How I use AWS Security Hub

Michael Wittig – 28 Apr 2021

AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Security Hub integrates with other AWS services such as GuardDuty, Inspector, and many more. In this blog post, I show you how I use Security Hub to improve the security of my AWS accounts.

How I use AWS Security Hub

To get started with Security Hub, I recommend enabling at least one security standard.

Complying with security standards

I prefer the AWS Foundational Security Best Practices security standard. It covers many areas and services. I recommend starting with a single security standard to not overwhelm yourself with findings. Once you reach a score in the heights of 80%, think twice if you really need to enable another security standard or not.

Dealing with false positives

Any security tool will generate false positives. Security Hub provides two ways to deal with false positives.

You can disable a control entirely. I usually disable [IAM.6] Hardware MFA should be enabled for the root user because it doesn’t make much sense in an AWS Organizations setup. Learn more about disabling a control.

You can suppress a finding. Sometimes, you need an S3 bucket to be public. The control ][S3.2] S3 buckets should prohibit public read access]( will flag that bucket as insecure. You can whitelist the finding by setting the workflow status to suppressed.

How I use Security Hub

In the following video, I demo how I use Security Hub. I also share two pitfalls with you:

  • Security Score in orgs
  • IAM Unknown error

Integration with other AWS services

AWS Security Hub integrates with a bunch of other AWS services. You can forward all the findings from those services to Security Hub for a centralized view.

The following services are supported:

  • Amazon Inspector
  • Amazon GuardDuty
  • IAM Access Analyzer
  • AWS Systems Manager Patch Manager
  • AWS Firewall Manager
  • Amazon Macie

I recommend enabling integrations one after another. Nothing is more frustrating than a million findings that no one resolves! Think twice before using one of those services. They only provide value if you have the capacity to resolve the findings.

Michael Wittig

Michael Wittig

I’ve been building on AWS since 2012 together with my brother Andreas. We are sharing our insights into all things AWS on cloudonaut and have written the book AWS in Action. Besides that, we’re currently working on bucketAV, HyperEnv for GitHub Actions, and marbot.

Here are the contact options for feedback and questions.