
An Introduction to AWS Security Hub

Learn how AWS Security Hub helps overburdened administrators understand and effectively manage their overall AWS security posture.

It goes without saying that data security is of paramount importance to today’s organizations and that data is likely their most precious asset. Organizations must take great care to ensure that data is available to users and applications that depend on it, while also ensuring that it is NOT available to those who don’t. This may sound simple, but it’s an immense challenge faced daily by IT security professionals everywhere. 

An introduction to AWS Security Hub

Though AWS provides many services that help organizations achieve their security objectives, AWS found that customers needed additional capabilities to properly secure their environments. Specifically, AWS customers asked for the following:

  • standardized alert formats for security findings and automated investigation across all AWS and non-AWS sources, which may be transmitting alerts in many different formats;
  • a way to keep track of, and ensure adherence to, compliance standards;
  • prioritization of alerts, with insights to determine which of the thousands being generated across all security toolsets are critical to act upon; and
  • finally, a “single pane of glass” to understand their overall security and compliance state across multiple connected AWS accounts.

AWS Security Hub was released to help overburdened administrators understand and effectively manage their overall AWS security posture. 

What is AWS Security Hub?

Put simply, Security Hub is an AWS service that consolidates, organizes and prioritizes security alerts from other enabled AWS services such as GuardDuty, Inspector and Macie, and from AWS Partners like F5, Palo Alto, Trend Micro, Splunk and Sumologic, to name a few. Security Hub provides an organization this “single pane of glass” from which to manage their security and compliance posture across the entire breadth of their infrastructure and to act on security events, automated or otherwise, in a timely fashion.

Figure: Simple AWS Security Hub overview

Enabling (and disabling) AWS Security Hub is easily done through the AWS Management Console, the AWS CLI or by using Infrastructure-as-Code tools such as Terraform. Prior to enabling Security Hub, please consider the following:

  • Security Hub is a regional resource, thus if your infrastructure is dispersed across multiple regions you will need to enable Security Hub within each region in which you have AWS infrastructure/systems deployed. Automation, anyone?
  • Perhaps the most compelling aspect of enabling Security Hub is the continuous automated compliance checks using the CIS AWS Foundations Benchmark. The CIS AWS Foundations Benchmark consists of 43 best practice checks (such as “Is MFA enabled on the root account?” and “Have access keys been rotated within the last 90 days?”). To allow Security Hub to perform each of the automated compliance checks, AWS Config must be enabled. Ideally, AWS Config would be enabled prior to enabling Security Hub, though that is not required. If AWS Config is enabled after Security Hub, you will see a message within the Security Hub interface saying that it could take up to 12 hours for compliance data to update.

Figure: Enabling AWS Security Hub

The summary page

Once Security Hub is enabled, it’s only another couple of clicks in the UI to complete the integration with AWS GuardDuty, Inspector and Macie, and shortly thereafter any security findings from these services are ingested into Security Hub. The Security Hub summary page, shown below, is your starting point. It provides an “at a glance” view detailing the top security findings and insights, the AWS service integration status and CIS AWS Foundations compliance.

Figure: AWS Security Hub summary page

An administrator can dive deeper into any insight or status by clicking the blue text within the console.

Figure: Diving deeper into AWS Security Hub insights and findings

Customizable insights

Within Security Hub, AWS has provided several managed and unchangeable insights to assist in prioritizing identified security findings as quickly as possible. An insight is basically a security event that requires attention and/or intervention. You cannot change the AWS managed insights, but you can create your own insights to customize Security Hub to better track security issues and risks that are specific to your AWS environment.

Figure: Security administrators can create their own insights to customize Security Hub

Third party integrations

As stated previously, Security Hub can be integrated with third party products. Once the integration with a third party solution is enabled, security findings from those solutions will be imported into Security Hub. 

Figure: AWS Security Hub integration with third party security products

At the time of this writing, Security Hub can be integrated with approximately 30 third party solutions. However, that number is expected to increase as vendors configure their solutions to emit findings in the format Security Hub imports.

One interesting note regarding third party integrations is that integration with AWS Security Hub is not limited to an “import only” model. Security Hub findings and insights can be exported to SIEM products such as Splunk.

Multiple account support 

Security Hub supports the addition of multiple AWS accounts in master/member hierarchy in order to get a complete security and compliance view across an entire organization. When AWS accounts are added to Security Hub, the values shown on the summary page represent security insights and compliance settings throughout the entire organization. 

For example, if two AWS accounts are added to Security Hub, and one account has a CIS AWS Foundations score of 100 and the other a score of 0, a compliance score of 50 will be displayed on the summary page.

Taking action

Finally, Security Hub is not simply a “view only” tool: it is integrated with CloudWatch Events, enabling an organization to act on security alerts. Security Hub automatically sends all findings to CloudWatch Events, so you can define rules in CloudWatch that send findings to S3 buckets or third party tools.

Rules can be defined to send emails, send a notification to a Slack channel or paging system and create tickets for the appropriate individual or team(s). Additionally, rules can be created that trigger auto-remediation workflows using Lambda or Step Functions.
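One way the CloudWatch Events rule described above can be acted on, as an added example that is not code from the article or from AWS: a Lambda-style handler that receives the "Security Hub Findings - Imported" event, drops archived or already-handled findings, and decides whether each remaining finding should open a ticket, page someone, or just be logged. It assumes the standard event shape and ASFF field names; the sample event and its account ids, ARNs and finding ids are constructed placeholders.

```python
# Added example (not code from the article): a Lambda-style handler that triages
# Security Hub findings delivered by a CloudWatch Events rule. Assumes the event
# shape for detail-type "Security Hub Findings - Imported" and ASFF field names
# (Severity.Label, Compliance.Status, Workflow.Status, RecordState). Routing
# targets are returned as values instead of being sent, so it runs offline.
PAGE_LABELS = {"HIGH", "CRITICAL"}  # severities that should page someone

def triage_finding(finding):
    """Return a routing decision for one ASFF finding, or None to ignore it."""
    if finding.get("RecordState") != "ACTIVE":  # archived findings
        return None
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return None
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if finding.get("Compliance", {}).get("Status") == "FAILED":
        route = "ticket"  # a failed CIS control gets a ticket at any severity
    elif label in PAGE_LABELS:
        route = "page"
    else:
        route = "log"
    return {"route": route, "account": finding.get("AwsAccountId"),
            "severity": label, "title": finding.get("Title"),
            "resources": [r.get("Id") for r in finding.get("Resources", [])]}

def handler(event, context=None):
    """Entry point: one decision per actionable finding in the event."""
    if event.get("source") != "aws.securityhub":
        return []
    findings = event.get("detail", {}).get("findings", [])
    return [d for d in map(triage_finding, findings) if d]

# Constructed sample event; account ids, ARNs and finding ids are placeholders.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "example-1", "AwsAccountId": "111111111111",
         "Title": "1.4 Ensure access keys are rotated every 90 days or less",
         "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
         "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
         "Resources": [{"Type": "AwsIamUser",
                        "Id": "arn:aws:iam::111111111111:user/example"}]},
        {"Id": "example-2", "AwsAccountId": "222222222222",
         "Title": "Example GuardDuty finding", "Severity": {"Label": "HIGH"},
         "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}]},
        {"Id": "example-3", "AwsAccountId": "222222222222", "Title": "Archived",
         "Severity": {"Label": "CRITICAL"}, "RecordState": "ARCHIVED"},
    ]},
}
```

The CloudWatch Events rule feeding this handler matches on source "aws.securityhub" and detail-type "Security Hub Findings - Imported"; the handler repeats the source check so an unrelated event routed to it by mistake is ignored rather than acted on.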

How much does AWS Security Hub cost?

AWS Security Hub is not a free service, though it does offer a 30-day free trial to start. The cost is not fixed but depends on the number of compliance checks and security finding ingestion. The 30-day free trial should allow an organization to estimate their Security Hub spend, though costs could increase or decrease as third party solution integrations are enabled/disabled, thus affecting the total number of ingested security findings.

The graphic below shows the Security Hub cost structure for the US East Region. More detailed information regarding the cost of Security Hub, as well as cost examples, can be found on the AWS Security Hub pricing page.

Figure: Example of AWS Security Hub pricing

Summary

AWS customers wanted a service to help them more easily manage their security and compliance posture, and AWS delivered with Security Hub. Enabled with a few easy clicks (or CLI commands), AWS Security Hub allows organizations to quickly evaluate their overall AWS security and compliance posture via the summary page, as well as perform continuous automated compliance checks, currently using only the CIS AWS Foundations Benchmark.

More compliance checks are set to be released for Security Hub in the future, but if you require HIPAA or PCI compliance checks, a third party or custom tool will be required. Regardless, I strongly urge you to enable Security Hub as the information gathered by the CIS compliance checks has been extremely valuable to our clients.

Security Hub enables an organization to collect and process security findings across multiple AWS accounts within a given region. Remember that Security Hub is a regional service, so enable Security Hub in any region containing resources that you are interested in securing. Finally, AWS Security Hub provides identification and prioritization of security findings, allowing an organization to investigate and/or remediate the most important issues as quickly as possible.

AWS makes Security Hub virtually risk-free to try, so enable it and enjoy visibility into the security and compliance posture of your AWS environment. We welcome the opportunity to assist you in integrating Security Hub into your environment; we'll provide our team of cloud experts to help review your cloud security posture.  

Reach out to your WWT account team or explore more of our B2B platform to find out how we can help you achieve your goals.