How to stay on top of security with AWS Security Hub

When it comes to securing your AWS environment, there are lots of services you can use to detect, protect, monitor and remediate threats. So many, in fact, it can be a bit overwhelming to constantly manage them all! Thankfully, AWS has thought of that, and provided us with AWS Security Hub.

In this article, we’ll talk about AWS Security Hub; what it is, what it’s capable of doing, and how you can use it with other offerings like Trusted Advisor to provide an eagle-eye view of your AWS environment.

Get started with ACG and transform your career with courses and real hands-on labs in AWS, Microsoft Azure, Google Cloud, and beyond.

AWS Security Hub is exactly what it sounds like: a single place where you can get a comprehensive view of the state of security in AWS. Security Hub gathers data from services, AWS accounts, and even third-party partner products. It helps you stay on top of standards and best practices.

When you first step into Security hub, you will see your security score as shown below.

Some of the different services that send their findings or data to Security Hub include:

• AWS Config
• AWS Firewall Manager
• Amazon GuardDuty
• AWS Health
• AWS IAM Access Analyzer
• Amazon Inspector
• Amazon Macie
• AWS Systems Manager Patch Manager

Keep in mind that services like AWS Firewall Manager also collect data from a number of places like AWS WAF and AWS Network Firewall, so the data sent to Security Hub will include their findings as well.

This data can be sent across AWS accounts, which takes a lot of the footwork out of tracking down what finding is from where.

Findings in Security Hub are provided by severity level. There are four severity levels: Critical, High, Medium, and Low.

These levels help you prioritize how fast you need to find solutions to the specific item. For example, if you had a KMS key that you needed to delete, it would show up as a critical finding to prevent any accidental deletion. In comparison, if an S3 bucket didn’t have a lifecycle policy configured, this would show up as low severity.

Security Hub also allows you to set workflow statuses and custom actions on some findings. This helps maintain security without the need for someone to purposefully go in and take actions (This saves time, money, and prevents errors).

Security Hub also provides Insights. These Insights cover trends in various topics from S3 to EC2, to standards or best practices not met. Insights can be used to help visualize the state of security across AWS.

I mentioned best practices, and that is where Trusted Advisor comes into the picture! 

AWS Trusted Advisor inspects your environment and makes recommendations that can help strengthen security, and improve cost optimization and performance. You can then follow these to help optimize your services and resources.

AWS Security Hub sends its findings to Trusted Advisor. This means when you are looking at recommendations, you can view findings that align with those recommendations. For example, 

let's go back to our KMS key that we needed to delete. It popped up in Security Hub as a critical finding, and we know that Security Hub sent that finding over to Trusted Advisor as AWS KMS keys should not be deleted unintentionally. 

You pop into Trusted Advisor to see if there are any actions or investigations recommended and see that familiar finding.

Because we already saw it in Security Hub, we know we are all good there. If we hadn't known about it, we could investigate who set that key for deletion in CloudTrail and figure out if deleting it will cause any issues in our environment.

While threats evolve, so too must our state of security. Maintaining security in your environment is an ongoing process, and the more tips and tricks you can use to manage it easier, the better. Utilizing services like AWS Security Hub and integrating it with offerings like Trusted Advisor can provide that leg up you need to be able to maintain a strong state of security. 

With this newfound understanding, I urge you to go forth and play with AWS Security Hub and wade around in Trusted Advisor. Get your hands dirty and find out what improvements can be made to your environment!

If you want to dive into other AWS Security topics, but you are just starting out in the arena, dive into the Introduction to AWS Security course. It will help provide you with a solid starting foundation into your cloud security journey.