
AWS Security Hub Findings

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Mixed (depends on finding criticality/severity)

Check for AWS Security Hub findings in order to identify, analyze and take all the necessary actions to resolve the highest-priority security issues within your AWS cloud environment. A Security Hub finding is a potential security risk, such as a wide-open port like TCP port 22 (SSH) or an AWS root user that is not configured to use Multi-Factor Authentication (MFA) during login. Amazon Security Hub collects, organizes and prioritizes security findings from supported AWS and third-party services, and also generates its own findings by running continuous configuration checks against industry-accepted best practices such as the CIS AWS Foundations Benchmark, a set of security configuration best practices for Amazon Web Services. The Security Hub service aggregates findings from native AWS services enabled in your account(s), such as vulnerability scans from the AWS Inspector service, intrusion detection findings from AWS GuardDuty and sensitive data identification findings from AWS Macie. In addition, to eliminate the need for time-consuming data conversion processes, Amazon Security Hub consumes your security findings in a standard format called the AWS Security Finding Format (ASFF), then correlates the findings across providers to prioritize the most important ones. Finally, your security findings can be sent to a ticketing system like Atlassian Jira, to an email address or to an auto-remediation function provided by the Cloud Conformity platform.

Security

Amazon Security Hub brings together your findings to show you the current security and compliance status of your AWS cloud environment in one place. With AWS Security Hub findings you can greatly reduce the effort of collecting and prioritizing security findings across AWS accounts, from native AWS services (e.g. Amazon GuardDuty, Inspector and Macie) and third-party provider tools, and reduce the time needed for remediation tasks.

Note 1: AWS Security Hub can detect only the security findings that were generated after the service was enabled in your AWS account(s).
Note 2: As an example, this conformity rule demonstrates how to analyze and resolve a Security Hub finding detected by Amazon Inspector after evaluating an EC2 security group that has TCP port 21 (FTP) wide open (0.0.0.0/0) and reachable from the Internet.


Audit

To check for Amazon Security Hub findings within your AWS account(s), perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Findings. If no potential security issues were found by the service providers (AWS-based and third-party), the Amazon Security Hub findings list is empty; otherwise the service dashboard lists all the issues found, ordered by their severity.

04 Choose a Security Hub finding that you want to examine, then click on finding title (link) available in the Title column.

05 Once the finding description panel is open, analyze the selected entry by checking the most important attributes:

  1. Title – the name of the finding, e.g. "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet."
  2. Description – a detailed description of the security finding which includes the AWS resources affected by the security risk e.g. "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234."
  3. Account ID – the ID number of the AWS account where the potential security issue described by the selected finding was found.
  4. Severity label – the severity label associated with the finding, e.g. "Medium". Possible values are High, Medium, Low and Informational.
  5. Product – the solution/service that generates the finding, e.g. "Inspector" (AWS Inspector service).
  6. Compliance status – describes the result of the compliance check. Valid values are: "PASSED" (all resources that were checked were found in compliance with the check), "WARNING" (required configuration information is missing and needs to be supplied), "FAILED" (all resources that were checked failed the check) and "NOT_AVAILABLE" (the check could not be performed due to a service outage, an API error, etc).
  7. Resources – a set of configuration attributes that describe the resources to which the selected finding refers, e.g. "Resource type: AwsEc2Instance", "Resource ID: arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789", "Resource region: us-east-1".
  8. Workflow:
    • Record State – the record state of the security finding. Valid values are "ACTIVE" and "ARCHIVED".
    • Remediation – provides a recommendation on how to remediate the issue identified by the selected finding, e.g. "You can edit the Security Group sg-abcdabcd123456789 to remove access from the internet on port 21".

06 Based on the information returned at the previous step you can analyze the security finding and make a plan to implement the recommended fix (see the Remediation/Resolution section for step-by-step remediation).

07 Repeat steps no. 4 – 6 to analyze other Amazon Security Hub findings found within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the get-findings command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Security Hub-aggregated findings available within the selected region:

aws securityhub get-findings \
	--region us-east-1 \
	--query 'Findings[*].Id'

02 The command output should return an array with the requested ARNs:

[
"arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
"arn:aws:inspector:us-east-1:123456789012:target/0-aabbccdd/template/0-1234abcd/run/0-abcdabcd/finding/0-aaaabbbb",

...

"arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/12341234-abcd-1234-abcd-123412341234",
"arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/1234abcd-1234-abcd-1234-1234abcd1234"
]

03 Create a JSON document required for get-findings command filtering, as shown in the example below, and save it in a file named finding-id.json. Make sure that you replace the ARN of the Security Hub finding listed for the Value attribute with the ARN of the finding that you want to examine:

{
  "Id": [
    {
      "Value": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
      "Comparison": "EQUALS"
    }
  ]
}

04 Execute the get-findings command (OSX/Linux/UNIX) using the ARN of the finding that you want to examine as identifier, listed within the finding-id.json document, to describe the selected Amazon Security Hub finding:

aws securityhub get-findings \
	--region us-east-1 \
	--filters file://finding-id.json

05 The command output should return the configuration metadata for selected security finding:

{
    "Findings": [
        {
            "LastObservedAt": "2018-12-10T08:54:03Z",
            "FirstObservedAt": "2018-12-10T08:54:03Z",
            "GeneratorId": "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd",
            "Severity": {
                "Product": 9,
                "Normalized": 45
            },
            "Title": "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet.",
            "Resources": [
                {
                    "Region": "us-east-1",
                    "Partition": "aws",
                    "Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789",
                    "Details": {
                        "AwsEc2Instance": {
                            "SubnetId": "subnet-abcd1234",
                            "VpcId": "vpc-12345678",
                            "ImageId": "ami-012345678aaaabbbb"
                        }
                    }
                }
            ],
            "WorkflowState": "NEW",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
            "Confidence": 10,
            "ProductFields": {
                "attributes:7/key": "SECURITY_GROUP",
                "attributes:9/value": "acl-1234abcd",
                "aws/securityhub/ProductName": "Inspector",
                "attributes:7/value": "sg-012345678abcdabcd",
                "attributes:4/value": "TCP",
                "attributes:1/key": "RULE_TYPE",
                "serviceAttributes/schemaVersion": "1",
                "attributes:5/value": "igw-abcd1234",
                "serviceAttributes/rulesPackageArn": "arn:aws:inspector:us-east-1:123456789012:rulespackage/0-abcdabcd",
                "attributes:6/key": "VPC",
                "attributes:4/key": "PROTOCOL",
                "attributes:3/value": "FTP",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
                "attributes:6/value": "vpc-12345678",
                "attributes:9/key": "ACL",
                "attributes:0/value": "eni-089c2f505015c6291",
                "aws/securityhub/SeverityLabel": "MEDIUM",
                "attributes:10/value": "i-0abcd1234abcd1234",
                "attributes:3/key": "PORT_GROUP_NAME",
                "attributes:8/key": "REACHABILITY_TYPE",
                "attributes:2/value": "21",
                "attributes:5/key": "IGW",
                "attributes:2/key": "PORT",
                "attributes:1/value": "RecognizedPortNoAgent",
                "attributes:8/value": "Internet",
                "serviceAttributes/assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd",
                "attributes:10/key": "INSTANCE_ID",
                "attributes:0/key": "ENI",
                "aws/securityhub/CompanyName": "AWS"
            },
            "RecordState": "ACTIVE",
            "CreatedAt": "2018-12-10T08:54:03Z",
            "UpdatedAt": "2018-12-10T08:54:03Z",
            "Remediation": {
                "Recommendation": {
                    "Text": "You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21."
                }
            },
            "Description": "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234.",
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
            "Types": [
                "Software and Configuration Checks/AWS Security Best Practices/Network Reachability - Recognized port reachable from internet"
            ],
            "AwsAccountId": "123456789012"
        }
    ]
}

06 Analyze the metadata returned for the selected security finding by checking the following output attributes:

  1. "Title" – the name of the finding, e.g. "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet."
  2. "Description" – a detailed description of the security finding which includes the AWS resources affected by the security risk e.g. "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234."
  3. "AwsAccountId" – the ID number of the AWS account where the potential security issue described by the selected finding was found, e.g. "123456789012".
  4. "ProductFields.aws/securityhub/SeverityLabel" – the severity label associated with the finding, e.g. "MEDIUM". Possible values are "HIGH", "MEDIUM", "LOW" and "INFORMATIONAL".
  5. "ProductFields.aws/securityhub/ProductName" – the service/solution that generates the finding, e.g. "Inspector" (AWS Inspector service).
  6. "Compliance.Status" – describes the result of the compliance check. Valid values are: "PASSED" (all resources that were checked were found in compliance with the check), "WARNING" (required configuration information is missing and needs to be supplied), "FAILED" (all resources that were checked failed the check) and "NOT_AVAILABLE" (the check could not be performed due to a service outage, an API error, etc).
  7. "Resources" – an array that contains the configuration attributes of the resources to which the selected finding refers, e.g. "Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789", "Region": "us-east-1", etc.
  8. "RecordState" – the record state of the security finding. Valid values are "ACTIVE" and "ARCHIVED".
  9. "Remediation.Recommendation" – provides a suggestion on how to remediate the issue identified by the selected finding, e.g. "You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21".

07 Based on the metadata returned at the previous step you can analyze the security risk described by the finding and implement the recommended fix.

08 Repeat steps no. 3 – 7 to check and analyze other Amazon Security Hub findings found in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To solve the security issue associated with your Amazon Security Hub finding as described by the remediation recommendation provided by the finding (in this case updating an EC2 security group to remove inbound access on TCP port 21), perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Findings.

04 Select the Security Hub finding that you want to resolve, then click on finding title (link) available in the Title column.

05 On the selected finding description panel, inside the Workflow section, copy the ID of the insecure EC2 security group available within the finding remediation recommendation (e.g. sg-abcdabcd123456789).

06 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

07 In the navigation panel, under NETWORK & SECURITY, click Security Groups.

08 Paste the security group ID copied at step no. 5 inside the Filter by tags and attributes or search by keyword box and press Enter. The AWS console should return the specified EC2 security group.

09 Select the Inbound tab from the dashboard bottom panel and click Edit to update the existing configuration.

10 In the Edit inbound rules dialog box, choose the ingress rule that has the Port Range value set to 21 and the Source value set to 0.0.0.0/0 and remove it by clicking the x (delete) button available next to the chosen rule.

11 Click Save to apply the changes and return to the EC2 dashboard.

Using AWS CLI

01 Copy the ID of the EC2 security group described within the selected finding remediation (see Audit section part II, step no. 5, "Remediation.Recommendation" attribute value to identify the right resource ID).

02 Run the revoke-security-group-ingress command (OSX/Linux/UNIX) using the security group ID copied at the previous step as identifier, to delete the ingress rule that allows unrestricted inbound access (i.e. 0.0.0.0/0) on port 21 (FTP), as described by the selected Amazon Security Hub finding. The following command example removes an inbound rule that allows public access on TCP port 21 (FTP) from an EC2 security group identified by the ID "sg-abcdabcd123456789" (the command does not produce an output):

aws ec2 revoke-security-group-ingress \
	--region us-east-1 \
	--group-id sg-abcdabcd123456789 \
	--protocol tcp \
	--port 21 \
	--cidr 0.0.0.0/0
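The CLI audit above (steps 03 to 06) and the remediation command that follows it, as an added Python example that is not part of this Conformity page: it parses a constructed get-findings output shaped like the one shown earlier, re-pairs the flattened "attributes:N/key" / "attributes:N/value" entries, keeps only ACTIVE findings at or above a chosen severity label, and builds the revoke-security-group-ingress call from the finding's SECURITY_GROUP, PROTOCOL and PORT attributes instead of from the free-text recommendation. The sample findings, the helper names and the 0.0.0.0/0 CIDR (which the finding itself does not carry) are assumptions.

```python
import json
from collections import defaultdict

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFORMATIONAL": 3}  # labels listed on this page

def _finding(run, port, severity, state, sg):
    """Constructed finding shaped like the get-findings output above, unrelated fields dropped."""
    return {
        "Id": ("arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234"
               "/run/%s/finding/0-port%s" % (run, port)),
        "AwsAccountId": "123456789012", "RecordState": state,
        "ProductFields": {"aws/securityhub/ProductName": "Inspector",
                          "aws/securityhub/SeverityLabel": severity,
                          "attributes:2/key": "PORT", "attributes:2/value": str(port),
                          "attributes:4/key": "PROTOCOL", "attributes:4/value": "TCP",
                          "attributes:7/key": "SECURITY_GROUP", "attributes:7/value": sg,
                          "attributes:8/key": "REACHABILITY_TYPE", "attributes:8/value": "Internet"}}

# Constructed get-findings output: the page's FTP finding, an SSH finding and an archived RDP one.
SAMPLE_OUTPUT = json.dumps({"Findings": [
    _finding("0-aabbccdd", 21, "MEDIUM", "ACTIVE", "sg-abcdabcd123456789"),
    _finding("0-11112222", 22, "HIGH", "ACTIVE", "sg-0011223344556677"),
    _finding("0-33334444", 3389, "HIGH", "ARCHIVED", "sg-0011223344556677")]})

def inspector_attributes(product_fields):
    """Re-pair the flattened 'attributes:N/key' / 'attributes:N/value' entries into one dict."""
    pairs = defaultdict(dict)
    for name, value in product_fields.items():
        if name.startswith("attributes:"):
            index, part = name[len("attributes:"):].split("/", 1)
            pairs[index][part] = value
    return {p["key"]: p["value"] for p in pairs.values() if "key" in p and "value" in p}

def triage(get_findings_output, min_severity="MEDIUM"):
    """Return ACTIVE findings at or above min_severity, highest severity first (audit step 06)."""
    rows = []
    for f in json.loads(get_findings_output)["Findings"]:
        if f.get("RecordState") != "ACTIVE":
            continue  # ARCHIVED records are no longer open issues
        fields = f.get("ProductFields", {})
        label = fields.get("aws/securityhub/SeverityLabel", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 99) > SEVERITY_RANK[min_severity]:
            continue  # below the threshold (unknown labels are skipped too)
        rows.append({"id": f["Id"], "account": f["AwsAccountId"], "severity": label,
                     "attrs": inspector_attributes(fields)})
    return sorted(rows, key=lambda r: SEVERITY_RANK[r["severity"]])

def revoke_command(row, region="us-east-1", cidr="0.0.0.0/0"):
    """Build the page's revoke-security-group-ingress call; the CIDR is the page's 0.0.0.0/0 assumption."""
    a = row["attrs"]
    if a.get("REACHABILITY_TYPE") != "Internet" or "SECURITY_GROUP" not in a:
        return None  # not an Internet-reachability finding tied to a security group
    return ("aws ec2 revoke-security-group-ingress --region %s --group-id %s --protocol %s --port %s --cidr %s"
            % (region, a["SECURITY_GROUP"], a["PROTOCOL"].lower(), a["PORT"], cidr))
```

Before running the generated command, confirm against describe-security-groups that the rule's source really is 0.0.0.0/0, since an Inspector reachability finding only states that the port is reachable from the Internet, not which CIDR the rule uses.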

Publication date Dec 14, 2018