AWS Security Hub integrations

Updated: Aug 30

Security is essential for every organization, that’s why Automat-IT pays great attention to it during project delivery and well-architected review. AWS has several really impressive security related services that help us build a safe infrastructure and continuously monitor compliance. In the previous post we demonstrated how to enable AWS Security Hub for a multi-account AWS environment. We suggest our customers enable AWS Security Hub along with given integrations, like GuardDuty, Inspector, Macie, Detective, IAM Access Analyzer, Audit Manager and Chatbot, which will be described in this post.

Amazon GuardDuty integration

Automat-IT enables Amazon GuardDuty by default in every project since the service was released. We described how we deploy this thread detection system in a multi-account AWS environment in the previous post. Here we will look at GuardDuty integration into AWS Security Hub.

Once you enable Amazon GuardDuty and AWS Security Hub, findings are automatically delivered to the Security Hub console.

Amazon GuardDuty findings from all accounts within AWS Organizations are displayed in the AWS Security Hub console in the central Audic account.

Amazon Macie integration

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).

Amazon Macie allows the centralized account as we have in GuardDuty. Audit account is central for Amazon Macie and member accounts are invited to join.

Summary shows overall status for S3 service including public access and encryption configuration.

Moreover Amazon Macie allows to run Scheduled or One-time jobs and scan objects for sensitive data in selected buckets.

In the following example the scanning job has found several issued, including personal data and credentials in txt files and zip archives:

When we downloaded the mentioned zip archive with a finding “Credentials”, we saw a private key inside.

Once you enable Amazon Macie and AWS Security Hub, findings are automatically delivered to the Security Hub console.

Amazon Macie findings from all accounts within AWS Organizations are displayed in the AWS Security Hub console in the central Audic account.

You can quickly get started with Macie leveraging the 30-day free trial. By enabling the service, only the S3 bucket inventory and bucket-level evaluation charges apply and those come at no-cost for the first 30 days. After the first 30 days, the bucket evaluation will cost $0.10 per S3 bucket. First 1 GB / month of data processing is free, next 50,000 GB / month - $1.00 per GB.

IAM Access Analyzer integration

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. An external entity can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or other entity that you can use to create a filter.

Despite having IAM in the name, IAM Access Analyzer is a regional service. It analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.

By default the AWS organization master account is administrator for IAM Access Analyzer in a multi-account environment, but you can delegate an administration (it’s again will be the Audit account).

We can create an analyzer for the current AWS account or for the whole AWS organization, as in the following example:

If some findings are not relevant, you can configure an archive rule with different conditions that will automatically archive findings, for example we have the finding above that shows that an external principal Cloudfront (with an origin access identity) accesses S3 bucket. We know that it is intended access and expected for us, so we don’t need such notification.

Once you enable IAM Access Analyser and AWS Security Hub, findings are automatically delivered to the Security Hub console.

IAM Access Analyzer policy validation is available at no additional cost in all commercial AWS Regions, AWS China regions, and AWS GovCloud (US).

Amazon Detective integration

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.

As other above mentioned AWS security services, Amazon Detective can be configured in a centralized manner. The “Audit” AWS account is an administrator that invites other accounts.

In the Amazon Detective summary we have three tabs. The first on is “Roles and users with the most API call volume in the past 24 hours”

If you click to any principal, you will see details including success/fail rate, observer IP addresses, API method by service and called resources. This is useful for incident investigation and threat hunting.

The second summary tab is “EC2 instances with the most traffic volume in the past 24 hours”. Here you can check if some spike in traffic from an instance is expected.

If you click to some EC2 instance, you will see details about incoming/outgoing traffic, IP addresses, ports, protocols, etc.

The third summary tab is “Newly observed geolocations in the past 24 hours”

Amazon Detective also provides a search capabilities, which you can use in the investigation process:

Amazon Detective is priced based on the volume of data ingested from AWS CloudTrail, VPC Flow Logs, and Amazon GuardDuty findings. You are charged Per Gigabyte (GB) ingested per account/region/month. There is no additional charge to enable these log sources for analysis or for data stored in Amazon Detective.

You can try Amazon Detective at no additional charge with a 30-day free trial. The free trial enables you to get the full Detective feature set over the 30-day period. After the free trial it will cost $2.00 per GB for the first 1,000 GB/account/region/month.

Amazon Inspector integration

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. It allows us to discover vulnerabilities quickly, prioritize patch remediation, meet compliance requirements and identify zero-day vulnerabilities sooner.

EC2 requires the Inspector agent for performing scans, ECR repos don’t need any additional configuration for scanning.