Ensure that AWS Security Hub insights are regularly reviewed in order to highlight emerging security issues and trends that has been introduced recently within your AWS cloud environment. For example, Security Hub insights can help you to identify production EC2 instances that don't meet security standards and best practices or S3 buckets with public read or write permissions. A Security Hub insight is a collection of related security findings, collected from Amazon GuardDuty, AWS Inspector and AWS Macie, and from partner tools. An insight identifies a security area inside your AWS cloud environment that requires attention and intervention. Amazon Security Hub offers two types of insights managed (preconfigured) and custom which you can create and configure to track security issues that are unique to your environment.
Security Hub insights are designed to quickly flag your AWS accounts and resources of most concern when it comes to security. Checking your security insights on a regular basis helps you keep up to date with the latest security vulnerabilities found by Security Hub providers (native and third-party) within your AWS environment. With Security Hub insights you can identify IAM users that had suspicious activity lately, AWS resources that deviated from current security standards and best practices, AWS resources that were recently involved in potential malicious behaviour and so on.
Note 1: AWS Security Hub can detect only the security findings that were generated after the service was enabled in your AWS account(s).
Note 2: As example, this conformity rule demonstrates how to analyze and solve a Security Hub findings detected by Amazon Inspector after evaluating an EC2 security group that has TCP port 21 (FTP), wide open (0.0.0.0/0) and reachable from the Internet.
Audit
To check your Amazon Security Hub insights for review purposes, perform the following actions:
Remediation / Resolution
To remediate related security findings available within an AWS Security Hub insight as described in the remediation recommendation provided by each finding, perform the following actions:
Note: As example, this conformity rule describes how to remediate the security findings collected by a managed Security Hub insight named "EC2 instances that allow password authentication on SSH and SSH port and are open to the internet".References
- AWS Documentation
- AWS Security Hub
- AWS Security Hub features
- AWS Security Hub FAQs
- What Is AWS Security Hub?
- AWS Security Hub Terminology and Concepts
- Insights in AWS Security Hub
- Managed Insights
- Custom Insights
- Findings Providers in AWS Security Hub
- Tips for Securing Your EC2 Instance
- AWS Command Line Interface (CLI) Documentation
- securityhub
- get-insights
- get-insight-results
- get-findings
- ec2
- describe-instances