AWS Security Hub is an AWS-managed cloud service that helps companies and enterprises gather, analyze, and manage cloud security findings. Learn how companies use Security Hub and read best practices for getting started with AWS Security Hub.
What is AWS Security Hub?
AWS Security Hub is an Amazon Web Services (AWS) provided service for aggregating, viewing, and managing security alerts and findings across your cloud environments.
Security Hub enables teams to gather and manage security findings from AWS services, AWS Partner Solutions, and third-party security solutions in a single view. Teams can collect security information from services including Amazon GuardDuty, IAM Access Analyzer, Amazon Macie, AWS Firewall Manager, and AWS Partner solutions.
While other solutions may be available to gather findings from AWS services, Security Hub is specifically built as a solution for managing AWS security findings.
Why Do Teams Use Security Hub?
DevOps and SecOps teams leverage a number of cloud security services when building and managing applications and workloads in AWS and the public cloud.
When managing applications in the cloud, security teams may implement services to manage processes such as:
- Generating and collecting logs – with CloudTrail, CloudWatch, or similar
- Intrusion detection – with AWS GuardDuty or similar
- Vulnerability scanning – with AWS Inspector or similar
- Anti-virus solutions
- Endpoint Monitoring
- Cloud configuration management
All of these services generate security findings that need to be acted upon and resolved by the security team. For example, teams may need to update a vulnerable dependency discovered by vulnerability scanning, or remediate detected malware. Security Hub allows AWS users to gather security findings from all of these different services in one place and better view, sort, and act on these findings. Teams can use Security Hub to automate collection of security findings and remediation of cloud security issues.
What Are Some Use Cases for Security Hub?
There are several reasons why DevOps and Security teams may use AWS Security Hub within their organization. Security Hub provides teams with the following capabilities:
- Provides a central place to view events and findings from multiple security sources and AWS services
- Provides the ability to connect findings from multiple AWS accounts
- Provides a view of your security alerts and security posture across your AWS accounts
- Provides teams with the ability to search through all collected security findings
- Provides teams with standardized insights related to findings
Security Hub provides more powerful insight into services such as EC2 and managed AWS services such as Amazon RDS and Lambda. Teams that utilize many AWS managed services and/or multiple AWS accounts may find more value in the service.
Ultimately, Security Hub is a specialized AWS service that teams may consider using as one part of their cloud-native security process.
What AWS Services Work with Security Hub?
AWS Security Hub can connect and digest findings from many data sources, including AWS cloud security services.
Currently users can connect Security Hub to AWS cloud services including:
- AWS CloudTrail – To gather events and API calls that occur across AWS and your cloud environment
- AWS GuardDuty – To gather intrusion detection data as it relates to cloud resources such as EC2 instances
- AWS Macie – To gather data classification information and findings related to personally identifiable information (PII)
- AWS Inspector – To gather events related to vulnerability scanning, specifically for EC2 instances
- IAM Access Analyzer – To gather security information and alerts related to IAM users, roles, and permissions
- AWS Firewall Manager – To gather events related to AWS WAF, AWS Shield, and Amazon VPCs
In order to get a better view of security events across your environment, it is recommended that teams enable AWS CloudTrail, AWS GuardDuty, AWS Macie, and AWS Inspector in all AWS accounts to collect relevant security findings.
What Security Controls Can Be Enabled with Security Hub?
Alongside the many security solutions and cloud services that can be connected to Security Hub, security teams can also enable AWS-provided control sets across their cloud environments.
AWS Security Hub provides control sets for the following standards:
- CIS AWS Foundations
- Payment Card Industry Data Security Standard (PCI DSS)
- AWS Foundational Security Best Practices
Your team can enable one or more of these sets of controls in order to monitor configuration across your cloud. After enabling these standards, AWS will start gathering security findings related to these controls.
In addition, teams can use a solution such as Dash ComplyOps in order to gather security findings and connect Security Hub findings to compliance standards and controls including HIPAA, SOC 2, NIST CSF, and more. With Dash, your team can digest Security Hub events, map these findings to standards within compliance frameworks, and create robust control sets to meet security and compliance needs.
What Security Hub Integrations Are Available?
Aside from collecting insight and findings from AWS native security services, AWS Security Hub can automatically aggregate security findings data from supported AWS Partner security solutions, so your team can get a more comprehensive view of security and compliance across your AWS environment.
This means third-party security solutions used by your team can be connected to Security Hub alongside AWS services. Many popular products and services used for threat detection, endpoint protection, anti-virus, and security configuration can integrate with Security Hub.
Teams can connect Security Hub to services such as:
- Dash ComplyOps
How Do Teams Manage Compliance with Security Hub?
Security Hub is a great service for gathering information across AWS cloud accounts. Security leaders can gather events and findings from AWS cloud services and third-party security solutions. Once these security events are being collected by Security Hub, it is up to the organization to establish a workflow for handling security findings.
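As an added example (not Dash ComplyOps or AWS code), the following Python shows what such a findings workflow looks like at the API level: the request shapes used to enable the control sets named above (via `batch_enable_standards`) and to pull findings server-side (via `get_findings`), plus the same triage criteria applied locally to findings in the AWS Security Finding Format (ASFF). The finding records, account IDs, and resource names are constructed sample data; in a live account the same dicts are returned by the boto3 `securityhub` client, which this block deliberately does not import so it runs offline.

```python
"""Triage AWS Security Hub findings (ASFF) and build Security Hub request shapes.

Added example. The sample findings below are constructed; they mirror the
dicts returned by boto3 securityhub.get_findings() in a real account.
"""
from collections import Counter

# Standard ARNs for the three control sets the article names. The CIS ruleset
# ARN is global; the FSBP and PCI DSS standard ARNs are region-scoped.
CIS_STANDARD_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


def standard_arns(region):
    return {
        "cis": CIS_STANDARD_ARN,
        "fsbp": f"arn:aws:securityhub:{region}::standards/aws-foundational-security-best-practices/v/1.0.0",
        "pci": f"arn:aws:securityhub:{region}::standards/pci-dss/v/3.2.1",
    }


def enable_standards_request(region, keys=("cis", "fsbp")):
    """Value for batch_enable_standards(StandardsSubscriptionRequests=...)."""
    arns = standard_arns(region)
    return [{"StandardsArn": arns[k]} for k in keys]


def _eq(value):
    return {"Value": value, "Comparison": "EQUALS"}


def get_findings_filters(severity_labels, workflow_status="NEW", record_state="ACTIVE"):
    """Server-side filter dict for get_findings(Filters=...): only live,
    untriaged findings at the chosen severities."""
    return {
        "SeverityLabel": [_eq(s) for s in severity_labels],
        "WorkflowStatus": [_eq(workflow_status)],
        "RecordState": [_eq(record_state)],
    }


def needs_action(finding, severity_labels):
    """Same criteria applied locally to one ASFF record (e.g. an exported batch)."""
    if finding.get("RecordState") != "ACTIVE":
        return False  # ARCHIVED findings are stale copies, not open issues
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return False  # NOTIFIED/RESOLVED/SUPPRESSED are already in a workflow
    if finding.get("Severity", {}).get("Label") not in severity_labels:
        return False
    # Control findings carry Compliance.Status; a PASSED control needs no work.
    # Threat findings (e.g. GuardDuty) have no Compliance block and are kept.
    return finding.get("Compliance", {}).get("Status", "FAILED") != "PASSED"


def triage(findings, severity_labels=("CRITICAL", "HIGH")):
    """Actionable findings, most severe first (by ASFF Severity.Normalized)."""
    actionable = [f for f in findings if needs_action(f, severity_labels)]
    return sorted(actionable, key=lambda f: f["Severity"].get("Normalized", 0), reverse=True)


def count_by_account(findings):
    """Open-finding counts per AWS account, for a cross-account summary."""
    return Counter(f["AwsAccountId"] for f in findings)


def _sample(fid, product, account, label, normalized, workflow, title,
            record="ACTIVE", compliance=None):
    # Constructed ASFF record using the fields the triage logic reads.
    rec = {
        "SchemaVersion": "2018-10-08",
        "Id": f"constructed-finding/{fid}",
        "ProductArn": f"arn:aws:securityhub:us-east-1::product/aws/{product}",
        "AwsAccountId": account,
        "Title": title,
        "Severity": {"Label": label, "Normalized": normalized},
        "Workflow": {"Status": workflow},
        "RecordState": record,
    }
    if compliance:
        rec["Compliance"] = {"Status": compliance}
    return rec


SAMPLE_FINDINGS = [
    _sample("1", "securityhub", "111122223333", "CRITICAL", 90, "NEW",
            "S3.2 S3 buckets should prohibit public read access", compliance="FAILED"),
    _sample("2", "securityhub", "111122223333", "HIGH", 70, "NOTIFIED",
            "CIS 1.4 Ensure access keys are rotated", compliance="FAILED"),
    _sample("3", "guardduty", "222233334444", "MEDIUM", 50, "NEW",
            "Unusual API call from the instance role"),
    _sample("4", "securityhub", "222233334444", "LOW", 10, "RESOLVED",
            "PCI.IAM.1 Root user access key should not exist", record="ARCHIVED", compliance="PASSED"),
    _sample("5", "guardduty", "222233334444", "HIGH", 70, "NEW",
            "EC2 instance communicating with a known C2 domain"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f["Severity"]["Label"], f["AwsAccountId"], f["Title"])
    print(dict(count_by_account(triage(SAMPLE_FINDINGS))))
```

Run as-is it prints the two findings that are live, untriaged, and at CRITICAL/HIGH severity, skipping the NOTIFIED control finding, the MEDIUM threat finding, and the ARCHIVED/PASSED one; the `get_findings_filters` dict expresses those same criteria for the server side so large accounts are not paged through client-side.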
Dash ComplyOps provides teams with a solution for digesting Security Hub findings and managing security events as they relate to compliance standards and security programs. Security teams can use Dash to map Security Hub findings to regulatory and compliance standards including SOC 2, HIPAA, HITRUST and more. Learn how your team can manage compliance with Dash and Security Hub.