Profile Applicability

  • Level 2

Description

AWS Security Hub provides a comprehensive view of your security posture across AWS accounts and services. It integrates findings from AWS services and third-party tools, evaluates compliance against security standards, and generates actionable insights. Ensuring Security Hub is enabled and its standard subscriptions are configured helps maintain a secure and compliant environment.

Rationale

  • Enhanced Security: Consolidates security findings and provides actionable insights.

  • Compliance: Evaluates compliance against industry standards such as CIS, PCI DSS, and NIST.

  • Risk Mitigation: Identifies and prioritizes security risks across AWS accounts.

Impact

Pros:

  • Centralized view of security findings across AWS accounts and services.

  • Continuous compliance checks against security standards.

  • Integration with AWS services and third-party tools for comprehensive security management.

Cons:

  • May incur additional costs for findings ingestion and security checks.

  • Requires configuration and management of standard subscriptions.

Default Value

By default, AWS Security Hub is not enabled. It must be explicitly activated in each AWS Region.

Pre-Requisite

IAM Permissions Required:

  • securityhub:EnableSecurityHub

  • securityhub:DescribeHub

  • securityhub:ListEnabledStandards

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Security Hub.

  3. If Security Hub is not enabled, you will see a Get Started page. Follow the prompts to enable it.

  4. Check the Security Standards section to verify which standards are enabled.

Using AWS CLI:

  1. Check if Security Hub is enabled:

    aws securityhub describe-hub

  2. List enabled security standards:

    aws securityhub get-enabled-standards --query "StandardsSubscriptions[*].{StandardsArn:StandardsArn,StandardsStatus:StandardsStatus}"

Implementation Steps:

Using AWS Console:

  1. Enable Security Hub:

    • Navigate to Security Hub in the AWS Management Console.

    • Click Enable Security Hub and follow the prompts.

  2. Enable Security Standards:

    • Go to the Security Standards section.

    • Select the desired standards (e.g., CIS AWS Foundations Benchmark, PCI DSS, NIST).

    • Enable the standards to start compliance checks.

Using AWS CLI:

  1. Enable Security Hub:

    aws securityhub enable-security-hub

  2. Enable a specific security standard:

    aws securityhub batch-enable-standards --standards-subscription-requests StandardsArn=<standard-arn>

  3. Verify the enabled standards:

    aws securityhub get-enabled-standards

Backout Plan

Using AWS Console:

  1. If enabling Security Hub or configuring standard subscriptions causes issues, sign in to the AWS Management Console.
    Navigate to Security Hub, go to the Standards section, and disable any problematic standard subscriptions.

  2. If needed, disable Security Hub by going to Security Hub Settings and clicking Disable Security Hub.

Using AWS CLI:

  1. To disable a standard subscription:

    aws securityhub batch-disable-standards --standards-subscription-requests "StandardsArn=<STANDARD_ARN>" --region <REGION>

  2. To disable Security Hub:

    aws securityhub disable-security-hub --region <REGION>

References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.