ones on a backlog, while critical findings, like a publicly readable S3 bucket, should be resolved as soon as possible.
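One way to apply that risk-based ordering outside the console, as an added example that is not from the original post: the findings below are constructed in the AWS Security Finding Format (ASFF) that `get_findings` returns, with made-up account ID, ARNs and timestamps; the per-severity SLA targets are assumptions; the `get_findings` filter and the `batch_update_findings` request body use the real API shapes.

```python
"""Triage Security Hub findings by severity and remediation SLA.

Added example, not from the original post.  The findings below are constructed
in ASFF shape (what get_findings returns); IDs, timestamps and the SLA targets
are assumptions.  The filter and batch_update_findings request shapes match
the real API.
"""
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]
# Assumed remediation targets, in days from when the finding was created.
SLA_DAYS = {"CRITICAL": 1, "HIGH": 7, "MEDIUM": 30, "LOW": 90, "INFORMATIONAL": 365}
PRODUCT_ARN = "arn:aws:securityhub:eu-west-1::product/aws/securityhub"


def _finding(control, title, severity, created, compliance="FAILED", workflow="NEW",
             resource=("AwsAccount", "AWS::::Account:111111111111")):
    """Constructed ASFF finding carrying only the fields triage needs."""
    return {
        "Id": f"arn:aws:securityhub:eu-west-1:111111111111:subscription/{control}/finding/example",
        "ProductArn": PRODUCT_ARN, "Title": title, "Severity": {"Label": severity},
        "Compliance": {"Status": compliance}, "Workflow": {"Status": workflow},
        "RecordState": "ACTIVE", "CreatedAt": created,
        "Resources": [{"Type": resource[0], "Id": resource[1]}],
        "Remediation": {"Recommendation": {"Url": "https://docs.aws.amazon.com/securityhub/latest/userguide/"}},
    }


FSBP = "aws-foundational-security-best-practices/v/1.0.0"
CIS = "cis-aws-foundations-benchmark/v/1.2.0"
# Constructed sample findings: two critical, one high, one medium, plus one
# already passed and one suppressed, which triage must leave alone.
SAMPLE_FINDINGS = [
    _finding(f"{FSBP}/S3.2", "S3.2 S3 buckets should prohibit public read access", "CRITICAL",
             "2020-12-20T10:15:00.000Z", resource=("AwsS3Bucket", "arn:aws:s3:::example-public-bucket")),
    _finding(f"{FSBP}/EC2.2", "EC2.2 The VPC default security group should not allow inbound and outbound traffic",
             "HIGH", "2020-12-24T08:00:00.000Z", resource=("AwsEc2SecurityGroup", "sg-0123456789abcdef0")),
    _finding(f"{FSBP}/CloudTrail.2", "CloudTrail.2 CloudTrail should have encryption at-rest enabled", "MEDIUM",
             "2020-12-01T00:00:00.000Z"),
    _finding(f"{CIS}/1.14", '1.14 Ensure hardware MFA is enabled for the "root" account', "CRITICAL",
             "2020-12-25T09:00:00.000Z"),
    _finding(f"{CIS}/1.1", '1.1 Avoid the use of the "root" account', "LOW", "2020-12-01T00:00:00.000Z",
             compliance="PASSED", workflow="RESOLVED"),
    _finding(f"{FSBP}/EC2.6", "EC2.6 VPC flow logging should be enabled in all VPCs", "MEDIUM",
             "2020-12-01T00:00:00.000Z", workflow="SUPPRESSED"),
]
NOW = datetime(2020, 12, 26, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def actionable_findings_filter():
    """Filters for securityhub.get_findings(Filters=...): active control
    failures that are neither resolved nor deliberately suppressed."""
    return {
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                           {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
    }


def is_actionable(finding):
    """The same rule as the filter above, applied to a finding already fetched."""
    return (finding.get("Compliance", {}).get("Status") == "FAILED"
            and finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED"))


def triage(findings, now=None):
    """Return actionable findings as work items, most severe and soonest-due first."""
    now = now or datetime.now(timezone.utc)
    items = []
    for f in findings:
        if not is_actionable(f):
            continue
        label = f["Severity"]["Label"]
        created = datetime.fromisoformat(f["CreatedAt"].replace("Z", "+00:00"))
        due = created + timedelta(days=SLA_DAYS[label])
        items.append({"id": f["Id"], "title": f["Title"], "severity": label,
                      "resource": f["Resources"][0]["Id"], "due": due, "overdue": now > due,
                      "remediation": f["Remediation"]["Recommendation"]["Url"]})
    items.sort(key=lambda i: (SEVERITY_ORDER.index(i["severity"]), i["due"]))
    return items


def backlog_update(findings, ticket):
    """Request for securityhub.batch_update_findings(**request) that parks the
    given findings as NOTIFIED with a note naming the backlog ticket.  The API
    takes at most 100 identifiers per call, so chunk larger lists."""
    if len(findings) > 100:
        raise ValueError("batch_update_findings takes at most 100 findings per call")
    return {
        "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": f"On backlog, tracked in {ticket}", "UpdatedBy": "security-team"},
    }


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS, NOW):
        flag = "OVERDUE" if item["overdue"] else f"due {item['due']:%Y-%m-%d}"
        print(f"{item['severity']:<9} {flag:<15} {item['title']}  [{item['resource']}]")
```

Setting the workflow status to NOTIFIED with a note is the Security Hub-native way to record that a finding is on the backlog: it stays visible, it is excluded from the "new" view, and the note survives the next evaluation of the control.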

If you click on a finding, its description is displayed in the side pane. For example, I have clicked on the finding Ensure hardware MFA is enabled for the "root" account and can see:

AWS Security Hub root account finding

Then if you scroll down you will see further information including Types and Related Findings, Resources, and Remediation.

AWS Security Hub remediation description

In this finding, the remediation is a link to the CIS section of the Security Hub user guide with step-by-step instructions on how to remediate it:

AWS Security Hub root mfa remediation steps

Once you have performed the remediation, Security Hub re-evaluates the control on its next check (change-triggered checks run shortly after the resource changes; periodic ones can take some hours), after which the finding's status becomes Passed with a green tick and its workflow status is automatically set to Resolved.

Further Reading

AWS Security Hub User Guide
AWS Security Hub pricing
Nine AWS Security Hub best practices
AWS Well-Architected - Detection