AWS Security Hub

What is Security Hub?

AWS launched AWS Security Hub in 2018 as an integrated security service that gives you a comprehensive view of the security state of your AWS environments, so that you can check your infrastructure's compliance with industry security standards and best practices.

It collects security findings from three AWS security services (Amazon GuardDuty, Amazon Inspector, Amazon Macie) and from 30+ third-party partner products, which lets you analyze security trends and identify the highest-priority security issues.

Security Hub — Benefits

1. Reduces the effort to collect and prioritize security findings across accounts

2. Automatically runs continuous, account-level configuration and compliance checks based on industry standards such as the CIS Benchmarks [2] published by the Center for Internet Security (https://www.cisecurity.org/cis-benchmarks)

3. Consolidates your security findings across accounts onto a single dashboard

4. Integrates with CloudWatch Events, which lets you automate the response to specific findings by defining custom actions, for example to send them to a ticketing system.

The Components

Security Hub aggregates, organizes and prioritizes your security alerts, or findings, from multiple AWS services such as Amazon GuardDuty, Amazon Inspector and Amazon Macie, as well as from 30+ partner solutions.

AWS Security Finding Format

Findings from AWS security services and third-party products are processed by Security Hub in a standard JSON format called the AWS Security Finding Format (ASFF). This eliminates the need for time-consuming data conversion. Security Hub then correlates these findings and prioritizes them.
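The two points above, custom actions that forward findings to a ticketing system and the common ASFF format, come together in the following added example. It is not code from the original article or from AWS: a Lambda-style handler that receives the CloudWatch event emitted by a Security Hub custom action, checks that each ASFF finding carries its required fields, drops findings that are already resolved or passed their check, and turns the rest into ticket payloads ordered by severity. Assumptions not stated on the page: the event follows the "Security Hub Findings - Custom Action" shape with the findings under detail.findings; the ticket schema is hypothetical; the sample event is constructed, and its account id, ARNs, finding ids and timestamps are placeholders.

```python
"""Added example (not code from the original article or from AWS): a
Lambda-style handler that receives the CloudWatch event emitted by a
Security Hub custom action, validates the ASFF findings it carries and
turns the ones that still need work into ticket payloads, highest severity first.

Assumptions (not stated on the page): the event follows the
"Security Hub Findings - Custom Action" shape, with the findings under
detail.findings; the ticket schema is hypothetical; the sample event is
constructed, and its account id, ARNs, finding ids and timestamps are placeholders.
"""

# Fields every ASFF finding must carry (schema version 2018-10-08).
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)

# ASFF severity labels, lowest to highest.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _finding(fid, title, label, normalized, compliance, workflow="NEW"):
    """Build one constructed ASFF finding (placeholder identifiers)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": fid,
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "GeneratorId": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
        "AwsAccountId": "111111111111",
        "Types": ["Software and Configuration Checks/Industry and Regulatory Standards/CIS AWS Foundations Benchmark"],
        "CreatedAt": "2020-01-01T00:00:00.000Z",
        "UpdatedAt": "2020-01-02T00:00:00.000Z",
        "Severity": {"Label": label, "Normalized": normalized},
        "Title": title,
        "Description": f"Constructed description for {fid}",
        "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111111111111"}],
        "Compliance": {"Status": compliance},
        "Workflow": {"Status": workflow},
        "RecordState": "ACTIVE",
    }


# Constructed custom-action event with four sample findings.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "actionName": "SendToTicketing",
        "actionDescription": "Open a ticket for the selected findings",
        "findings": [
            _finding("cis-1.3", "Ensure credentials unused for 90 days are disabled", "LOW", 30, "FAILED"),
            _finding("cis-2.1", "Ensure CloudTrail is enabled in all regions", "HIGH", 70, "FAILED"),
            _finding("cis-1.1", "Avoid the use of the root account", "INFORMATIONAL", 0, "PASSED"),
            _finding("cis-3.1", "Ensure a log metric filter exists for unauthorized API calls",
                     "MEDIUM", 50, "FAILED", workflow="RESOLVED"),
        ],
    },
}


def missing_fields(finding):
    """Return the required ASFF fields absent from a finding (empty if valid)."""
    return [f for f in ASFF_REQUIRED if f not in finding]


def needs_action(finding):
    """Active, unresolved findings whose check did not pass still need work."""
    return (
        finding.get("RecordState") == "ACTIVE"
        and finding.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")
        and finding.get("Compliance", {}).get("Status", "NOT_AVAILABLE") != "PASSED"
    )


def prioritize(findings):
    """Valid, actionable findings ordered by severity label, then normalized score."""
    keep = [f for f in findings if not missing_fields(f) and needs_action(f)]
    return sorted(
        keep,
        key=lambda f: (SEVERITY_RANK.get(f["Severity"].get("Label"), -1),
                       f["Severity"].get("Normalized", 0)),
        reverse=True,
    )


def to_ticket(finding):
    """Flatten one finding into a hypothetical ticketing payload."""
    return {
        "summary": f"[{finding['Severity'].get('Label', 'UNKNOWN')}] {finding['Title']}",
        "description": finding["Description"],
        "account": finding["AwsAccountId"],
        "resources": [r.get("Id") for r in finding["Resources"]],
        "finding_id": finding["Id"],
        "compliance": finding.get("Compliance", {}).get("Status", "NOT_AVAILABLE"),
    }


def handle_custom_action(event):
    """Entry point: ignore other event types, return ordered ticket payloads."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return []
    return [to_ticket(f) for f in prioritize(event.get("detail", {}).get("findings", []))]


if __name__ == "__main__":
    for ticket in handle_custom_action(SAMPLE_EVENT):
        print(ticket["finding_id"], ticket["summary"])
```

Run as a script, the handler emits tickets for the HIGH and LOW failed checks only: the PASSED finding and the one already marked RESOLVED in its Workflow are filtered out before prioritization, which is the filtering a ticketing integration needs so that closed or compliant items do not reopen tickets.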

Security Compliance

AWS Security Hub checks your accounts against the CIS AWS Benchmarks [2]. CIS Controls and CIS Benchmarks are a globally recognized standard and best practice for securing IT systems and data against the most pervasive attacks. The CIS compliance guidelines contain 43 checks, grouped under Identity and Access Management (IAM), Monitoring and Logging.

CIS Quick Start Deployment

To become compliant, most of the failed checks (listed on the Security Hub dashboard) can be remediated with the Quick Start deployment script [3] provided by AWS.

The Quick Start is deployed as a CloudFormation template and creates the CloudWatch event rules, alarms and log filters that the checks require. Once it has run, you will see a marked improvement in compliance.

CloudTrail and AWS Config must be set up in all AWS regions before deploying the Quick Start.
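Because the Quick Start depends on CloudTrail and AWS Config being present in every region, the following added example (not code from the original article or from the Quick Start) is a read-only readiness check that reports which regions still lack a logging trail or a recording Config recorder. It assumes the caller has already collected, per region, the trail list from boto3's cloudtrail.describe_trails() merged with the IsLogging flag from get_trail_status(), and the recorder list from configservice.describe_configuration_recorder_status(); the block itself makes no AWS calls, and the region list and per-region data are constructed.

```python
"""Added example (not from the original article or the Quick Start): a
read-only readiness check run before deploying the CIS Quick Start, reporting
the regions that still lack a logging CloudTrail trail or a recording AWS
Config recorder.

Assumptions (not from the page): the caller has already collected, per
region, the trail list from boto3 cloudtrail.describe_trails() merged with
IsLogging from get_trail_status(), and the recorder list from
configservice.describe_configuration_recorder_status(); this block makes no
AWS calls and the sample data below is constructed.
"""

# Constructed region list used for the demonstration.
REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2"]

# Constructed per-region trail data. A multi-region trail (IsMultiRegionTrail)
# delivers events from every region, so one such logging trail covers them all.
TRAILS_BY_REGION = {
    "us-east-1": [{"Name": "regional-trail", "IsMultiRegionTrail": False, "IsLogging": True}],
    "eu-west-1": [],
    "ap-southeast-2": [{"Name": "stopped-trail", "IsMultiRegionTrail": False, "IsLogging": False}],
}

# Constructed per-region Config recorder status, shaped like
# describe_configuration_recorder_status()["ConfigurationRecordersStatus"].
RECORDERS_BY_REGION = {
    "us-east-1": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
    "eu-west-1": [{"name": "default", "recording": True, "lastStatus": "SUCCESS"}],
    "ap-southeast-2": [],
}


def cloudtrail_covers(region, trails_by_region):
    """True if the region is covered by a logging trail, local or multi-region."""
    for trail_region, trails in trails_by_region.items():
        for trail in trails:
            if not trail.get("IsLogging"):
                continue  # a stopped trail covers nothing
            if trail.get("IsMultiRegionTrail") or trail_region == region:
                return True
    return False


def config_records(region, recorders_by_region):
    """True if at least one AWS Config recorder in the region is recording."""
    return any(r.get("recording") for r in recorders_by_region.get(region, []))


def missing_prerequisites(regions, trails_by_region, recorders_by_region):
    """Map each region that is not ready to the prerequisites it lacks."""
    gaps = {}
    for region in regions:
        missing = []
        if not cloudtrail_covers(region, trails_by_region):
            missing.append("cloudtrail")
        if not config_records(region, recorders_by_region):
            missing.append("config")
        if missing:
            gaps[region] = missing
    return gaps


if __name__ == "__main__":
    gaps = missing_prerequisites(REGIONS, TRAILS_BY_REGION, RECORDERS_BY_REGION)
    if not gaps:
        print("all regions ready for the Quick Start")
    for region, missing in gaps.items():
        print(f"{region}: missing {', '.join(missing)}")
```

With the constructed data, eu-west-1 has no trail at all and ap-southeast-2 has a trail that is not logging and no Config recorder, so both are reported; a single multi-region trail that is logging would clear the CloudTrail gap for every region, which is why the check looks across all regions rather than only at the region being evaluated.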

References

1. The Shared Responsibility Model: https://aws.amazon.com/compliance/shared-responsibility-model/

2. CIS Benchmarking: https://www.cisecurity.org/cis-benchmarks/

3. CIS Quick Start Compliance Git (Original): https://github.com/aws-quickstart/quickstart-compliance-cis-benchmark