Skip to content

AWS Security Hub Monitoring¤

Objective¤

The objective of this pattern is to demonstrate how to enable AWS Security Hub and default security standards in your AWS account, verify that it is enabled, and get findings from AWS Security Hub.

The pattern will enable AWS Security Hub in the CDK_DEFAULT_ACCOUNT and CDK_DEFAULT_REGION.

Prerequisites¤

  1. Follow the usage instructions to install the dependencies and perform the repository setup.
  2. argo-admin-password secret must be defined in Secrets Manager in the same region as the EKS cluster.
  3. Complete the steps to enable AWS Config and deploy the Security Best Practices for Amazon EKS AWS Config managed rules.

Optional (but recommended): If you have not done so already, follow the steps to deploy the Amazon GuardDuty stack and blueprint. Since Amazon GuardDuty automatically sends its findings to AWS Security Hub, the sample EKS finding will appear in AWS Security Hub about five minutes after it has been enabled in the same region.

Deploy¤

To bootstrap the CDK toolkit and list all stacks in the app, run the following commands:

cdk bootstrap
make list

Deploy AWS Security Hub¤

To enable AWS Security Hub in the account and region deploy the stack, run the following command.

make pattern securityhub deploy securityhub-setup

Once deployed, AWS Security Hub will automatically enable all controls that are part of the default security standards. Currently, the default security standards that are automatically enabled are AWS Foundational Security Best Practices and the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0.

Verify¤

Verify that AWS Security Hub is enabled¤

Now you can check that AWS Security Hub is successfully enabled by using the AWS CLI to query the same account and region.

Using the AWS CLI run following command in the same account and region where you deployed the stack.

aws securityhub describe-hub

If you successfully enabled AWS Security Hub, you will see the following.

{
    "HubArn": "arn:aws:securityhub:us-east-1:XXXXXXXXXXXX:hub/default",
    "SubscribedAt": "2021-08-18T00:52:40.624Z",
    "AutoEnableControls": true,
    "ControlFindingGenerator": "SECURITY_CONTROL"
}

View findings in AWS Security Hub¤

Use the following AWS CLI commands to view your findings in AWS Security Hub.

To list critical findings and findings related to controls that have a failed status according to the enabled AWS Security Hub security standards in the same account and region, run the following command:

aws securityhub get-findings --filter 'SeverityLabel={Value=CRITICAL,Comparison=EQUALS},ComplianceStatus={Value=FAILED,Comparison=EQUALS}'

Below is an example of an IAM finding that relates to a failed IAM control that AWS Security Hub found related to the enabled security standards, and will likely be present in your list of findings if you or your organization are not using a hardware MFA device for your AWS root account:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:XXXXXXXXXXX:security-control/IAM.6/finding/494ffa38-0b6e-46d1-98f4-e605ec09d045",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "ProductName": "Security Hub",
            "CompanyName": "AWS",
            "Region": "us-east-1",
            "GeneratorId": "security-control/IAM.6",
            "AwsAccountId": "XXXXXXXXXXX",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards"
            ],
            "FirstObservedAt": "2023-03-04T00:54:44.307Z",
            "LastObservedAt": "2023-05-31T01:20:18.210Z",
            "CreatedAt": "2023-03-04T00:54:44.307Z",
            "UpdatedAt": "2023-05-31T01:20:05.845Z",
            "Severity": {
                "Label": "CRITICAL",
                "Normalized": 90,
                "Original": "CRITICAL"
            },
            "Title": "Hardware MFA should be enabled for the root user",
            "Description": "This AWS control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/IAM.6/remediation"
                }
            },
            "ProductFields": {
                "RelatedAWSResources:0/name": "securityhub-root-account-hardware-mfa-enabled-24e3b344",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "Resources:0/Id": "arn:aws:iam::XXXXXXXXXXX:root",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:XXXXXXXXXXX:security-control/IAM.6/finding/494ffa38-0b6e-46d1-98f4-e605ec09d045"
            },
            "Resources": [
                {
                    "Type": "AwsAccount",
                    "Id": "AWS::::Account:XXXXXXXXXXX",
                    "Partition": "aws",
                    "Region": "us-east-1"
                }
            ],
            "Compliance": {
                "Status": "FAILED",
                "RelatedRequirements": [
                    "CIS AWS Foundations Benchmark v1.2.0/1.14",
                    "CIS AWS Foundations Benchmark v1.4.0/1.6",
                    "NIST.800-53.r5 AC-2(1)",
                    "NIST.800-53.r5 AC-3(15)",
                    "NIST.800-53.r5 IA-2(1)",
                    "NIST.800-53.r5 IA-2(2)",
                    "NIST.800-53.r5 IA-2(6)",
                    "NIST.800-53.r5 IA-2(8)",
                    "PCI DSS v3.2.1/8.3.1"
                ],
                "SecurityControlId": "IAM.6",
                "AssociatedStandards": [
                    {
                        "StandardsId": "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
                    },
                    {
                        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
                    },
                    {
                        "StandardsId": "standards/cis-aws-foundations-benchmark/v/1.4.0"
                    },
                    {
                        "StandardsId": "standards/nist-800-53/v/5.0.0"
                    },
                    {
                        "StandardsId": "standards/pci-dss/v/3.2.1"
                    }
                ]
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ACTIVE",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "CRITICAL",
                    "Original": "CRITICAL"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards"
                ]
            }
        }
    ]
}

