AWS Security Hub (I). The orchestra conductor that protects your IT solutions in the cloud

AWS Security Hub is a great way to gather findings from several AWS services as well as from security partners such as Sophos, Barracuda or Splunk. It brings fresh air to the AWS strategy for protecting your data against attackers.

If you look at the current AWS security services you might think they work on their own rather than as a team, even more so if you come from Azure, where Security Center and Sentinel combine their capabilities very clearly.

In the case of AWS, you have to work out the right approach yourself, leveraging at least three AWS security services to ingest data into Security Hub:

  • Amazon GuardDuty (likely together with Amazon Detective)
  • Amazon Macie
  • AWS IAM Access Analyzer (part of AWS Identity and Access Management)

You could even include AWS Firewall Manager. Anyway, to show a first approach to connecting each service with Security Hub, I have drawn what I think sums up how they can interact to move in the right direction.

AWS Security Hub as the key piece of our puzzle

AWS Security Hub receives information from several AWS services and provides specific dashboards in a console that is comprehensive and easy to use, so your blue team can execute the right strategy to prevent incidents and react to them, or to unusual user behaviour.

Don't struggle with so many AWS security services and names; it is easier than you expect. Cognito, AWS Shield, Amazon Inspector and others are only used in specific scenarios.

So, based on the scenario above, let's dive into the different tools and how they feed data to Security Hub. Let's start:

GuardDuty. A threat detection service that you enable when needed and that monitors for malicious or unauthorized behaviour by users or roles: for example, unusual or failed API calls, unauthorized deployments, or suspicious traffic to or from an EC2 instance.

It takes its data from DNS logs, VPC Flow Logs and CloudTrail, which records the API calls and console sign-ins of users and roles across your AWS accounts. Note that GuardDuty does not retain your logs: it reads them, identifies findings and discards them. It runs as a managed service on the AWS side, so there is nothing to install and no performance impact on your workloads. Finally, AWS adds another source of information, threat intelligence feeds from AWS and its partners, which makes the service even more powerful and flexible.

Amazon Macie. It uses machine learning and pattern matching to discover, classify and protect the data you have at rest in thousands of S3 buckets, so you can understand what data you have and how your users and roles are accessing it.

It raises alerts on critical information that is unprotected or somehow exposed to the bad guys, and it combines this with CloudTrail information to see whether someone is trying to exploit the hole.

AWS IAM Access Analyzer. First, for those with no AWS experience, what is IAM? AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. With that introduction done, let's focus on the service.

IAM Access Analyzer is based on zones of trust. When we enable Access Analyzer, we can create an analyzer for our whole AWS organization or for just one account; the organization or account we choose is known as the zone of trust for that analyzer.

Once enabled, Access Analyzer analyzes the policies applied to all supported resources in your zone of trust. After the first analysis it rescans these policies periodically, and if a policy is added or modified it analyzes the new or updated policy within about 30 minutes. If it finds that an external entity, such as another AWS account belonging to another company, an AWS role or service, or even a federated user, can access a resource, it generates a finding with details such as the permissions granted and the risk of data compromise. You can then fix the hole and, to confirm that the change you made to a policy resolves the access reported in a finding, rescan the resource from the finding using the Rescan link. That way you are sure you solved the issue.
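To make the zone-of-trust idea concrete, here is an added example (my own code, not part of the original post and not AWS's implementation) that does for one S3 bucket policy what Access Analyzer does for supported resources: it lists every Allow statement whose principal sits outside the zone of trust, first for an organization analyzer and then for a single-account one. The account IDs, organization ID and bucket policy are constructed for the example, and only two condition keys (aws:PrincipalOrgID and aws:PrincipalAccount) are evaluated; the real service understands many more. The OrgOnly statement is the "fixed" version of PublicRead, so running the function again after such an edit plays the role of the Rescan link.

```python
"""Which statements in a resource policy grant access outside a zone of trust?

A simplified version of the external-access check IAM Access Analyzer performs.
Zones of trust, account IDs and the bucket policy are constructed examples.
"""

# Constructed zones of trust: an organization analyzer and a single-account one.
ORG_ZONE = {"org_id": "o-exampleorgid", "accounts": {"111122223333", "222233334444"}}
ACCOUNT_ZONE = {"accounts": {"111122223333"}}

# Constructed bucket policy mixing trusted, external and public grants.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "OrgMember", "Effect": "Allow",
         "Principal": {"AWS": "222233334444"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/PartnerIngest"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",   # PublicRead, fixed
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account ID of an 'AWS' principal given as a bare ID or an ARN; None otherwise."""
    if principal.startswith("arn:"):
        account = principal.split(":")[4]   # arn:partition:service:region:ACCOUNT:resource
        return account or None
    if len(principal) == 12 and principal.isdigit():
        return principal
    return None


def _pinned_to_zone(statement, zone):
    """True if a StringEquals condition restricts the grant to the zone of trust."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    if zone.get("org_id") and equals.get("aws:PrincipalOrgID") == zone["org_id"]:
        return True
    return equals.get("aws:PrincipalAccount") in zone["accounts"]


def external_access(policy, zone):
    """One finding per Allow statement whose principal lies outside the zone of trust."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or _pinned_to_zone(stmt, zone):
            continue
        principal = stmt.get("Principal", {})
        pairs = [("AWS", "*")] if principal == "*" else [
            (kind, v) for kind, vals in principal.items() for v in _as_list(vals)]
        for kind, value in pairs:
            if kind == "AWS" and principal_account(value) in zone["accounts"]:
                continue   # inside the zone of trust: not a finding
            findings.append({
                "sid": stmt.get("Sid"),
                "principal": f"{kind}:{value}",
                # Public = anonymous access with no condition narrowing the caller.
                "is_public": value == "*" and "Condition" not in stmt,
                "actions": _as_list(stmt.get("Action", [])),
            })
    return findings


def finding_sids(policy, zone):
    return [f["sid"] for f in external_access(policy, zone)]


if __name__ == "__main__":
    for name, zone in (("organization", ORG_ZONE), ("single account", ACCOUNT_ZONE)):
        print(f"zone of trust = {name}")
        for f in external_access(BUCKET_POLICY, zone):
            print(f"  {f['sid']}: {f['principal']} public={f['is_public']} actions={f['actions']}")
```

With the organization as the zone of trust only PartnerAccount and PublicRead are findings; with the single account as the zone, OrgMember and OrgOnly become findings too, because another account in the same organization is still outside that zone.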

To recap, Amazon GuardDuty, Amazon Macie and IAM Access Analyzer are the pillars of the data and KPIs ingested into AWS Security Hub. AWS Firewall Manager, Amazon Detective or CloudWatch can in some cases add more value to the dashboards that show the security posture of your AWS organization or account.
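What "ingested into Security Hub" means in practice is that every finding ends up in ASFF, the AWS Security Finding Format, whether the AWS integration does the conversion or you import findings yourself with BatchImportFindings. The following is an added example of my own (not code from the original post or from AWS) that converts a constructed GuardDuty finding and a constructed Access Analyzer finding into ASFF and checks the fields Security Hub requires. The sample findings follow the shape of each service's own finding JSON but are made up; the ASFF Types namespaces and the severity mapping for Access Analyzer findings (public access HIGH, other external access MEDIUM) are choices made for this example, and the boto3 call that would send the result is described but not executed, so the code runs offline.

```python
"""Turn a GuardDuty finding and an IAM Access Analyzer finding into ASFF,
the format Security Hub ingests. With boto3 the result would be sent with
securityhub.batch_import_findings(Findings=[...]); that call is not made here.
Sample findings are constructed for this example."""

ASFF_SCHEMA_VERSION = "2018-10-08"
REQUIRED_ASFF_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)
ASFF_RESOURCE_TYPES = {"Instance": "AwsEc2Instance", "AccessKey": "AwsIamAccessKey"}

# Constructed GuardDuty finding (shape of `aws guardduty get-findings` output).
SAMPLE_GUARDDUTY = {
    "id": "e4b1a5c2d3f4e5a6b7c8d9e0f1a2b3c4",
    "accountId": "111122223333",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 5.0,
    "title": "i-0abc123def456789a is being probed for SSH brute force.",
    "description": "EC2 instance is receiving SSH brute force attempts from 198.51.100.7.",
    "createdAt": "2024-03-01T10:15:00.000Z",
    "updatedAt": "2024-03-01T10:45:00.000Z",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0abc123def456789a"}},
}

# Constructed Access Analyzer finding (shape of `aws accessanalyzer list-findings`).
SAMPLE_ACCESS_ANALYZER = {
    "id": "3f2d1c0b-aaaa-bbbb-cccc-123456789012",
    "resource": "arn:aws:s3:::example-data",
    "resourceType": "AWS::S3::Bucket",
    "resourceOwnerAccount": "111122223333",
    "isPublic": True,
    "principal": {},            # empty principal block = anonymous access
    "action": ["s3:GetObject"],
    "status": "ACTIVE",
    "createdAt": "2024-03-01T09:00:00Z",
    "analyzedAt": "2024-03-01T11:00:00Z",
}


def severity_label(normalized):
    """ASFF label for a 0-100 normalized score (ranges from the ASFF spec)."""
    if normalized == 0:
        return "INFORMATIONAL"
    if normalized <= 39:
        return "LOW"
    if normalized <= 69:
        return "MEDIUM"
    if normalized <= 89:
        return "HIGH"
    return "CRITICAL"


def default_product_arn(region, account_id):
    """The 'default' product ARN every account may use to import its own findings."""
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"


def _base(region, account_id, finding_id, generator, created, updated):
    return {"SchemaVersion": ASFF_SCHEMA_VERSION, "Id": finding_id,
            "ProductArn": default_product_arn(region, account_id),
            "GeneratorId": generator, "AwsAccountId": account_id,
            "CreatedAt": created, "UpdatedAt": updated}


def guardduty_to_asff(finding, region):
    # GuardDuty severity runs 1.0-8.9 (9.0+ for critical types); x10 gives the 0-100 scale.
    normalized = min(100, round(finding["severity"] * 10))
    res = finding["resource"]
    rtype = res["resourceType"]
    rid = (res["instanceDetails"]["instanceId"] if rtype == "Instance"
           else res.get("accessKeyDetails", {}).get("principalId", "unknown"))
    asff = _base(region, finding["accountId"], f"guardduty/{region}/{finding['id']}",
                 finding["type"], finding["createdAt"], finding["updatedAt"])
    asff.update({
        "Types": ["TTPs/" + finding["type"]],   # namespace chosen for this example
        "Severity": {"Normalized": normalized, "Label": severity_label(normalized),
                     "Original": str(finding["severity"])},
        "Title": finding["title"], "Description": finding["description"],
        "Resources": [{"Type": ASFF_RESOURCE_TYPES.get(rtype, "Other"), "Id": rid, "Region": region}],
    })
    return asff


def access_analyzer_to_asff(finding, region):
    # Severity policy chosen for this example: public 70 (HIGH), other external access 40 (MEDIUM).
    normalized = 70 if finding.get("isPublic") else 40
    who = ", ".join(f"{k}={v}" for k, v in finding.get("principal", {}).items()) or "anonymous (public)"
    asff = _base(region, finding["resourceOwnerAccount"], f"access-analyzer/{finding['id']}",
                 "access-analyzer/external-access", finding["createdAt"], finding["analyzedAt"])
    asff.update({
        "Types": ["Effects/Data Exposure"],
        "Severity": {"Normalized": normalized, "Label": severity_label(normalized),
                     "Original": "public" if finding.get("isPublic") else "external"},
        "Title": f"{finding['resourceType']} {finding['resource']} allows external access",
        "Description": f"Principal {who} may call {', '.join(finding['action'])}.",
        "Resources": [{"Type": "AwsS3Bucket" if finding["resourceType"] == "AWS::S3::Bucket" else "Other",
                       "Id": finding["resource"], "Region": region}],
    })
    return asff


def missing_asff_fields(asff):
    """Required fields BatchImportFindings would reject the finding for lacking."""
    return [f for f in REQUIRED_ASFF_FIELDS if f not in asff]
```

The GuardDuty severity of 5.0 becomes Normalized 50 and the label MEDIUM, which is the same scale Security Hub shows in its console; checking the required fields before calling BatchImportFindings saves you from the per-finding errors the API returns in FailedFindings.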

In the next post, now that you understand these AWS security services, we will explain how Security Hub works and why it is a big change in how to maintain security posture and compliance the way it should be done.

NOTE: From my point of view, AWS Directory Service should be explained separately from the rest, as it relates to user authentication and authorisation in Microsoft environments.

Moreover, AWS engineers tend to include those tools in the AWS security webinars and, for me, that makes the AWS security posture more confusing for those who are just starting with the AWS cloud.

Enjoy the journey to the cloud with me…see you soon.


Understanding how to address issues and incidents is not easy peasy, neither in an on-premises IT infrastructure nor in the cloud. AWS has a clear roadmap to prioritize what is important and what is less so.

As with any technology in the cloud, there are native tools to use and leverage to protect, monitor and reduce the exposure and vulnerabilities of your IT services, plus some quite powerful third-party security solutions that integrate well with each cloud workload.

AWS security areas and tools provided to achieve the security posture

But before all of that, let's start with the foundations of security posture.

AWS considers that there is a shared responsibility model between customers and the cloud. Maybe you know it already, but for those who think the cloud-native security solutions and the cloud provider will do all the work end to end, full stack, we need to clarify this point.

AWS is responsible for the security of its foundation services and global infrastructure (security of the cloud). Customers are responsible for everything related to their workloads and IT solutions in the cloud, as well as for the business logic and processes deployed in AWS data centers (security in the cloud).

Security should evolve in parallel with your landing zone in the cloud. Many companies struggle in this area, trying to reduce their exposure to attackers only after real-time services are already deployed.

Added to this, the security pillar of the AWS Well-Architected Framework sets out seven design principles to follow, summarised here:

Least privilege. Reduce as much as possible the permissions and credentials that each IT service you deploy on AWS uses.
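The principle is easier to apply with a concrete before and after. Below is an added example of my own (not code from the original post or from AWS) that puts a typical over-broad identity policy beside a scoped-down version of it and lints both for the patterns that break least privilege: wildcard actions, Resource "*" with no condition, NotAction/NotResource, and escalation-prone actions such as iam:PassRole granted on every resource. The policies, bucket name, role name and account ID are constructed; the escalation list is a short illustrative set, not an exhaustive one.

```python
"""Lint an IAM identity policy for grants that violate least privilege.
The two policies below are constructed: the same workload, broad and scoped."""

# Constructed: what a hurried deployment often ships.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed: only what the workload actually needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectRW", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads-example/uploads/*"},
        {"Sid": "ListPrefix", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-uploads-example",
         "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}},
        {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/app-uploads-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}

# Actions that hand out more power than they look like (illustrative, not exhaustive).
ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion",
                      "iam:AttachUserPolicy", "sts:AssumeRole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (Sid, reason) pairs for Allow statements broader than they should be."""
    issues = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                issues.append((sid, f"full-service wildcard action {action!r}"))
            elif "*" in action:
                issues.append((sid, f"partial wildcard action {action!r}"))
        if "*" in resources:
            if "Condition" not in stmt:
                issues.append((sid, "Resource '*' with no Condition"))
            for action in actions:
                if action in ESCALATION_ACTIONS:
                    issues.append((sid, f"{action} on every resource enables privilege escalation"))
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append((sid, "NotAction/NotResource grants everything not listed"))
    return issues


def is_least_privilege(policy):
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", lint_policy(policy) or "no issues")
```

The broad policy yields four issues, two of them for the PassRole statement, which is the classic escalation path: a principal that can pass any role to a service can run code under a more privileged role than its own. The scoped policy names the bucket, the prefix, the single role and the service it may be passed to, and yields none.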

Monitor and troubleshoot your logs and metrics. Collect the logs and critical metrics from your IT services with AWS native tools or tools from other vendors, and design and configure alerts and notifications so you can react to security issues in time.

Secure all layers. From storage and networking to the applications. To achieve the right security level you need to build a security posture layer by layer: for example, protecting stored data at rest and in transit, filtering network traffic from origin to destination, or deciding how to authorize an API to get information from your applications are all part of your global full-stack hardening strategy. To achieve that, combine the right AWS services.

Automate as much as possible. Standardizing blueprints for your infrastructure with IaC is part of this goal, as is automating repetitive tasks such as access to applications or databases (remember a previous post about this). Beware of automation silos and workarounds: it should be a holistic approach across your hybrid cloud model or public cloud scenario.

Protect data in transit and at rest. This is part of the secure-all-layers principle, but AWS finds it so crucial that it calls it out separately. To achieve this goal you first need to identify, classify and tag the relevant data in the most suitable way.

Security events as a solid pillar. To react to an attack and provide real reliability you need to design a repository that gathers logs and metadata. Collect the events, prepare a tracking strategy and define granular alarms.

Reduce the attack surface. If you have the right guardrails and the right desired-state configuration based on automation, and an approach that combines native AWS security tools layer by layer with third-party providers, you can minimize attacks and be ready to react.

So what kind of native security tools can I use to follow those principles?

We can use tools such as Amazon GuardDuty to detect threats, CloudWatch Events (now Amazon EventBridge) to monitor and track your logs, and Security Hub to consolidate security automation and compliance with regulations. Even Amazon Macie to review the protection of your data at rest, or AWS Control Tower when starting your journey to the AWS cloud.
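The "granular alarms" from the security-events principle and the CloudWatch Events / EventBridge tool mentioned here meet in one place: an EventBridge rule whose event pattern selects the Security Hub findings worth waking someone up for. Below is an added example of my own (not code from the original post or from AWS) with such a pattern, matching only new, active HIGH and CRITICAL findings, plus a small matcher that implements the subset of EventBridge pattern semantics the rule uses (exact values, numeric and prefix matchers, arrays matched per field), so the pattern can be tested offline against a constructed "Security Hub Findings - Imported" event before it is deployed. The event envelope, findings and account ID are constructed.

```python
"""An EventBridge rule pattern for HIGH/CRITICAL Security Hub findings, with an
offline matcher for the pattern semantics it relies on. Event data is constructed."""

# Pattern you would put in the EventBridge rule. Each leaf is a list of accepted
# values; an array in the event matches when any of its elements matches.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}


def _finding(title, label, status="NEW"):
    """Constructed ASFF finding with just the fields the pattern looks at."""
    normalized = {"LOW": 10, "MEDIUM": 40, "HIGH": 70, "CRITICAL": 90}[label]
    return {"Title": title, "Severity": {"Label": label, "Normalized": normalized},
            "Workflow": {"Status": status}, "RecordState": "ACTIVE"}


def security_hub_event(findings):
    """Constructed envelope of a 'Security Hub Findings - Imported' event."""
    return {"version": "0", "source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "account": "111122223333", "region": "eu-west-1",
            "resources": ["arn:aws:securityhub:eu-west-1::product/aws/guardduty"],
            "detail": {"findings": findings}}


def _flatten_event(value, path=()):
    """Map each leaf path to the list of values found there (arrays expanded)."""
    leaves = {}
    if isinstance(value, dict):
        for key, child in value.items():
            for p, vals in _flatten_event(child, path + (key,)).items():
                leaves.setdefault(p, []).extend(vals)
    elif isinstance(value, list):
        for item in value:
            for p, vals in _flatten_event(item, path).items():
                leaves.setdefault(p, []).extend(vals)
    else:
        leaves[path] = [value]
    return leaves


def _flatten_pattern(pattern, path=()):
    leaves = {}
    for key, child in pattern.items():
        if isinstance(child, dict):
            leaves.update(_flatten_pattern(child, path + (key,)))
        else:
            leaves[path + (key,)] = child
    return leaves


_NUMERIC_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}


def _leaf_matches(accepted, value):
    for rule in accepted:
        if isinstance(rule, dict) and "numeric" in rule:   # e.g. {"numeric": [">=", 70]}
            spec = rule["numeric"]
            if isinstance(value, (int, float)) and not isinstance(value, bool) and all(
                    _NUMERIC_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2])):
                return True
        elif isinstance(rule, dict) and "prefix" in rule:
            if isinstance(value, str) and value.startswith(rule["prefix"]):
                return True
        elif rule == value:
            return True
    return False


def event_matches(pattern, event):
    """Every pattern leaf must be matched by some event value at that path. Fields are
    matched independently, so two leaves under an array need not hit the same element."""
    event_leaves = _flatten_event(event)
    for path, accepted in _flatten_pattern(pattern).items():
        if not any(_leaf_matches(accepted, v) for v in event_leaves.get(path, [])):
            return False
    return True


def findings_to_alert(event, labels=("HIGH", "CRITICAL")):
    """What the rule's target (a Lambda, say) should still filter out of the batch."""
    return [f["Title"] for f in event["detail"]["findings"]
            if f["Severity"]["Label"] in labels and f["Workflow"]["Status"] == "NEW"]
```

The matcher shows the caveat practitioners trip over: EventBridge matches each field independently, so an event carrying one LOW finding, one NEW HIGH finding and one RESOLVED CRITICAL finding matches the rule as a whole, and the target still has to pick the findings that actually warrant an alert, which is what findings_to_alert does.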

In the next post we will see how to use these tools and what dependencies and relations exist between them to bring best-in-class hardening to your cloud IT services.

Enjoy the journey to the cloud with me…see you soon.