How I use AWS Security Hub

Michael Wittig – 28 Apr 2021

AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Security Hub integrates with other AWS services such as GuardDuty, Inspector, and many more. In this blog post, I show you how I use Security Hub to improve the security of my AWS accounts.


To get started with Security Hub, I recommend enabling at least one security standard.

Complying with security standards

I prefer the AWS Foundational Security Best Practices security standard. It covers many areas and services. I recommend starting with a single security standard so you are not overwhelmed with findings. Once you reach a score of around 80%, think twice about whether you really need to enable another security standard.

Dealing with false positives

Any security tool will generate false positives. Security Hub provides two ways to deal with false positives.

You can disable a control entirely. I usually disable [IAM.6] Hardware MFA should be enabled for the root user because it doesn’t make much sense in an AWS Organizations setup. Learn more about disabling a control.

You can suppress a finding. Sometimes, you need an S3 bucket to be public. The control [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2) will flag that bucket as insecure. You can whitelist the finding by setting its workflow status to SUPPRESSED.
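Both mechanisms can be scripted, which matters once you manage many accounts. The following is an added example written for this post, not code from the post or from AWS: it suppresses S3.2 findings only for buckets on an explicit, reviewed allowlist and disables IAM.6 with a documented reason, using boto3. The bucket names, account id and finding ids are constructed sample data, and `select_for_suppression`, `build_suppression_requests`, `build_disable_control_request` and `suppress` are helper names I chose. It goes slightly beyond the text by chunking to the 100-identifier limit of BatchUpdateFindings and by skipping findings that are already suppressed.

```python
"""Suppress reviewed Security Hub findings and disable a control with boto3.
Added example, not the author's code. Assumes boto3 plus securityhub:GetFindings,
BatchUpdateFindings and UpdateStandardsControl permissions; sample data is constructed.
"""
from __future__ import annotations

FSBP_PREFIX = "aws-foundational-security-best-practices/v/1.0.0/"
SECURITYHUB_PRODUCT = "arn:aws:securityhub:us-east-1::product/aws/securityhub"
SUPPRESSED = "SUPPRESSED"
BATCH_LIMIT = 100  # BatchUpdateFindings accepts at most 100 finding identifiers per call

# Buckets that are public on purpose (constructed, hypothetical names).
INTENTIONALLY_PUBLIC_BUCKETS = {"arn:aws:s3:::example-public-website-assets"}


def _finding(uid: str, control: str, rtype: str, rid: str, workflow: str) -> dict:
    """Constructed finding in the ASFF shape GetFindings returns (only the fields used here)."""
    return {
        "Id": f"arn:aws:securityhub:us-east-1:123456789012:subscription/{FSBP_PREFIX}{control}/finding/{uid}",
        "ProductArn": SECURITYHUB_PRODUCT,
        "GeneratorId": FSBP_PREFIX + control,
        "Resources": [{"Type": rtype, "Id": rid}],
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": workflow},
    }


# Constructed samples: one acceptable, one genuinely exposed, one already handled, one other control.
SAMPLE_FINDINGS = [
    _finding("a1", "S3.2", "AwsS3Bucket", "arn:aws:s3:::example-public-website-assets", "NEW"),
    _finding("b2", "S3.2", "AwsS3Bucket", "arn:aws:s3:::example-customer-exports", "NEW"),
    _finding("c3", "S3.2", "AwsS3Bucket", "arn:aws:s3:::example-public-website-assets", SUPPRESSED),
    _finding("d4", "EC2.8", "AwsEc2Instance", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc", "NEW"),
]


def select_for_suppression(findings: list[dict], control_id: str, allowed: set[str]) -> list[dict]:
    """FAILED findings of one control whose resource is on the reviewed allowlist and not yet suppressed."""
    # An explicit allowlist (not "suppress every S3.2 finding") keeps a newly exposed bucket visible.
    generator = FSBP_PREFIX + control_id
    selected = []
    for f in findings:
        if f.get("GeneratorId") != generator or f.get("Compliance", {}).get("Status") != "FAILED":
            continue
        if f.get("Workflow", {}).get("Status") == SUPPRESSED:
            continue
        if {r["Id"] for r in f.get("Resources", [])} & allowed:
            selected.append(f)
    return selected


def build_suppression_requests(findings: list[dict], note: str, updated_by: str) -> list[dict]:
    """BatchUpdateFindings parameter dicts for the selected findings, chunked to the API limit."""
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [
        {
            "FindingIdentifiers": ids[i:i + BATCH_LIMIT],
            "Workflow": {"Status": SUPPRESSED},
            "Note": {"Text": note, "UpdatedBy": updated_by},  # audit trail: who accepted the risk, and why
        }
        for i in range(0, len(ids), BATCH_LIMIT)
    ]


def build_disable_control_request(region: str, account_id: str, control_id: str, reason: str) -> dict:
    """UpdateStandardsControl parameters to disable one FSBP control, e.g. IAM.6."""
    arn = f"arn:aws:securityhub:{region}:{account_id}:control/{FSBP_PREFIX}{control_id}"
    return {"StandardsControlArn": arn, "ControlStatus": "DISABLED", "DisabledReason": reason}


def suppress(client, requests: list[dict]) -> tuple[int, int]:
    """Send the batches; return (processed, unprocessed) so partial failures are noticed."""
    processed = unprocessed = 0
    for req in requests:
        resp = client.batch_update_findings(**req)
        processed += len(resp.get("ProcessedFindings", []))
        unprocessed += len(resp.get("UnprocessedFindings", []))
    return processed, unprocessed


if __name__ == "__main__":
    import boto3  # needed only for the live run

    client = boto3.client("securityhub")
    live = []  # live NEW+FAILED S3.2 findings replace the constructed sample above
    for page in client.get_paginator("get_findings").paginate(Filters={
        "GeneratorId": [{"Value": FSBP_PREFIX + "S3.2", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
    }):
        live.extend(page["Findings"])
    reqs = build_suppression_requests(
        select_for_suppression(live, "S3.2", INTENTIONALLY_PUBLIC_BUCKETS),
        "Bucket hosts a public website by design", "security-team")
    print("processed/unprocessed:", suppress(client, reqs))
    client.update_standards_control(**build_disable_control_request(
        "us-east-1", "123456789012", "IAM.6", "Root MFA is handled at the organization level"))
```

The note text and UpdatedBy are shown alongside the finding in the console, so they double as the record of who accepted the risk. Keeping the allowlist as data that someone reviews is the important design choice: a script that suppresses every S3.2 finding would hide the next accidentally public bucket just as effectively.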

How I use Security Hub

In the following video, I demo how I use Security Hub. I also share two pitfalls with you:

  • Security Score in orgs
  • IAM Unknown error


Integration with other AWS services

AWS Security Hub integrates with a bunch of other AWS services. You can forward all the findings from those services to Security Hub for a centralized view.

The following services are supported:

  • Amazon Inspector
  • Amazon GuardDuty
  • IAM Access Analyzer
  • AWS Systems Manager Patch Manager
  • AWS Firewall Manager
  • Amazon Macie

I recommend enabling integrations one after another. Nothing is more frustrating than a million findings that no one resolves! Think twice before using one of those services. They only provide value if you have the capacity to resolve the findings.

Michael Wittig


I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Andreas.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.
