How I use AWS Security Hub
AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Security Hub integrates with other AWS services such as GuardDuty, Inspector, and many more. In this blog post, I show you how I use Security Hub to improve the security of my AWS accounts.
To get started with Security Hub, I recommend enabling at least one security standard.
I prefer the AWS Foundational Security Best Practices security standard. It covers many areas and services. I recommend starting with a single security standard so you don't overwhelm yourself with findings. Once you reach a score of around 80%, think twice about whether you really need to enable another security standard.
Any security tool will generate false positives. Security Hub provides two ways to deal with false positives.
You can disable a control entirely. I usually disable [IAM.6] Hardware MFA should be enabled for the root user because it doesn’t make much sense in an AWS Organizations setup. Learn more about disabling a control.
You can suppress a finding. Sometimes, you need an S3 bucket to be public. The control [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2) will flag that bucket as insecure. You can suppress the finding by setting its workflow status to SUPPRESSED; the finding stays in Security Hub, but it no longer counts against your score.
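Both ways of handling false positives can be scripted, which matters once you have more than a handful of accounts. The following Python block is an added example, not code from the blog post: it keeps an explicit allowlist of control/resource pairs (a bucket that is meant to be public), picks only the findings that match it, and builds the `BatchUpdateFindings` requests that set the workflow status to SUPPRESSED with a note. It also builds the `UpdateStandardsControl` request for disabling a control, as in the [IAM.6] case above. The account ID, finding IDs, bucket names, control ARN and allowlist are constructed sample values; the `boto3` client is optional and nothing is sent unless you pass one in.

```python
"""Suppress allowlisted Security Hub findings and disable a control (added example).

The findings below mimic the (trimmed) ASFF shape that GetFindings returns.
All identifiers, ARNs and bucket names are constructed sample data.
"""
from __future__ import annotations

from typing import Any

# Constructed allowlist: control ID -> resource ARNs that are intentionally
# configured this way (here: a bucket that must be publicly readable).
ALLOWLIST: dict[str, set[str]] = {
    "S3.2": {"arn:aws:s3:::example-public-website-bucket"},
}

# Constructed sample findings (account 111122223333 is a placeholder).
_PRODUCT = "arn:aws:securityhub:eu-west-1::product/aws/securityhub"
_ID_PREFIX = ("arn:aws:securityhub:eu-west-1:111122223333:subscription/"
              "aws-foundational-security-best-practices/v/1.0.0/")
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    {   # allowlisted bucket, still open -> should be suppressed
        "Id": _ID_PREFIX + "S3.2/finding/aaaa-0001", "ProductArn": _PRODUCT,
        "Compliance": {"SecurityControlId": "S3.2", "Status": "FAILED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-website-bucket"}],
        "Workflow": {"Status": "NEW"},
    },
    {   # a different public bucket, not allowlisted -> real finding, keep it
        "Id": _ID_PREFIX + "S3.2/finding/aaaa-0002", "ProductArn": _PRODUCT,
        "Compliance": {"SecurityControlId": "S3.2", "Status": "FAILED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-leaky-bucket"}],
        "Workflow": {"Status": "NEW"},
    },
    {   # allowlisted bucket but already suppressed -> nothing to do
        "Id": _ID_PREFIX + "S3.2/finding/aaaa-0003", "ProductArn": _PRODUCT,
        "Compliance": {"SecurityControlId": "S3.2", "Status": "FAILED"},
        "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-website-bucket"}],
        "Workflow": {"Status": "SUPPRESSED"},
    },
    {   # a control that is not on the allowlist at all
        "Id": _ID_PREFIX + "IAM.6/finding/bbbb-0001", "ProductArn": _PRODUCT,
        "Compliance": {"SecurityControlId": "IAM.6", "Status": "FAILED"},
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}],
        "Workflow": {"Status": "NEW"},
    },
]


def select_suppressible(findings: list[dict[str, Any]],
                        allowlist: dict[str, set[str]]) -> list[dict[str, Any]]:
    """Return findings whose control/resource pair is allowlisted and not yet suppressed."""
    selected = []
    for finding in findings:
        control = finding.get("Compliance", {}).get("SecurityControlId")
        if control not in allowlist:
            continue
        if finding.get("Workflow", {}).get("Status") == "SUPPRESSED":
            continue
        resource_ids = {r.get("Id") for r in finding.get("Resources", [])}
        # Only suppress when every resource of the finding is explicitly allowlisted,
        # so a finding that also covers an unknown resource is never hidden.
        if resource_ids and resource_ids <= allowlist[control]:
            selected.append(finding)
    return selected


def build_suppress_requests(findings: list[dict[str, Any]], note: str,
                            updated_by: str) -> list[dict[str, Any]]:
    """Build BatchUpdateFindings requests; the API takes at most 100 findings per call."""
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [
        {
            "FindingIdentifiers": identifiers[i:i + 100],
            "Workflow": {"Status": "SUPPRESSED"},
            "Note": {"Text": note, "UpdatedBy": updated_by},  # leaves an audit trail
        }
        for i in range(0, len(identifiers), 100)
    ]


def build_disable_control_request(standards_control_arn: str, reason: str) -> dict[str, Any]:
    """Build the UpdateStandardsControl request; a DisabledReason is mandatory."""
    if not reason.strip():
        raise ValueError("a reason is required when disabling a control")
    return {"StandardsControlArn": standards_control_arn,
            "ControlStatus": "DISABLED", "DisabledReason": reason}


def suppress_allowlisted(findings, allowlist, note, updated_by, client=None):
    """Select, build and (only if a boto3 securityhub client is given) send the requests."""
    requests = build_suppress_requests(select_suppressible(findings, allowlist), note, updated_by)
    if client is not None:
        for request in requests:
            client.batch_update_findings(**request)  # boto3: securityhub.batch_update_findings
    return requests


if __name__ == "__main__":
    for req in suppress_allowlisted(SAMPLE_FINDINGS, ALLOWLIST,
                                    "Bucket hosts a public website by design", "security-team"):
        print(req)
```

Run it as-is to see the request payloads; to actually apply them, pass `boto3.client("securityhub")` as `client`. The note text is what your colleagues will read in the console months later, so say why the finding is suppressed, not just that it is.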
In the following video, I demo how I use Security Hub. I also share two pitfalls with you:
- The security score in an AWS Organizations setup
- The IAM "Unknown" error
AWS Security Hub integrates with a bunch of other AWS services. You can forward all the findings from those services to Security Hub for a centralized view.
The following services are supported:
- Amazon Inspector
- Amazon GuardDuty
- IAM Access Analyzer
- AWS Systems Manager Patch Manager
- AWS Firewall Manager
- Amazon Macie
I recommend enabling integrations one after another. Nothing is more frustrating than a million findings that no one resolves! Think twice before enabling one of these services: they only provide value if you have the capacity to resolve the findings they generate.