
Security Hub Enabled

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityHub-002

Ensure that Amazon Security Hub is enabled and configured in order to improve your security posture within the AWS cloud. Security Hub is a regional service: enabling it in one AWS region does not enable it in the others, so this check must be repeated for every region you use. Security Hub gives you a single place to manage the security of your AWS accounts and workloads. When it is enabled, it collects, organizes, and prioritizes security findings from other security-oriented AWS services, such as intrusion detection findings from Amazon GuardDuty, vulnerability findings from Amazon Inspector, and sensitive data discovery findings from Amazon Macie, as well as findings from third-party partner security tools. Security Hub also generates its own findings by running continuous configuration checks against the controls of the security standards it supports, which are based on industry-accepted best practices such as the CIS AWS Foundations Benchmark. In addition, to eliminate the need for time-consuming data conversion, Security Hub can ingest your own security findings in a standard format, the AWS Security Finding Format (ASFF), and correlates the findings across all providers to prioritize the most important ones. The security findings can then be sent to a ticketing system such as Atlassian Jira, to an email address, or to an auto-remediation function provided by Trend Cloud One™ – Conformity.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Categories: Security, Cost optimisation

Amazon Security Hub checks your AWS cloud environment against current security best practices and industry standards, provides a consolidated view of your security status in one place, and lets you quickly assess your security posture across your AWS accounts.


Audit

To determine if Amazon Security Hub is enabled within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Security Hub console at https://console.aws.amazon.com/securityhub/.

03 If the console redirects you to the Get started with Security Hub landing page, the Amazon Security Hub service is not enabled within the current AWS region.

04 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run the describe-hub command (OSX/Linux/UNIX) to return the date and time at which the Security Hub service was enabled in the selected AWS region:

aws securityhub describe-hub \
  --region us-east-1 \
  --query 'SubscribedAt'

02 The command output should return the Security Hub subscription date or an error message if the security service is not enabled:

An error occurred (InvalidAccessException) when calling the DescribeHub operation: Account 123456789012 is not subscribed to AWS Security Hub

If the describe-hub command returns an "InvalidAccessException" error message such as the one listed above, the Amazon Security Hub service is not enabled in the selected AWS region. An "AccessDeniedException", by contrast, means that the calling IAM identity lacks the securityhub:DescribeHub permission and says nothing about whether the service is enabled; fix the permissions and repeat the check.

03 Change the AWS region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To enable Amazon Security Hub, the following requirements must be met:
1) AWS Config must be enabled and recording resources in each AWS region where you enable Security Hub. Security Hub itself can be turned on without it, but the controls of the security standards rely on AWS Config rules and produce no findings until a configuration recorder is running in that region, and
2) the IAM identity that enables and configures Security Hub must be allowed to call securityhub:EnableSecurityHub and to create the service-linked role AWSServiceRoleForSecurityHub; attaching the AWS managed policy named "AWSSecurityHubFullAccess" grants both. To enable the security service in your AWS cloud account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Security Hub console at https://console.aws.amazon.com/securityhub/.

03 Choose Go to Security Hub under Get started with Security Hub.

04 On the Enable AWS Security Hub setup page, select the security standards that you want to use for the current AWS account, then choose Enable Security Hub to enable the security service. A security standard, such as CIS AWS Foundations Benchmark, is a predefined collection of rules based on the AWS cloud and industry best practices. Once Amazon Security Hub is enabled, the service immediately begins to run continuous and automated checks on your AWS environment's resources against the rules included in the enabled standards. Security Hub generates findings based on the results of the checks defined within the enabled standards.

05 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run the enable-security-hub command (OSX/Linux/UNIX) to enable Amazon Security Hub for the requesting AWS account in the selected region. Include the --enable-default-standards parameter to also enable the default security standards, i.e. the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards; if you want to pick the standards yourself, use --no-enable-default-standards instead and subscribe to them afterwards with the batch-enable-standards command. On success the command produces no output:

aws securityhub enable-security-hub \
  --region us-east-1 \
  --enable-default-standards

02 Change the AWS region by updating the --region command parameter value and repeat the Remediation process for other regions.
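Both CLI procedures above, the per-region Audit with describe-hub and the per-region Remediation with enable-security-hub, can be driven from one script instead of changing --region by hand. The script below is an added example written for this page; it is not part of Conformity or of the AWS CLI. It assumes AWS CLI v2 with credentials that allow ec2:DescribeRegions, securityhub:DescribeHub, securityhub:EnableSecurityHub and config:DescribeConfigurationRecorderStatus; the --scan and --enable flags, the function names and the status words (ENABLED, NOT_ENABLED, ACCESS_DENIED, ERROR) are this example's own. It classifies the describe-hub result for each enabled region from the exit code and the error text (the "not subscribed" InvalidAccessException shown in the Audit section means the service is off, whereas an AccessDeniedException means the caller lacks permission and is reported separately rather than mistaken for "not enabled"), and in --enable mode it enables Security Hub with the default standards only in regions where AWS Config is already recording, because the standards' controls depend on AWS Config:

```shell
#!/bin/sh
# Added example for this page (not Conformity's tooling): audit every enabled AWS
# region for Security Hub and, with --enable, turn it on with the default standards
# wherever it is missing, but only where an AWS Config recorder is running, because
# the standards' controls depend on AWS Config and produce no findings without it.
#
# Assumptions not stated on the page: AWS CLI v2 with credentials allowing
# ec2:DescribeRegions, securityhub:DescribeHub, securityhub:EnableSecurityHub and
# config:DescribeConfigurationRecorderStatus. The --scan/--enable flags and every
# function name below are this example's own.

# classify_describe_hub RC OUTPUT
# Turns the exit code and combined stdout/stderr of
#   aws securityhub describe-hub --query SubscribedAt --output text
# into one status line: ENABLED <timestamp> | NOT_ENABLED | ACCESS_DENIED | ERROR <detail>
classify_describe_hub() {
  rc=$1
  out=$2
  if [ "$rc" -eq 0 ]; then
    printf 'ENABLED %s\n' "$out"
    return 0
  fi
  case "$out" in
    *InvalidAccessException*"not subscribed"*) echo NOT_ENABLED ;;   # the page's own "not subscribed" error: service is off
    *AccessDeniedException*)                   echo ACCESS_DENIED ;; # missing IAM permission, not a disabled service
    *) printf 'ERROR %s\n' "$(printf '%s\n' "$out" | head -n 1)" ;;  # throttling, unreachable endpoint, ...: report, do not guess
  esac
}

# decide_action STATUS CONFIG_RECORDING(1|0) -> keep | enable | blocked | fail
decide_action() {
  case "$1" in
    ENABLED*)    echo keep ;;
    NOT_ENABLED) if [ "$2" -eq 1 ]; then echo enable; else echo blocked; fi ;;
    *)           echo fail ;;
  esac
}

# describe_hub REGION -> status line for that region
describe_hub() {
  if out=$(aws securityhub describe-hub --region "$1" \
             --query SubscribedAt --output text 2>&1); then
    classify_describe_hub 0 "$out"
  else
    classify_describe_hub $? "$out"
  fi
}

# config_recording REGION -> 1 if at least one AWS Config recorder is recording, else 0
config_recording() {
  n=$(aws configservice describe-configuration-recorder-status --region "$1" \
        --query 'length(ConfigurationRecordersStatus[?recording])' \
        --output text 2>/dev/null) || n=0
  if [ "${n:-0}" -gt 0 ] 2>/dev/null; then echo 1; else echo 0; fi
}

# run scan|enable: one line per region; exit status is non-zero if any region is not "keep"
run() {
  mode=$1
  problems=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    status=$(describe_hub "$region")
    action=$(decide_action "$status" "$(config_recording "$region")")
    printf '%-16s %-8s %s\n' "$region" "$action" "$status"
    if [ "$mode" = enable ] && [ "$action" = enable ]; then
      # Same call as the page's remediation step; it prints nothing on success.
      aws securityhub enable-security-hub --region "$region" --enable-default-standards
    fi
    [ "$action" = keep ] || problems=$((problems + 1))
  done
  [ "$problems" -eq 0 ]
}

case "${1:-}" in
  --scan)   run scan ;;
  --enable) run enable ;;
esac
```

Run the script with --scan to audit (the exit status is non-zero if any region is not reported as keep) and with --enable to remediate. Regions reported as blocked have no AWS Config recorder running and need one before Security Hub's standards can produce findings there; regions reported as fail need the underlying error (most often missing permissions) fixed before the result can be trusted.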

Publication date Sep 23, 2022