This was a Tech Talk done at Auxenta (Pvt) Ltd in Aug 2019

1. By Crishantha Nanayakkara
AWS Security Hub
Source: AWS Blogs

2. Agenda
●
What is Security Hub?
●
The Need
●
The Benefits
●
How it works
●
Security Hub – Integrations
●
Security Hub – Compliance
●
Pricing
●
Demo

3. Re­Invent 2018 – Security Hub Launch
Andy Jassy, AWS CEO at Re-Invent 2018, Las Vegas
Reference: https://www.youtube.com/watch?v=a4l1UCo3YHE

4. The Competition
Azure Security Center Google Cloud Security Command Center

5. The Need
●
Security Compliance Issues – Which Security
compliance is most suited?
●
So many security alert formats from different
security products – Need to spend a lot of money to
get them to a common format, which can be searched
and analyzed
●
Too many security alerts from so many products and
services
●
To have a single integrated view for all security
alerts

6. AWS Security Hub provides you with a comprehensive
view of your security state in your AWS environment and
helps you check your compliance with the security
industry standards and best practices.
What is Security Hub?
Security Hub collects security data from across AWS
accounts, services, and supported third­party partner
products and helps you analyze your security trends and
identify the highest priority security issues.

7. The Benefits
●
Reduces the effort to collect and prioritize security
findings across accounts from integrated AWS services
and AWS partner products.
●
Automatically runs continuous, account level
configuration and compliance checks based on
industry standards such as CIS benchmarking.
●
Consolidate your security findings across accounts on
to a dashboard.
●
Supports integration with CloudWatch events, which
lets you automate specific findings by defining custom
actions and send them to a ticketing system.

9. How it works
Security Hub aggregates, organizes and prioritizes your
security alerts or findings from multiple AWS services such as
Amazon GuardDuty, Amazon Inspector and Amazon Macie,
as well as from AWS partner solutions (30+)

11. ●
AWS GuardDuty: A threat detection service that continuously
monitors VPC flow logs, CloudTrail logs and DNS logs. It is an
intelligent threat detection service coupled with Lambda
functions to take actions.
●
AWS Inspector: A security assessment service, which is used
to check for application exposures.
●
AWS Macie: A security service that uses machine learning to
automatically discover, classify, and protect sensitive data in
AWS
Security Integrations ­ Services

12. Security Integrations ­ Partners
Extended the ecosystem to many security partner products

13. ●
AWS Security Hub Findings from AWS Security Services and
third party products are possessed by Security Hub using a
standard finding format called AWS Security Finding Format
(JSON type).
●
This basically eliminates the need of any time­consuming data
conversion efforts.
●
Then these findings are correlated via Security Hub by some
prioritization
●
Reference:
https://docs.aws.amazon.com/securityhub/latest/userguide/se
curityhub­findings­format.html
AWS Security Finding Format

14. Security Hub ­ Compliance
Only one Compliance Guideline (43) – CIS Benchmark

15. How to get there?

16. CIS Benchmarks
(https://www.cisecurity.org/cis­benchmarks/)
Resource: https://www.cisecurity.org/cis-benchmarks/

17. CIS AWS Benchmark Report V1.20
The checklist has three
main parts:
IAM, Logging, Monitoring

18. ●
The initial Quick Start Guide was created by
Accenture in collaboration with AWS.
●
Quick Start sets up the following:
– AWS Config Rules
– CloudWatch Alarms
– CloudWatch Events
– Lambda Functions
– AWS CloudTrail
CIS Quick Start Deployment

19. CIS Quick Start Deployment
Architecture

20. CIS Quick Start Deployment
(The Prerequisites)
Requires AWS CloudTrail and AWS Config
to be enabled in all AWS Regions

21. AWS Config
●
AWS Config provides a detailed view of the
configurations of AWS resources in an AWS account.

22. AWS CloudTrail
●
AWS Best Practice: Having the “trail” in a single
region

23. CIS Quick Start Deployment
(The Steps)
●
Once login to the AWS console, select the region you
want to run the compliance.
●
Move to “CloudFormation” on the console.
●
Select the CloudFormation Template from:
The original version is in:
https://github.com/aws­quickstart/quickstart­compliance­cis­bench
mark

24. CIS Quick Start Deployment
(The Steps)
●
If all go well, check Cloudwatch console for the
events and Logs.
●
You could see a separate set of events, alarms, filters
and lambda functions are installed on your setup.
●
These will basically set up the CIS compliance for
you!!

25. CIS Quick Start Deployment
(The Steps)
●
If all go well, check Cloudwatch console for the
events and Logs.
●
You could see a separate set of events, alarms, filters
and lambda functions are installed on your setup.
●
These will basically set up the CIS compliance for
you!!

26. References
●
CIS Quick Start Compliance Git (Original):
https://github.com/aws­quickstart/quickstart­compliance­cis­benchmark
●
CIS Benchmark Template Git (Modified):
https://github.com/cnanayakkara/cis­benchmark­template
●
AWS Control Tower and Security Hub:
https://aws.amazon.com/blogs/enterprise­strategy/aws­control­tower­and­a
ws­security­hub­powerful­enterprise­twins/
●
AWS Re­Inforce 2019:
https://www.youtube.com/watch?v=HsWtPG_rTak&t=1034s
●
AWS Security Hub – User Guide :
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub.pd
f
●
AWS CIS Quick Start Reference Deployment:
https://aws­quickstart.s3.amazonaws.com/quickstart­compliance­cis­benc
hmark/doc/cis­benchmark­on­the­aws­cloud.pdf

27. Thank YouThank You
Auxenta YouTube Channel: Auxenta YouTube Channel: Auxenta 360Auxenta 360
Auxenta VLOGS: Auxenta VLOGS: http://auxenta.com/vlog.phphttp://auxenta.com/vlog.php