
How I use AWS Security Hub

Michael Wittig – 28 Apr 2021

AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Security Hub integrates with other AWS services such as GuardDuty, Inspector, and many more. In this blog post, I show you how I use Security Hub to improve the security of my AWS accounts.


To get started with Security Hub, I recommend enabling at least one security standard.

Complying with security standards

I prefer the AWS Foundational Security Best Practices security standard. It covers many areas and services. I recommend starting with a single security standard so you are not overwhelmed by findings. Once your score reaches around 80%, think twice about whether you really need to enable another security standard.

Dealing with false positives

Any security tool will generate false positives. Security Hub provides two ways to deal with false positives.

You can disable a control entirely. I usually disable [IAM.6] Hardware MFA should be enabled for the root user because it doesn’t make much sense in an AWS Organizations setup. Learn more about disabling a control.



You can suppress a finding. Sometimes you need an S3 bucket to be public. The control [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2) will then flag that bucket as insecure. You can whitelist the finding by setting its workflow status to SUPPRESSED.
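Suppressing such findings through the API instead of the console, as an added example that is not code from the original post: it assumes a boto3 `securityhub` client, constructed sample findings in ASFF shape, and a hypothetical allow-list of buckets that are public on purpose, and it only suppresses S3.2 failures whose flagged buckets are all on that list.

```python
"""Added example (not from the original post): suppress FSBP S3.2 findings
for S3 buckets that are public on purpose, via BatchUpdateFindings."""
from typing import Dict, Iterable, List, Set

BATCH_LIMIT = 100  # BatchUpdateFindings accepts at most 100 identifiers per call
GEN = "aws-foundational-security-best-practices/v/1.0.0/S3.2"  # GeneratorId of S3.2
ARN = "arn:aws:securityhub:eu-west-1::product/aws/securityhub"  # constructed ProductArn
INTENTIONALLY_PUBLIC = {"arn:aws:s3:::example-public-website"}  # constructed allow-list

# Constructed sample findings (ASFF shape, only the fields used below).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "ProductArn": ARN, "GeneratorId": GEN, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "Resources": [{"Id": "arn:aws:s3:::example-public-website"}]},
    {"Id": "f-2", "ProductArn": ARN, "GeneratorId": GEN, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"}, "Resources": [{"Id": "arn:aws:s3:::example-customer-data"}]},
    {"Id": "f-3", "ProductArn": ARN, "GeneratorId": GEN, "Compliance": {"Status": "PASSED"},
     "Workflow": {"Status": "RESOLVED"}, "Resources": [{"Id": "arn:aws:s3:::example-public-website"}]},
]

def is_open_s3_2_failure(finding: Dict) -> bool:
    """Open FAILED finding produced by control S3.2 (GeneratorId ends in /S3.2)."""
    return (finding.get("GeneratorId", "").endswith("/S3.2")
            and finding.get("Compliance", {}).get("Status") == "FAILED"
            and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED"))

def fully_allowed(finding: Dict, allowed: Set[str]) -> bool:
    """True only if there is at least one flagged resource and all are allow-listed."""
    resources = {r["Id"] for r in finding.get("Resources", [])}
    return bool(resources) and resources <= allowed

def select_suppressible(findings: Iterable[Dict], allowed: Set[str]) -> List[Dict]:
    """Findings that are safe to suppress: f-1 in the sample, never f-2 (real problem)."""
    return [f for f in findings if is_open_s3_2_failure(f) and fully_allowed(f, allowed)]

def build_requests(findings: List[Dict], note: str, updated_by: str) -> List[Dict]:
    """Chunk findings into keyword-argument dicts for batch_update_findings()."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [{"FindingIdentifiers": ids[i:i + BATCH_LIMIT],
             "Workflow": {"Status": "SUPPRESSED"},
             "Note": {"Text": note, "UpdatedBy": updated_by}}
            for i in range(0, len(ids), BATCH_LIMIT)]

def suppress(client, findings: Iterable[Dict], note: str, updated_by: str) -> int:
    """Send the requests through a boto3 'securityhub' client; returns count updated."""
    selected = select_suppressible(findings, INTENTIONALLY_PUBLIC)
    for request in build_requests(selected, note, updated_by):
        client.batch_update_findings(**request)
    return len(selected)
```

The note recorded with each suppression is what lets a reviewer later tell an intentional exception from a forgotten one.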

How I use Security Hub

In the following video, I demo how I use Security Hub. I also share two pitfalls with you:

  • Security Score in orgs
  • IAM Unknown error

Integration with other AWS services

AWS Security Hub integrates with a bunch of other AWS services. You can forward all the findings from those services to Security Hub for a centralized view.

The following services are supported:

  • Amazon Inspector
  • Amazon GuardDuty
  • IAM Access Analyzer
  • AWS Systems Manager Patch Manager
  • AWS Firewall Manager
  • Amazon Macie

I recommend enabling integrations one after another. Nothing is more frustrating than a million findings that no one resolves! Think twice before using one of those services. They only provide value if you have the capacity to resolve the findings.
