
AWS Security Hub Insights

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that AWS Security Hub insights are reviewed regularly in order to highlight emerging security issues and trends that have recently been introduced within your AWS cloud environment. For example, Security Hub insights can help you identify production EC2 instances that don't meet security standards and best practices, or S3 buckets with public read or write permissions. A Security Hub insight is a collection of related security findings, aggregated from Amazon GuardDuty, Amazon Inspector and Amazon Macie, and from partner (third-party) products. An insight identifies a security area inside your AWS cloud environment that requires attention and intervention. AWS Security Hub offers two types of insights: managed (preconfigured by AWS) and custom, which you create and configure yourself to track security issues that are unique to your environment.

Security

Security Hub insights are designed to quickly flag the AWS accounts and resources of most concern from a security standpoint. Checking your insights on a regular basis helps you keep up to date with the latest security issues found by Security Hub providers (native and third-party) within your AWS environment. With Security Hub insights you can identify IAM users that have shown suspicious activity lately, AWS resources that deviate from current security standards and best practices, AWS resources that were recently involved in potentially malicious behaviour, and so on.

Note 1: AWS Security Hub can only aggregate security findings that were generated after the service was enabled in your AWS account(s); insights say nothing about what happened before enablement.
Note 2: As an example, the Remediation section of this conformity rule shows how to analyze and resolve Security Hub findings, generated by Amazon Inspector, for an EC2 instance that accepts password authentication over SSH and whose SSH port is reachable from the Internet (0.0.0.0/0).


Audit

To review your AWS Security Hub insights, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Insights to access the Security Hub insights listing page.

04 Choose the Security Hub insight (managed or custom) that you want to examine and check the number of results shown for the selected insight:

Current 0

If the number of results is zero (i.e. 0 current results), no Security Hub provider has reported a finding that matches the selected insight. If the number of results displayed for the insight is other than zero, click on its title (link) to access the entry details.

05 On the selected insight page, click on the ARN (e.g. arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd) of the AWS resource associated with the Security Hub insight to access the security findings detected for that resource.

06 Once the security findings collected by the selected insight are listed, follow the steps outlined in the Remediation section of this conformity rule to evaluate each finding.

07 Repeat steps no. 4 – 6 to review other Amazon Security Hub insights available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run get-insights command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Security Hub insights available in the selected region:

aws securityhub get-insights \
	--region us-east-1 \
	--query 'Insights[*].InsightArn'

02 The command output should return an array with the requested insight ARNs:

[
"arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/custom/1234abcd-1234-abcd-1234-abcdabcdabcd",
"arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/custom/aabbccdd-1234-abcd-1234-aaaabbbbcccc"
]

03 Run get-insight-results command (OSX/Linux/UNIX) using the ARN of the insight that you want to examine (returned at the previous step) as the identifier, to describe the results for the selected AWS Security Hub insight:

aws securityhub get-insight-results \
	--region us-east-1 \
	--insight-arn arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/custom/1234abcd-1234-abcd-1234-abcdabcdabcd

04 The command output should return the insight results, grouped by the insight's GroupByAttribute (here ResourceId), including the ARN of each AWS resource associated with the selected insight and the number of matching findings (Count):

{
    "InsightResults": {
        "ResultValues": [
            {
                "Count": 47,
                "GroupByAttributeValue": "arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd"
            }
        ],
        "InsightArn": "arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/custom/1234abcd-1234-abcd-1234-abcdabcdabcd",
        "GroupByAttribute": "ResourceId"
    }
}

05 Define the JSON document required for the get-findings command filters, as shown in the example below, and save it in a file named insight-resource-id.json. Replace the ARN in the Value attribute with the ARN of the AWS resource associated with the selected Security Hub insight, returned at the previous step as the value of the "GroupByAttributeValue" attribute:

{
  "ResourceId": [
    {
      "Value": "arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd",
      "Comparison": "EQUALS"
    }
  ]
}

06 Run get-findings command (OSX/Linux/UNIX) with custom query filters to list the identifiers (ARNs) of the security findings detected for the AWS resource associated with the selected insight. Note that a ResourceId filter on its own returns every finding recorded for that resource, not only the ones matched by the insight; to reproduce the insight's Count exactly, combine the insight's own Filters (returned by get-insights) with the ResourceId filter:

aws securityhub get-findings \
	--region us-east-1 \
	--filters file://insight-resource-id.json \
	--query 'Findings[*].Id'

07 The command output should return an array with the requested ARNs:

[
    "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
    "arn:aws:inspector:us-east-1:123456789012:target/0-aabbccdd/template/0-1234abcd/run/0-abcdabcd/finding/0-aaaabbbb"
]

08 Once the ARNs of the security findings collected by the selected AWS Security Hub insight are listed, follow the steps presented in the Remediation section of this conformity rule to analyze each security finding.

09 Repeat steps no. 3 – 8 to review other Amazon Security Hub insights available in the selected region.

10 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.
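The three CLI steps above (get-insights, get-insight-results, get-findings) are easy to script once you need to do them for every insight in every region. The script below is an added example for this rule, not Conformity's or AWS's own code: it calls the same three Security Hub API operations through boto3 (assumed installed, with credentials holding securityhub:GetInsights, GetInsightResults and GetFindings), skips result groups whose Count is zero, and, unlike the ResourceId-only filter in step 05, merges the insight's own Filters into the get-findings request so the findings returned are exactly those the insight counted. The ConstructedClient class replays the sample JSON from this rule (finding titles, severities and remediation text are invented for the example) so the script also runs with no AWS access.

```python
"""Review every AWS Security Hub insight in a region and pull the findings behind
each non-empty result group (the get-insights / get-insight-results / get-findings
steps above, automated).  Added example for this rule, not Conformity's or AWS's
code.  Assumes boto3 and credentials with securityhub:GetInsights, GetInsightResults
and GetFindings.  ConstructedClient replays this rule's sample JSON offline."""
from __future__ import annotations

import json
import sys
from typing import Any, Callable, Iterator


def groups_needing_review(insight_results: dict[str, Any]) -> list[tuple[str, int]]:
    """Grouped values with a non-zero Count ('Current 0' in the console = nothing to review)."""
    values = insight_results.get("InsightResults", {}).get("ResultValues", [])
    return [(v["GroupByAttributeValue"], int(v["Count"])) for v in values if int(v["Count"]) > 0]


def insight_group_filters(insight: dict[str, Any], group_value: str) -> dict[str, Any]:
    """Narrow the insight's own Filters to one result group.  Filtering on
    ResourceId alone (as the CLI step does) returns every finding recorded for
    the resource; merging in the insight's Filters returns exactly the findings
    it counted.  GroupByAttribute values are AwsSecurityFindingFilters key names."""
    filters = dict(insight.get("Filters", {}))
    filters[insight["GroupByAttribute"]] = [{"Value": group_value, "Comparison": "EQUALS"}]
    return filters


def paginate(call: Callable[..., dict[str, Any]], key: str, **kwargs: Any) -> Iterator[dict[str, Any]]:
    """Follow NextToken until the service stops returning one."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def summarize(finding: dict[str, Any]) -> dict[str, Any]:
    """The fields a reviewer needs to triage a finding without the console."""
    return {"Id": finding["Id"], "Title": finding.get("Title", ""),
            "Severity": finding.get("Severity", {}).get("Normalized", 0),
            "Remediation": finding.get("Remediation", {}).get("Recommendation", {}).get("Text", "")}


def review_insights(client: Any) -> list[dict[str, Any]]:
    """One row per (insight, group, finding) that still needs attention."""
    rows: list[dict[str, Any]] = []
    for insight in paginate(client.get_insights, "Insights"):
        results = client.get_insight_results(InsightArn=insight["InsightArn"])
        for value, count in groups_needing_review(results):
            filters = insight_group_filters(insight, value)
            for finding in paginate(client.get_findings, "Findings", Filters=filters, MaxResults=100):
                rows.append({"Insight": insight["Name"], "Group": value, "GroupCount": count,
                             **summarize(finding)})
    return rows


class ConstructedClient:
    """Offline stand-in for boto3.client('securityhub'), constructed from this rule's
    sample output (titles, severities and remediation text invented for the example)."""
    INSIGHT_ARN = ("arn:aws:securityhub:us-east-1:123456789012:insight/123456789012/"
                   "custom/1234abcd-1234-abcd-1234-abcdabcdabcd")
    INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-01234abcd1234abcd"
    FINDINGS = [
        {"Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/"
               "run/0-aabbccdd/finding/0-abcdabcd", "Resources": [{"Id": INSTANCE_ARN}],
         "Title": "Instance allows password authentication over SSH", "Severity": {"Normalized": 70},
         "Remediation": {"Recommendation": {"Text": "Disable password authentication over SSH."}}},
        {"Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aabbccdd/template/0-1234abcd/"
               "run/0-abcdabcd/finding/0-aaaabbbb", "Resources": [{"Id": INSTANCE_ARN}],
         "Title": "TCP port 22 is reachable from the Internet", "Severity": {"Normalized": 50},
         "Remediation": {"Recommendation": {"Text": "Restrict SSH to trusted IP addresses."}}},
    ]

    def get_insights(self, **_: Any) -> dict[str, Any]:
        return {"Insights": [{"InsightArn": self.INSIGHT_ARN, "GroupByAttribute": "ResourceId",
                              "Name": "EC2 instances that allow password authentication on SSH",
                              "Filters": {"ProductName": [{"Value": "Inspector", "Comparison": "EQUALS"}]}}]}

    def get_insight_results(self, InsightArn: str) -> dict[str, Any]:
        return {"InsightResults": {"InsightArn": InsightArn, "GroupByAttribute": "ResourceId",
                "ResultValues": [{"GroupByAttributeValue": self.INSTANCE_ARN, "Count": 2},
                                 {"GroupByAttributeValue": self.INSTANCE_ARN[:-1] + "f", "Count": 0}]}}

    def get_findings(self, Filters: dict[str, Any], **_: Any) -> dict[str, Any]:
        # The real service applies every filter; this stand-in honours ResourceId only.
        wanted = {f["Value"] for f in Filters.get("ResourceId", [])}
        return {"Findings": [f for f in self.FINDINGS if any(r["Id"] in wanted for r in f["Resources"])]}


if __name__ == "__main__":
    if len(sys.argv) > 1:              # python review_insights.py us-east-1  -> live account
        import boto3                   # rerun per region, as the audit steps require
        client: Any = boto3.client("securityhub", region_name=sys.argv[1])
    else:
        client = ConstructedClient()
    print(json.dumps(review_insights(client), indent=2))
```

Run it with a region name to query a real account (one run per region, as in step 10), or with no arguments to see the output shape on the constructed data. The rows carry the finding's own Remediation text, which is what the Remediation section of this rule tells you to act on.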

Remediation / Resolution

To remediate related security findings available within an AWS Security Hub insight as described in the remediation recommendation provided by each finding, perform the following actions:

Note: As an example, this conformity rule describes how to remediate the security findings collected by a managed Security Hub insight named "EC2 instances that allow password authentication on SSH and SSH port and are open to the internet".

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Insights.

04 Choose the Amazon Security Hub insight that you want to open (see Audit section part I to identify the right security insight), then click on the insight title (link) to view its details.

05 On the insight page, copy the ID of the AWS resource (in this case an EC2 instance) associated with the Security Hub insight; the ID is the last part of the ARN listed within the Resource ID column.

06 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

07 In the navigation panel, under INSTANCES, click Instances.

08 Paste the EC2 instance ID copied at step no. 5 inside the Filter by tags and attributes or search by keyword box and press Enter.

09 Select the EC2 instance returned by the filter, then click the Connect button from the dashboard top menu to get the information required to connect to that instance via SSH.

10 Within the Connect To Your Instance dialog box, choose whether to use a standalone SSH client (such as PuTTY) or the Java SSH client available directly from your browser to connect to the selected EC2 instance and resolve the security finding reported by the Security Hub providers.

11 Once you have connected to your EC2 instance operating system via SSH, follow the instructions provided by the AWS Security Hub finding in the Remediation section, i.e. "We recommend that you disable password authentication over SSH on your EC2 instance and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information, see https://aws.amazon.com/articles/1233/. If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses".

Using AWS CLI

01 Copy the ID of the AWS resource (i.e. the EC2 instance) associated with the Security Hub insight; the ID is the last part of the ARN returned as the value of the "GroupByAttributeValue" attribute (see Audit section part II, step no. 4, to identify the right instance ID).

02 Run describe-instances command (OSX/Linux/UNIX) using the EC2 instance ID copied at the previous step to describe the configuration attributes of the EC2 instance targeted by the Security Hub insight findings:

aws ec2 describe-instances \
	--region us-east-1 \
	--instance-ids i-01234abcd1234abcd

03 The command output should return the requested EC2 instance configuration details, such as the instance Public/Elastic IP address, the SSH key pair name, the attached security groups, etc.:

{
    "Reservations": [
        {
            "OwnerId": "123456789012",
            "ReservationId": "r-a1234abcd1234abcd",
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": false,
                    "LaunchTime": "2018-12-10T05:08:56.000Z",
                    "PublicIpAddress": "10.0.0.1",
                    "PrivateIpAddress": "172.31.14.25",
                    "InstanceId": "i-01234abcd1234abcd",
                    "EnaSupport": true,
                    "PrivateDnsName": "ip-172-31-14-25.ec2.internal",

                    ...

                    "KeyName": "ssh-access-key",
                    "SecurityGroups": [
                        {
                            "GroupName": "cc-web-security-group",
                            "GroupId": "sg-12341234"
                        }
                    ],
                    "SubnetId": "subnet-abcdabcd",
                    "InstanceType": "c4.xlarge",
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1a"
                    },
                    "Hypervisor": "xen",
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "AmiLaunchIndex": 0
                }
            ]
        }
    ]
}

04 Use the instance configuration details returned at the previous step (public IP address and key pair name) with your preferred SSH client to connect to the selected EC2 instance and resolve the security finding collected within the selected AWS Security Hub insight.

05 Once you have connected to your EC2 instance through SSH, follow the instructions provided by the AWS Security Hub finding in the Remediation section, i.e. "We recommend that you disable password authentication over SSH on your EC2 instance and enable support for key-based authentication instead. This significantly reduces the likelihood of a successful brute-force attack. For more information, see https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/. If password authentication is supported, it is important to restrict access to the SSH server to trusted IP addresses".
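Both the console procedure (step 11) and the CLI procedure (step 05) end with "disable password authentication over SSH and enable key-based authentication", which on the instance means editing /etc/ssh/sshd_config. The script below is an added example of that edit, not Conformity's, AWS's or Amazon Inspector's code. It handles two details a quick sed append gets wrong: sshd honours the first occurrence of a directive, so the hardened values are inserted ahead of any existing (or commented-out) copies, and everything after the first Match line is conditional, so the block goes before it; Match blocks that re-enable passwords are left in place but reported. With --apply it backs up the file, validates the candidate with sshd -t before swapping it in, and reloads the service. The config path, the sshd unit name (it is ssh on Debian/Ubuntu) and the sample config are assumptions; the sample mimics a stock Amazon Linux file and is constructed, not taken from a real host.

```python
"""Carry out the SSH remediation quoted in the finding: key-based authentication
on, password authentication off.  Added example for this rule, not Conformity's,
AWS's or Amazon Inspector's code.  Edits sshd_config text the way an operator
would by hand; --apply validates with `sshd -t` before reloading.  Config path,
'sshd' unit name ('ssh' on Debian/Ubuntu) and SAMPLE_BEFORE are assumptions."""
from __future__ import annotations

import os
import re
import shutil
import subprocess
import sys

# Directives the finding asks for.  KbdInteractiveAuthentication is the newer name of
# ChallengeResponseAuthentication; set both so PAM cannot re-enable password prompts.
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "KbdInteractiveAuthentication": "no",
    "PubkeyAuthentication": "yes",
}
_LOWER = {k.lower(): k for k in HARDENED}              # sshd keywords are case-insensitive
_LINE = re.compile(r"^\s*(#?)\s*([A-Za-z]+)\s+(\S.*?)\s*$")


def _parse(line: str) -> tuple[bool, str, str] | None:
    m = _LINE.match(line)                               # (commented, keyword, value) or None
    return (m.group(1) == "#", m.group(2).lower(), m.group(3)) if m else None


def effective_global(text: str, directive: str) -> str | None:
    """Value sshd uses outside Match blocks: first live occurrence wins; None = built-in
    default (which for PasswordAuthentication is 'yes', i.e. the state the finding flags)."""
    for line in text.splitlines():
        p = _parse(line)
        if p is None or p[0]:
            continue
        if p[1] == "match":                             # everything after here is conditional
            break
        if p[1] == directive.lower():
            return p[2]
    return None


def harden_sshd_config(text: str) -> tuple[str, list[str]]:
    """Return (new text, warnings).  Drops every global occurrence of a HARDENED
    directive (commented or not) and inserts the block before the first Match line;
    Match blocks are kept but reported when they re-enable passwords."""
    keep: list[str] = []
    warnings: list[str] = []
    in_match, first_match = False, None
    for line in text.splitlines():
        p = _parse(line)
        if p and not p[0] and p[1] == "match":
            in_match = True
            first_match = len(keep) if first_match is None else first_match
        elif p and p[1] in _LOWER:
            if not in_match:
                continue                                # replaced by the block below
            if not p[0] and p[2].lower() != HARDENED[_LOWER[p[1]]]:
                warnings.append(line.strip())
        keep.append(line)
    block = ["# hardened per Security Hub finding: key-based authentication only"]
    block += [f"{k} {v}" for k, v in HARDENED.items()]
    at = len(keep) if first_match is None else first_match
    keep[at:at] = block
    return "\n".join(keep) + "\n", warnings


def apply_on_host(path: str = "/etc/ssh/sshd_config", unit: str = "sshd") -> list[str]:
    """Back up, write a sibling file, let sshd validate it, swap it in, reload.  Keep the
    current session open until a second, key-based login has succeeded."""
    with open(path) as fh:
        hardened, warnings = harden_sshd_config(fh.read())
    shutil.copy2(path, path + ".bak")
    candidate = path + ".new"
    with open(candidate, "w") as fh:
        fh.write(hardened)
    shutil.copymode(path, candidate)
    subprocess.run(["sshd", "-t", "-f", candidate], check=True)   # refuses a broken file
    os.replace(candidate, path)
    subprocess.run(["systemctl", "reload", unit], check=True)
    return warnings


# Constructed sample in the style of a stock Amazon Linux sshd_config, not a real host.
SAMPLE_BEFORE = """\
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Match User ec2-user
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    if "--apply" in sys.argv:                           # sudo python3 harden_sshd.py --apply
        for w in apply_on_host():
            print("WARNING: a Match block still allows passwords:", w)
    else:
        new_text, warns = harden_sshd_config(SAMPLE_BEFORE)
        print(new_text, "warnings:", warns, "effective:", effective_global(new_text, "PasswordAuthentication"))
```

Run it without arguments to preview the rewrite on the constructed sample; run it as root on the instance with --apply only after your public key is in the login user's authorized_keys, and leave the current SSH session open until a fresh key-based login works. The second half of the finding's recommendation, restricting the SSH port to trusted IP addresses, is a security group change made in the EC2 console or with the EC2 API, not in sshd_config.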

Publication date Dec 14, 2018