To search for findings related to the Security Best Practices for Amazon EKS Config managed rules, run the following AWS CLI command:

aws securityhub get-findings --filters 'GeneratorId={Value="security-control/EKS.1", Comparison="EQUALS"}'

You might see a finding such as the following:

{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:XXXXXXXXXXX:security-control/EKS.1/finding/931a06d9-1b1d-431b-8b91-1ff86829b400",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "ProductName": "Security Hub",
            "CompanyName": "AWS",
            "Region": "us-east-1",
            "GeneratorId": "security-control/EKS.1",
            "AwsAccountId": "XXXXXXXXXXX",
            "Types": [
                "Software and Configuration Checks/Industry and Regulatory Standards"
            ],
            "FirstObservedAt": "2023-05-09T10:34:36.736Z",
            "LastObservedAt": "2023-05-30T10:27:41.205Z",
            "CreatedAt": "2023-05-09T10:34:36.736Z",
            "UpdatedAt": "2023-05-30T10:27:34.574Z",
            "Severity": {
                "Label": "HIGH",
                "Normalized": 70,
                "Original": "HIGH"
            },
            "Title": "EKS cluster endpoints should not be publicly accessible",
            "Description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.",
            "Remediation": {
                "Recommendation": {
                    "Text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.",
                    "Url": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation"
                }
            },
            "ProductFields": {
                "RelatedAWSResources:0/name": "securityhub-eks-endpoint-no-public-access-f5aecad6",
                "RelatedAWSResources:0/type": "AWS::Config::ConfigRule",
                "aws/securityhub/ProductName": "Security Hub",
                "aws/securityhub/CompanyName": "AWS",
                "aws/securityhub/annotation": "Cluster Endpoint of starter-blueprint is Publicly accessible",
                "Resources:0/Id": "arn:aws:eks:us-east-1:XXXXXXXXXXX:cluster/starter-blueprint",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:XXXXXXXXXXX:security-control/EKS.1/finding/931a06d9-1b1d-431b-8b91-1ff86829b400"
            },
            "Resources": [
                {
                    "Type": "AwsEksCluster",
                    "Id": "arn:aws:eks:us-east-1:XXXXXXXXXXX:cluster/starter-blueprint",
                    "Partition": "aws",
                    "Region": "us-east-1"
                }
            ],
            "Compliance": {
                "Status": "FAILED",
                "RelatedRequirements": [
                    "NIST.800-53.r5 AC-21",
                    "NIST.800-53.r5 AC-3",
                    "NIST.800-53.r5 AC-3(7)",
                    "NIST.800-53.r5 AC-4",
                    "NIST.800-53.r5 AC-4(21)",
                    "NIST.800-53.r5 AC-6",
                    "NIST.800-53.r5 SC-7",
                    "NIST.800-53.r5 SC-7(11)",
                    "NIST.800-53.r5 SC-7(16)",
                    "NIST.800-53.r5 SC-7(20)",
                    "NIST.800-53.r5 SC-7(21)",
                    "NIST.800-53.r5 SC-7(3)",
                    "NIST.800-53.r5 SC-7(4)",
                    "NIST.800-53.r5 SC-7(9)"
                ],
                "SecurityControlId": "EKS.1",
                "AssociatedStandards": [
                    {
                        "StandardsId": "standards/aws-foundational-security-best-practices/v/1.0.0"
                    },
                    {
                        "StandardsId": "standards/nist-800-53/v/5.0.0"
                    }
                ]
            },
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ACTIVE",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "HIGH",
                    "Original": "HIGH"
                },
                "Types": [
                    "Software and Configuration Checks/Industry and Regulatory Standards"
                ]
            }
        }

    ]
}

To see any findings generated by Amazon GuardDuty in AWS Security Hub, run the following command:

aws securityhub get-findings --filters 'ProductName={Value="GuardDuty",Comparison="EQUALS"}'
{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:guardduty:us-east-1:XXXXXXXXXXX:detector/68b6db88cfef1e59333ecbccd8e816b5/finding/0ec437473c147f649d1437f94d615224",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "ProductName": "GuardDuty",
            "CompanyName": "Amazon",
            "Region": "us-east-1",
            "GeneratorId": "arn:aws:guardduty:us-east-1:XXXXXXXXXXX:detector/68b6db88cfef1e59333ecbccd8e816b5",
            "AwsAccountId": "XXXXXXXXXXX",
            "Types": [
                "TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer"
            ],
            ...
            "Severity": {
                "Product": 5,
                "Label": "MEDIUM",
                "Normalized": 50
            },
            "Title": "Privileged container with root level access launched on the EKS Cluster.",
            "Description": "A privileged container with root level access was launched on EKS Cluster guardduty-blueprint. If this behavior is not expected, it may indicate that your credentials are compromised.",
            "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=0ec437473c147f649d1437f94d615224",
            "ProductFields": {
                ...
            },
            "Resources": [
                { ... }
            ],
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ACTIVE",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "MEDIUM"
                },
                "Types": [
                    "TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer"
                ]
            },
            "Sample": false
        }
    ]
}

If you deployed the Amazon GuardDuty Protection EKS Blueprints pattern to the same account and region where you enabled AWS Security Hub, you should see Amazon GuardDuty findings like the one above. The sample workload deployed with the Amazon GuardDuty pattern which contains a privileged container is detected by Amazon GuardDuty and generates the Kubernetes-PrivilegedContainer finding. Amazon GuardDuty automatically sent this finding to AWS Security Hub where it can be viewed and triaged.