AWS Security Hub is a great way to gather findings from several AWS services as well as from security partners like Sophos, Barracuda or Splunk. It brings fresh air to the AWS strategy for protecting your data against hackers.
If you look at the current AWS security services, you would think they work on their own and not as a team. Even more so if you come from Azure, where Security Center and Sentinel combine their capabilities very clearly.
In the case of AWS, you have to figure out how to set up the right approach, leveraging at least the potential of three AWS security services to ingest data into Security Hub:
- AWS GuardDuty (you will likely use AWS Detective together with it)
- AWS Macie
- AWS Identity and Access Management
You could even include AWS Firewall Manager. Anyway, to show a first approach to connecting each service with Security Hub, I've drawn what I think sums up how they can interact together to move in the right direction.
AWS Security Hub receives a lot of information from several AWS services and provides specific dashboards in a very easy-to-use and comprehensive console, so your blue team can execute the right strategy to prevent and react to incidents or strange user behaviours.
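As an added illustration (not code from this post or from AWS), here is how findings from GuardDuty, Macie and IAM Access Analyzer look once Security Hub has normalised them into its common finding format, and how a blue team might triage them together instead of service by service; the findings, account ID and resource names below are constructed samples.

```python
from collections import defaultdict

SEVERITY_ORDER = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample findings in Security Hub's ASFF layout (not real findings): one each
# from GuardDuty, Macie and IAM Access Analyzer, plus one GuardDuty finding already closed.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty",
     "Severity": {"Label": "HIGH"}, "Title": "Unusual console login",
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111122223333:user/alice"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-2", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/macie",
     "Severity": {"Label": "MEDIUM"}, "Title": "PII found in S3 object",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-data"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-3", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/access-analyzer",
     "Severity": {"Label": "HIGH"}, "Title": "Bucket shared with an external account",
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-data"}],
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE"},
    {"Id": "f-4", "ProductArn": "arn:aws:securityhub:eu-west-1::product/aws/guardduty",
     "Severity": {"Label": "LOW"}, "Title": "Port probe on unprotected port",
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}],
     "Workflow": {"Status": "RESOLVED"}, "RecordState": "ARCHIVED"},
]

def product_name(finding):
    """'arn:aws:securityhub:<region>::product/aws/guardduty' -> 'guardduty'."""
    return finding["ProductArn"].rsplit("/", 1)[-1]

def actionable(findings, min_label="HIGH"):
    """Findings the blue team still has to work: active, not yet handled, at or above min_label."""
    floor = SEVERITY_ORDER[min_label]
    return [f for f in findings
            if f["RecordState"] == "ACTIVE" and f["Workflow"]["Status"] == "NEW"
            and SEVERITY_ORDER[f["Severity"]["Label"]] >= floor]

def correlate_by_resource(findings):
    """Resources flagged by more than one service, e.g. Macie (PII present) and Access
    Analyzer (external access) on the same bucket: the view no single service gives you."""
    groups = defaultdict(list)
    for f in findings:
        if f["RecordState"] != "ACTIVE":
            continue
        for r in f["Resources"]:
            groups[r["Id"]].append(product_name(f))
    return {rid: sorted(p) for rid, p in groups.items() if len(p) > 1}
```

The same filters map directly onto Security Hub's console filters (record state, workflow status, severity label), so the triage view above is what a dashboard would show once all three services feed the hub.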
Don't struggle with so many AWS security services and names. It's easier than you expect: Cognito, AWS Shield, Amazon Inspector and others are only used in specific scenarios.
So, based on the scenario above, we are going to dive into the different tools and how they feed data to Security Hub. Let's start:
GuardDuty. It's a threat detection service that you can enable when needed; it monitors malicious or unauthorized behaviour by users or roles, for example unusual or failed API calls, unauthorized script or JSON deployments, or suspicious traffic to or from a virtual machine.
It takes its data from DNS logs, VPC Flow Logs and CloudTrail, which records user and role logins, diagnostic logs, etc. across your AWS accounts. Note that GuardDuty doesn't retain your logs: it just reads them, identifies findings and discards them. It works in the backend, so there is no performance impact. Finally, AWS has added a new source of information, threat intelligence feeds from AWS and partners, which makes the service even more powerful and flexible.
AWS Macie. It uses machine learning to discover, classify and protect the data you have at rest in thousands of S3 folders, so you can understand what data you have and how your users and roles are accessing it.
It works by raising alerts on critical information that is not protected or is somehow exposed to the bad guys, and it combines CloudTrail information to see whether someone is trying to exploit the hole or vulnerability.
AWS IAM Access Analyzer. First, for those with no AWS experience, let's understand what IAM is. AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. With that introduction done, it's time to focus on this service.
IAM Access Analyzer is based on zones of trust. When we enable Access Analyzer, we can create an analyzer for all our AWS accounts or for just one account. The AWS organization or AWS account we choose is therefore known as the zone of trust for the analyzer.
Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust. After the first analysis, it re-analyzes these policies from time to time, and if a policy is added or modified it analyzes the new or updated policy within about 30 minutes. If it finds an external entity, such as another AWS account belonging to another company, an AWS role or service, or even a federated user, it generates a finding with details such as the permissions granted and the possible risk of data compromise. You can fix the security hole, and if you want to confirm that the change you made to a policy resolves the access issue reported in a finding, you can rescan the resource reported in the finding using the Rescan link, so you are sure the issue is solved.
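To make the zone-of-trust idea concrete, here is an added example (my own illustration, not Access Analyzer's code or its reasoning engine) that scans a constructed S3 bucket policy for Allow statements whose principal sits outside a placeholder trusted account; re-running it after removing the offending statement plays the role of the Rescan link.

```python
ZONE_OF_TRUST = "111122223333"  # placeholder account ID: the analyzer's zone of trust

# Constructed sample bucket policy (not from the post): one statement scoped to the
# trusted account and one that grants a principal in another account the same access.
SAMPLE_POLICY = {
    "Statement": [
        {"Sid": "InternalRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def _principals(stmt):
    """Principal element as a list of AWS principal strings ('*' means anyone)."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return vals if isinstance(vals, list) else [vals]

def _account_of(principal):
    """Account ID behind a principal: '*' and bare IDs pass through, ARNs are parsed."""
    if principal == "*" or principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal

def external_access_findings(policy, zone_of_trust):
    """One finding per Allow statement whose principal lies outside the zone of trust.
    Simplified model of what Access Analyzer reports; it ignores Condition blocks and
    service or federated principals, which the real service also evaluates."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for principal in _principals(stmt):
            acct = _account_of(principal)
            if acct != zone_of_trust:
                findings.append({"statement": stmt.get("Sid"), "principal": principal,
                                 "is_public": acct == "*", "actions": actions})
    return findings
```

A statement with `"Principal": "*"` is reported with `is_public` set, which is the case Access Analyzer ranks as public access rather than merely cross-account access.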
To recap, Amazon GuardDuty, AWS Macie and IAM Access Analyzer are the pillars of the data and KPIs ingested into AWS Security Hub. AWS Firewall Manager, AWS Detective or CloudWatch can, in some cases, add more value to the dashboards showing the security posture of your AWS organization or AWS account.
In the next post, now that you understand these AWS security services well, we'll explain how Security Hub works and why it's a big change in how to maintain security posture and compliance the way it should be done.
NOTE: From my point of view, Amazon Directory Services should be explained separately from the rest, as it relates to user authentication and authorisation in Microsoft environments.
Moreover, AWS engineers tend to include those tools in the AWS Security webinars, and for me that makes the AWS security posture more confusing for those who are just starting with the AWS cloud.
Enjoy the journey to the cloud with me... see you soon.