Profile Applicability:

Level 2

Description:

AWS Security Hub is a security management service that aggregates, analyzes, and prioritizes security findings from AWS services and supported third-party tools. It provides a centralized view of security posture across multiple AWS accounts and regions, enabling organizations to detect security risks and enforce compliance standards.

When Security Hub is enabled, it begins collecting security data from:

  • AWS services such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie.

  • Third-party security tools integrated into AWS.

  • Industry security benchmarks such as CIS AWS Foundations Benchmark and PCI DSS compliance checks.

Rationale:

Enabling AWS Security Hub provides:

  • Real-time security insights across AWS accounts and services.

  • Automated compliance checks against industry security standards.

  • Centralized security visibility for detecting and responding to threats.

It is recommended to enable Security Hub in all AWS regions to ensure full coverage of security monitoring and compliance tracking.

Impact:

  • Security Hub requires AWS Config to be enabled, which may incur additional costs.

  • Enabling Security Hub in all AWS regions may generate alerts that require investigation.

  • AWS Security Hub pricing is based on usage (findings ingested per account per region).

Default Value:

  • AWS Security Hub is disabled by default.

  • Users must manually enable Security Hub in each AWS region where security monitoring is required.

Pre-Requisites:

  1. AWS CLI Installed (for command-line verification and remediation).

  2. IAM Permissions Required:

    • securityhub:DescribeHub (for the test plan).

    • securityhub:EnableSecurityHub (for implementation).

  3. AWS Config must be enabled to use AWS Security Hub.

  4. Review AWS Security Hub pricing before enabling it across multiple regions.

Remediation:

Test Plan:

Using AWS Console

  1. Log in to the AWS Management Console.

  2. Open the AWS Security Hub console.

  3. On the top-right, select the target AWS region.

  4. Check if the Security Hub Summary page is displayed:

    • ✅ If yes, Security Hub is enabled.

    • ❌ If "Setup Security Hub" or "Get Started With Security Hub" appears, Security Hub is not enabled.

  5. Repeat for all AWS regions in use.

Implementation Steps:
Using AWS Console

  1. Log in to the AWS Management Console.

  2. Open the AWS Security Hub console.

  3. Click Go to Security Hub.

  4. On the welcome page, under Security Standards, check the box to enable security standards such as:

    • CIS AWS Foundations Benchmark

    • AWS Foundational Security Best Practices

    • PCI DSS Compliance (if required)
  5. Click Enable Security Hub.

  6. Repeat for all AWS regions where Security Hub needs to be enabled.

Backout Plan:

If enabling AWS Security Hub causes issues:

  1. Disable Security Hub:

    aws securityhub disable-security-hub --region <region-name>

  2. Verify Security Hub is disabled:

    aws securityhub describe-hub --region <region-name>

    • Expected Output: Error message indicating Security Hub is not subscribed.

  3. Ensure AWS Config settings are retained if used by other security services.
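An added shell helper, not part of the benchmark text, that runs the describe-hub check from the backout plan across every region of the account and classifies each result, so it also serves as a command-line version of the per-region test plan above. It assumes the AWS CLI is installed with credentials allowing securityhub:DescribeHub, securityhub:EnableSecurityHub and ec2:DescribeRegions; the two sample outputs embedded in it are constructed, and no AWS call is made unless RUN_AUDIT is set.

```shell
#!/bin/sh
# Added audit helper; not part of the benchmark text. Assumes the AWS CLI is
# installed and credentials with securityhub:DescribeHub, securityhub:EnableSecurityHub
# and ec2:DescribeRegions are configured. Nothing below calls AWS unless RUN_AUDIT is set.

# Constructed samples of what `aws securityhub describe-hub` returns in each state.
SAMPLE_ENABLED='{"HubArn": "arn:aws:securityhub:us-east-1:111122223333:hub/default", "SubscribedAt": "2024-01-01T00:00:00.000Z"}'
SAMPLE_DISABLED='An error occurred (InvalidAccessException) when calling the DescribeHub operation: Account 111122223333 is not subscribed to AWS Security Hub'

# Classify the merged stdout/stderr of `aws securityhub describe-hub`.
# Prints ENABLED, DISABLED or UNKNOWN: a successful call always carries HubArn,
# and the "not subscribed" error is the one the backout plan expects.
classify_hub_output() {
  case "$1" in
    *\"HubArn\"*)        echo ENABLED ;;
    *"not subscribed"*)  echo DISABLED ;;
    *)                   echo UNKNOWN ;;   # throttling, missing credentials, etc.
  esac
}

# Check one region; the error path goes to stderr, so merge streams before classifying.
check_region() {
  out=$(aws securityhub describe-hub --region "$1" 2>&1) || true
  printf '%-16s %s\n' "$1" "$(classify_hub_output "$out")"
}

# Walk every region enabled for the account so a disabled region cannot go unnoticed.
audit_all_regions() {
  for r in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    check_region "$r"
  done
}

# Remediation for one region; --enable-default-standards turns on the standards Security Hub
# treats as default (AWS Foundational Security Best Practices and CIS AWS Foundations Benchmark).
enable_hub_region() {
  aws securityhub enable-security-hub --enable-default-standards --region "$1"
}

if [ -n "${RUN_AUDIT:-}" ]; then
  audit_all_regions
fi
```

Run with `RUN_AUDIT=1 sh audit_securityhub.sh` to print one status line per region; any region reported DISABLED is a finding against this recommendation.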

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  -------------------   ----------   ---------------------------------------------------------------
  CIS v8                7.1          Establish and maintain a vulnerability management process.
  CIS v7                11.3         Use automated tools to verify standard device configurations.