Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Detect AWS Security Hub Configuration Changes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: SecurityHub-001

Ensure that AWS Security Hub security standards, enabled within your AWS account(s), are reviewed in order to decide whether or not these standards should be considered unwanted and disabled.

Note 1: You can easily enable and disable configuration changes that you would like to monitor for this rule on Cloud Conformity console based on your requirements.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Cloud Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Security Hub service level, within your AWS account.


Security Hub is the AWS service that collects, organizes and prioritizes security findings (i.e. potential security risks) from supported AWS and third-party services, as well as generating its own findings as the result of running continuous configuration checks against the conformity rules supported by the industry best practices such as CIS AWS Foundations Benchmark – a set of security configuration best practices for AWS cloud. The Security Hub service aggregates findings from native AWS services enabled in your account(s), such as vulnerability scans from AWS Inspector service, intrusion detection findings from AWS GuardDuty and sensitive data identification findings from Amazon Macie. The main purpose of Amazon Security Hub is to help you obtain and view the overall security and compliance status of your AWS cloud environment in one place. As a security best practice, you need to be aware of all configuration changes made at the AWS Security Hub level, changes such as disabling the service, enabling/disabling security standards, creating/deleting insights and so on. The activity detected by this Cloud Conformity RTMA rule could be any root/IAM user request initiated through AWS Management Console or any AWS API request initiated programmatically using AWS CLI or SDKs, that triggers any of the Amazon Security Hub service actions listed below:

"AcceptInvitation" - Accepts the invitation to be monitored by a master Security Hub account.

"BatchEnableStandards" - Enables the supported standards (for example, CIS AWS Foundations) specified by the standards ARNs.

"BatchDisableStandards" - Disables the supported standards specified by the standards subscription ARNs.

"BatchImportFindings" - Imports Security Hub findings that are generated by the integrated third-party providers.

"CreateInsight" - Creates an insight, i.e. a collection of findings that identifies a security area within your AWS environment that requires attention and/or intervention.

"CreateMembers" - Creates member Security Hub accounts within the current AWS account (which becomes the master Security Hub account) that has Security Hub service enabled.

"DeclineInvitations" - Declines invitations that are sent to the current AWS account (invitee) by other AWS accounts (inviters).

"DeleteInsight" - Deletes a security insight specified by the insight Amazon Resource Name (ARN).

"DeleteInvitations" - Deletes invitations that are sent to the current AWS account (invitee) by the AWS accounts (inviters).

"DeleteMembers" - Deletes the Security Hub member accounts that are specified by the account IDs.

"DisableImportFindingsForProduct" - Stops you from importing security findings generated by third-party providers into Security Hub.

"DisableSecurityHub" - Disables the Amazon Security Hub service.

"DisassociateFromMasterAccount" - Disassociates the current Security Hub member account from its master account.

"DisassociateMembers" - Disassociates the Security Hub member accounts that are specified by the account IDs from their master account.

"EnableImportFindingsForProduct" - Enables you to import findings generated by integrated third-party providers into Security Hub.

"EnableSecurityHub" - Enables the AWS Security Hub service.

"InviteMembers" - Invites other AWS accounts to enable AWS Security Hub and become Security Hub member accounts.

"UpdateInsight" - Updates the Amazon Security Hub insight specified by the insight ARN.

"BatchUpdateFindings" - Updates the Amazon Security Hub findings specified by their investigation.

Security Hub is the AWS service that gives you a broad view of your high-priority security alerts and compliance status across your AWS accounts. As a comprehensive monitoring tool, specially designed for multi-account AWS environments, Cloud Conformity strongly recommends that you avoid as much as possible to provide your non-privileged IAM users the permission to change the Security Hub service configuration within your Amazon Web Services master account.

The communication channels required for sending RTMA notifications can be configured in your Cloud Conformity account. The list of supported communication channels that you can use to receive configuration change alerts for Amazon Security Hub are SMS, Email, PagerDuty, Slack, Zendesk and ServiceNow.

Remediation / Resolution

The detailed visibility that you gain into your cloud environment activity is a key aspect of security and operational best practices. Using Cloud Conformity RTMA to detect Amazon Security Hub configuration changes, can help you prevent any accidental or intentional modifications that may lead to security breaches or unauthorized access to AWS resources and services. With Amazon Security Hub you continuously monitor your AWS accounts using automated compliance checks based on industry best practices or security standards that your organization follows closely, therefore detecting any configuration change made at the Security Hub service level is essential for keeping your AWS cloud environment secure.

References

Publication date Dec 14, 2018