How I use AWS Security Hub

Captions
Welcome to cloudonaut plus, your source for exclusive videos and online events for AWS professionals. My name is Michael, and today I show you how I use AWS Security Hub to get an overview of the level of security in my AWS accounts. This was a topic that quite a few of you actually requested in the community and also in our second ask-me-anything session, and this time I turned it into a video because I think that's quite an important topic. It's also a topic where a lot of details are important, so that's why we will have the first video about Security Hub here today, and I promise that we will have further videos about the whole security topic and all the different services that we can use to make sure that we run our workloads in a secure way.

So let's switch to the slides. Before we start with the content, I want to give you a couple of details about what we will cover. First you will get a very short introduction into Security Hub, and then we will look into ways how you can comply with security standards using Security Hub; that's the focus of today's video. I will also share with you the lessons learned and basically how I use Security Hub these days, either in our own accounts or also if we visit a customer for the first time and enable Security Hub and turn this data into something useful for the customer. I also prepared two pitfalls for you. One is about the security score, I will talk about the details later, so this is the magic number that maybe some of you want to optimize for. The other pitfall is about an error that pops up in Security Hub quite often, so I see this in many different AWS accounts, and it takes some time to understand why it happens, and I will show you what's going on. It's about an IAM check that returns an unknown error, so it's not very helpful; that's why we have a look at it.

All right, so what is Security Hub? First, Security Hub provides a centralized and, this is important, organization-wide overview of all your workloads. This means that you can run Security Hub either in kind of standalone mode, where it covers only a single AWS account and region, or you can run it in an org mode where it aggregates all the data for your AWS accounts. It still needs to run in each of the regions that you use, so it doesn't aggregate across regions, but it can aggregate across accounts, and that is very useful. So what does Security Hub actually do? It does two things, and this is maybe a little bit misleading at the beginning, because it isn't really necessary that both of those features are available. One of the features is Security Hub runs checks. So Security Hub itself runs checks based on security standards that are defined by AWS; that's one of the features. This feature relies on AWS Config to be active in the AWS account, so what Security Hub basically does under the covers is it creates Config rules for you, and those Config rules are defined by AWS and they check the security standards. That's feature number one. Feature number two is Security Hub integrates with many other AWS services and also third parties, and those services send security findings into Security Hub as well. So for example, just two examples: there is GuardDuty, there is Inspector, there are other services like IAM Access Analyzer, and there are third parties, and they can all send data into Security Hub, and then you can have a look at it in a central place, and you also get nice statistics about how this is changing over time. So that is, in a nutshell, Security Hub, and I don't want to bore you with any more theory this time; we will jump right into the AWS console, and I will show you how I use Security Hub.

If you visit the AWS Security Hub management console, you are greeted with a screen like that, and I will quickly hide the navigation bar. So you get different kinds of summaries, for example this is about the findings from the different integrations, and as you can see I have only the GuardDuty integration enabled, or the only service that I have enabled here is GuardDuty, so that's why only GuardDuty sends additional data into Security Hub, besides the standard checks. What you also can see here is the overall security score of all my AWS accounts using all the security standards, so that's kind of a first indication of how the account is doing. You also get kind of group-by aggregates, so for example you can see which account has the most failed checks, so basically has the most security findings, and all kinds of information are presented here at the top level, and you also get some charts. I have to admit I don't really use that view often. What I do instead is I go to Security Standards right away; this is the view that I like most. Usually I enable at least the AWS Foundational Security Best Practices security standard. You can enable them individually; in this case I also have enabled the CIS AWS Foundations Benchmark, but I have not enabled the PCI DSS security standard. I think it makes sense to start with one, and I would recommend starting with the AWS Foundational Security Best Practices. One thing to keep in mind is that they actually overlap quite a bit, so if you start fixing findings from AWS Foundational Security Best Practices, you will, as a side effect, also fix things that the CIS AWS Foundations Benchmark would have flagged as a problem. So yeah, if you turn on both at the same time, that's also possible, but you might be a little bit overwhelmed by the number of findings, and that's why I usually recommend to start with one. I wouldn't start with the PCI one because that really flags lots of things that are not really super relevant. So the one that I usually start with is, as I said, AWS Foundational Security Best Practices, and if you click on that you get again an aggregated view, but only for this security standard.

If you enable Security Hub across your AWS organization, then this will automatically include data from all your AWS accounts. One thing to keep in mind when you enable Security Hub in organization mode is that you can define a delegated admin for Security Hub, and that's highly recommended. So in your organizational main account, where you create the AWS accounts, where you add them, where you assign the service control policies and where you group them in the hierarchy, in this account you can define a delegated admin. In my case I created a special AWS account, it's my security account, so this is the account where I want to control Security Hub in. So from my organizational root account I delegate into my security account, and then my security account becomes the admin for Security Hub; this is where I can add accounts, where I can disable checks, and where I can enable security standards for all accounts at once. So it's highly recommended to not do that in your root (master) account but to have a delegated admin account, because otherwise all the security folks in your organization need access to the root AWS account, and that's not a good idea, because in this account you basically can have full permissions into any AWS account in your organization. So don't do that. I always use this delegated admin feature, which is now, I think, the best practice also internally for AWS services to follow that approach, so most of the security services these days come with this feature where you can delegate the admin control to a different AWS account, and the reason why they do it is that otherwise all the security folks need to have lots of permissions by default. All right, so let's go back to my screen here. I talked a little bit about Security Hub in org mode, but now let's look back at the AWS Foundational Security Best Practices security standard.

What we can see here at the top is a security score, and basically what AWS does to calculate the score is they look at all the enabled checks, then they look at how many of them have passed, and they divide passed by all enabled, and that's the security score. There is one pitfall, and I will talk about that at the end: when you run Security Hub in organizational mode, the calculation works a little bit differently, and the problem is disabled checks, and we will talk about that as well in a minute. So let's look into the different checks. You can quickly see they are either in status failed, and if a check is in status failed, that basically means there is a finding. I mean, failed is probably not the best wording here, but failed means there is something that does not comply with that check. This check, for example, is about "S3 permissions granted to other AWS accounts in S3 bucket policies should be restricted", so for some reason there's a bucket policy that grants access to another AWS account, and it is not restricted in the way Security Hub thinks is the best practice. So that's one of the failed checks, and it also has severity high. Keep in mind severity does not have any impact on your security score, so that might be a little bit confusing, but it actually doesn't matter if you fix a medium, a high or a low severity finding; it doesn't influence the score in any way. All right, so you can see there are a couple of failed things here. Then we have unknowns. Unknowns is something I talk about again in the pitfall section at the end; those are checks that very likely we are not able to run successfully, so we don't know if it's failed or passed. That's bad, it shouldn't happen, and it's an AWS problem; they should fix it, so it's not our business in this case. And then we have passed checks, and that's also fine; passed basically means you are compliant with that rule.

All right, so what you can do is select just one of the checks, and you immediately get a drill-down into this specific check. What you can see is we have one failed check, one finding basically, and you also see the resource, so that's the name of the S3 bucket that does not comply with that rule. So the question is how can we actually comply with that rule, and the important part here is usually the remediation instructions. That's a link, every check has this link, and it points to the AWS documentation. So that's the one that we see, and it basically tells us what we should do to fix that, and if you just follow the steps you usually have a good idea of how you can solve the problem. So that's very nice: they not only flag what's wrong, they also tell us how to fix it, so that's very useful, at least from my perspective, and I use that documentation a lot when fixing those errors. All right, the other option that we have is this disable button. There are checks that are not relevant in your scenario. A couple of checks that I disabled: for example, there is one requirement that the root account should have a hardware MFA token. If you manage your accounts with AWS Organizations, then it is not really possible to fulfill that requirement, so that's why I usually just disable that check completely. If you disable it, you can enter a reason why you disabled it, and that's the documentation for people that look at this later so they understand why the whole check was disabled. So that's one way to whitelist something in Security Hub: you can disable the whole check. Another thing that you can do is, for each individual finding, you also have ways to work with the finding by using the workflow status. By default the workflow status is new; as you can see, in my case it is notified. Notified means that okay, someone is working on it, so someone was notified that they should fix that. If you work in a large organization, chances that you can fix this are low, so you have to reach out to some other team and ask them, "hey, please fix the S3 bucket policy of the bucket this and that", and then they can work on that. So that's, I think, what the workflow status notified is about. You also have the option to suppress a finding. Suppress basically means, again, a kind of whitelisting, so this is "ignore that problem": we cannot fix it, for some reason it has to be the way it is. For example, there is one check that checks if an S3 bucket is public, and there might be one bucket in your whole organization that has to be public because there are files stored in that bucket that are downloaded by your customers, so the bucket has to be public. Then you could either disable the check, and then you would lose the whole functionality, so other S3 buckets might be public and you would not notice it, or you just suppress it for this single bucket where you know it should be public, and then you are still fine. So that's what suppressing is about. And then, last but not least, we have resolved, and resolved means you fixed the problem, and then this is marked as done. If there is a finding and you just change the configuration, if you wait long enough Security Hub will pick that change up as well and close the finding for you. So resolving is not necessarily needed; it's just for us humans to make sure that we don't work on something twice, but after some time, and this can really be 12 hours in Security Hub, it will also be closed by the next run that checks all the Config items. All right, so that's, I think, most of the important parts of working with checks and findings.

I can quickly show you the ones that I disabled. One of them I already mentioned, the hardware MFA thing, so I disabled that. The other one that I disabled is about the default security groups and also the default VPC. For some reason AWS deploys default VPCs and default security groups, and for some reason they do not comply with their own rules, so they flag all of their own stuff as insecure, which is kind of weird, because why don't they just deploy it in a way that is compliant by default? But that's not how it works: they deploy it in, by their own terms, an insecure way, and then they ask us to make it secure. Yeah, I'm not sure, I don't like all this default stuff. There is one problem with just deleting the default VPC: if you use CloudFormation, the GetAZs function depends on your default subnets to calculate the available availability zones, so that's why it's not a good idea to just delete the whole thing. In my case I just ignore it, but I know lots of customers who go and patch it. The problem is, with CloudFormation you cannot change the default stuff, because this was not created by CloudFormation. Terraform allows us to do that; there are resources especially to modify the default VPC and default subnets, so you can do that with Terraform. That was good news, at least in one of the last projects where we used Terraform to deploy everything, so we could do that in an automated way, which is good. But yeah, it's a little bit annoying, and also in the AWS documentation you will find a section about checks that you might want to disable, and I don't know, what's the reason for having checks in the security standard that you might want to disable? I don't know. So it is of course opinionated, and many of the checks are, I would say, questionable, and I question them if I don't think that they make any sense.

I can show you a couple of examples. For example, there is this very strong requirement to enable server-side encryption everywhere, which I think is fine, but, I don't know, for example "SNS topics should be encrypted at rest"; I mean, data is not really stored there for a long time, so I'm not sure if that's the most important part. Then, if you for example use GitHub or GitLab or something that does not run inside AWS to deploy your stuff, you will have IAM users, and those IAM users will have credentials, and you will have to rotate them every 90 days according to Security Hub. So that's also a rule that might be easy or not so easy to follow. And all kinds of other checks that are here; I don't know if I can see something here... "Amazon EC2 should be configured to use VPC endpoints", for example, is also one of the checks that I usually just disable. They also require you to enable all kinds of features, for example they also ask you to enable GuardDuty, and I mean, yeah, they release a new service and then they add an item in Security Hub that checks that you enable the service which you pay for, and that's kind of an amazing money machine. But if you don't want to use GuardDuty, then just ignore that or disable that check, because it doesn't make sense for any workloads.

Okay, so the last question before we talk about the pitfalls: what are actually the costs? The thing is that all the security services are not free of charge, and some of them can get very expensive, and for most of them it's not super easy to understand the implications of enabling them up front. Security Hub, I think, solves that quite well: if you go to the settings, there is a usage tab, and you will get an estimation of how much you will likely pay for Security Hub. Keep in mind the first 30 days are free, so that's a free trial for Security Hub; so if you enable it, then basically after day 25 or so I would recommend checking out the usage tab to check the estimated costs and make sure that that makes sense for you. In this case I think it makes sense, but yeah, it can get expensive, so make sure that you check this up front to avoid any surprises. All right, so that's how I use Security Hub. I think that's all I have to say. I like the service and I recommend that you enable it, because I think it's one of the services where the price stays in a good relationship to the value you get out of the service. It is actually actionable, so the findings are actionable, you get an understanding of what you have to do, and most of them also make sense. So I recommend using it, and if you haven't looked at Security Hub, I definitely recommend that you check it out, and as I mentioned, the first 30 days are free, so there's not much to lose; that's a big advantage of Security Hub.

All right, so that is how I use it. Let's talk about the pitfalls. The first is about the security score when you use Security Hub in this organizational mode. The default calculation works like this: we have all the enabled checks, we know how many of them failed (these are the ones where we have findings), then we have unknowns (this is where we have errors), we have some of the checks that have no data (for example, if you have no S3 bucket, then your S3 check will have no data because it cannot check an S3 bucket), we have the passed checks, and we have the disabled ones. The natural way to calculate the security score is easy: number of passed divided by all the enabled checks, that's the percentage in your security score. As I mentioned, severity has zero impact on that score, so you don't necessarily have to fix the high ones first. If you are lazy, what you do is this: each check has a different number of findings, so for example there could be a check that has 200 findings, and if you fix one of the findings it has zero impact on your security score; there might be another check where there's only a single finding, and if you fix that single finding, boom, your security score goes up. So yeah, for the lazy humans out there, including myself: I mean, you could start with the high ones, but you could also just sort by findings and then start with the one with the lowest findings and work in that order. So you will have a very steep curve at the beginning, and then it gets very slow at the end, in terms of effort. That's one thing to keep in mind. Okay, so now we understand how the security score is calculated. If you do that calculation for those numbers, so 57 divided by 71, we get 80. As you can see, that number doesn't match with what you see on the screen, so something is wrong here. If you would do that calculation in Security Hub when you are not using organization mode but run it just in a single account, this number would match with what you see on the screen. If you're in organizational mode, we have to calculate a little bit differently: we take all the enabled checks, we look at the passed ones, and we divide by the enabled ones, but we also have to add the disabled ones if they have findings. That is super confusing: only if they have findings are they taken into account in this calculation. If you do the math again, then we get exactly 78. So how can you fix that? I was working with a customer and we closed findings, we made sure checks passed, and the security score was not really moving; we disabled lots of checks, and the security score was not moving. You have to understand two things. First, it can take some time until the security score updates: first it takes some time until the check actually reruns and takes into account your changes, and then it can take again, I think in the documentation it's mentioned it can take up to 24 hours, until the aggregation in the org mode is current. So that's something to keep in mind. The other thing is that if you disable a check, it will still count into your security score and lower it, so if you want to make sure that the security score reflects reality, you have to suppress all the findings for the disabled security check; only then will your security score be accurate. This is a little bit confusing; I was confused, at least when I first read about that behavior in the documentation. I think it's a bug. I mean, they made it a feature now, but I don't think that it makes a lot of sense, so I hope that will change in the future, but until now we have to manually suppress all the findings of a disabled check.

All right, second pitfall, and this is actually also something I was running into when I looked at this in my own AWS account (we saw that earlier) and also when I worked in customer accounts. I was remembering, okay, I saw that error before in my own account, and then I compared a couple of AWS Organizations setups and I saw that error in all of them. So I did some research, and it turns out that in the AWS Foundational Security Best Practices security standard there are the IAM checks, and quite a few of them can error with the Config rule evaluation error "internal error", which is, as you might guess, not very helpful to understand what the root cause is, and they will show up in the overview as an unknown status. Unknown basically means, as I said, AWS is not able to get to a decision whether it passed or failed. Then I looked for that error, and in the AWS forums I see a post from December 2020 where AWS says that yeah, that's a problem we know; it is because of IAM rate limits, so we check too often and that's why we run into rate limits, and when we run into rate limits we don't retry, we just throw an internal error, and then the check is in an unknown state. Since December 2020 this hasn't changed; I mean, you saw it on my screen a couple of minutes before, and now it's April 2021. In the forum post they mentioned that they work on this with high priority; not so sure about the priority here, but I think we can hope that this will be fixed at some point in time, because we can't do anything about it: it's an AWS rule, so we cannot change it. That's it. Those are the two pitfalls that I think you have to keep in mind when working with Security Hub.

I hope you liked this introduction into Security Hub, and as I promised, we will probably have more videos about security features on AWS. You can reach out to us and the community about this topic and any other related AWS topic at community.cloudon.org, and this is also the perfect place to give us feedback on what security service you are interested in afterwards. So should we talk about GuardDuty first, should we talk about Inspector first, should we talk about IAM Access Analyzer first, or something completely different? Let us know; we take your feedback into account when planning the next videos, so that is much appreciated, and it really helps us to create good videos for you. Thanks for watching, and don't forget to rate this video if you learned something new today; your feedback helps us to produce relevant videos. As I already mentioned, you can reach out to us via email, via Twitter, and the details are in the video description, or you can also find them in the community. We are back in one week. Thanks for your support. Bye.
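The score arithmetic from the first pitfall, written out as an added example (not code from cloudonaut or AWS): it computes the single-account score and the org-mode score, applies the "suppress the findings of disabled checks" workaround, and sorts failed checks by lowest finding count. The check labels, statuses and finding counts are constructed so that they reproduce the 57 / 71 figures from the video.

```python
"""Security Hub security-score arithmetic as the video describes it.

Added example, not code from cloudonaut or AWS. It models the checks of one
security standard and computes the score both ways the video explains:
  single account: passed / enabled
  org mode:       passed / (enabled + disabled checks that still have findings)
Status names and every check below are constructed for illustration.
"""
from dataclasses import dataclass, replace

ENABLED = ("PASSED", "FAILED", "UNKNOWN", "NO_DATA")  # every status that is not DISABLED


@dataclass(frozen=True)
class Check:
    control: str       # label of the check (constructed, not real Security Hub control IDs)
    status: str        # PASSED, FAILED, UNKNOWN, NO_DATA or DISABLED
    findings: int = 0  # active (not suppressed) findings behind this check


def single_account_score(checks):
    """Score outside org mode: passed checks over all enabled checks, as a percentage."""
    enabled = [c for c in checks if c.status in ENABLED]
    passed = [c for c in enabled if c.status == "PASSED"]
    return round(100 * len(passed) / len(enabled))


def org_mode_score(checks):
    """Org-mode score: disabled checks stay in the denominator while they have findings."""
    enabled = [c for c in checks if c.status in ENABLED]
    passed = [c for c in enabled if c.status == "PASSED"]
    disabled_with_findings = [c for c in checks if c.status == "DISABLED" and c.findings > 0]
    return round(100 * len(passed) / (len(enabled) + len(disabled_with_findings)))


def suppress_disabled(checks):
    """The workaround from the video: suppress every finding of a disabled check."""
    return [replace(c, findings=0) if c.status == "DISABLED" else c for c in checks]


def fix_findings(checks, control, count=1):
    """Resolve `count` findings of one failed check; it flips to PASSED only at zero."""
    out = []
    for c in checks:
        if c.control == control and c.status == "FAILED":
            left = max(c.findings - count, 0)
            c = replace(c, findings=left, status="PASSED" if left == 0 else "FAILED")
        out.append(c)
    return out


def cheapest_first(checks):
    """Failed checks ordered by finding count: the 'lazy' order that moves the score fastest."""
    return sorted((c for c in checks if c.status == "FAILED"), key=lambda c: c.findings)


def constructed_checks():
    """71 enabled checks (57 passed) plus 4 disabled ones, 2 of them still carrying findings:
    the numbers behind the video's screenshot (57 / 71 = 80, but 78 in org mode)."""
    checks = [Check(f"ok-{i}", "PASSED") for i in range(1, 58)]                 # 57 passed
    checks += [Check("s3-bucket-policy-restricted", "FAILED", 1),               # 9 failed ...
               Check("ec2-vpc-endpoints", "FAILED", 200),
               Check("sns-encrypted-at-rest", "FAILED", 12)]
    checks += [Check(f"other-failed-{i}", "FAILED", 3) for i in range(1, 7)]    # ... in total
    checks += [Check(f"iam-unknown-{i}", "UNKNOWN") for i in range(1, 4)]       # 3 unknown
    checks += [Check(f"no-data-{i}", "NO_DATA") for i in range(1, 3)]           # 2 no data
    checks += [Check("root-hardware-mfa", "DISABLED", 1),                        # disabled, findings
               Check("default-security-group", "DISABLED", 4),                   # disabled, findings
               Check("default-vpc", "DISABLED"), Check("pci-only", "DISABLED")]  # disabled, clean
    return checks


if __name__ == "__main__":
    checks = constructed_checks()
    print("single account :", single_account_score(checks))                    # 80
    print("org mode       :", org_mode_score(checks))                          # 78
    print("org, suppressed:", org_mode_score(suppress_disabled(checks)))       # 80
    print("fix first      :", [c.control for c in cheapest_first(checks)][:2])
```

Fixing one of the 200 findings of the EC2 check leaves both scores unchanged, while closing the single S3 finding moves the single-account score from 80 to 82.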
Info
Channel: cloudonaut
Views: 210
Keywords: aws, amazon web service, cloudonaut, cloud, cloudcomputing, cloud computing, aws training, aws cloud, aws tutorial, aws tutorial for beginners, amazon aws tutorial, aws security hub, how to use aws security hub, security hub aws, how to use security hub, using security hub, using aws security hub, aws security hub demo, aws security hub tutorial, aws security hub deep dive, security, hub, how i use aws security hub, security hub aws demo
Id: BNH7b3YBmWM
Length: 27min 11sec (1631 seconds)
Published: Sun Dec 05 2021