
AWS Security Hub Central Configuration - An Easy way to monitor your Organization security posture

Lightning talk at AWS re:Invent re:Cap Hong Kong

Richard Fan

January 25, 2024

Transcript

1. An Easy way to monitor your Organization security posture
   AWS Security Hub Central Configuration
   Richard Fan, AWS Security Hero

2. What is AWS Security Hub?
   • Cloud Security Posture Management (CSPM) service
   • Identify security misconfigurations
   • Central dashboard of security findings and compliance state

3. Integrations
   • Other AWS services
     • Amazon Inspector
     • Amazon GuardDuty
   • 3rd party products
     • Snyk
     • Tenable
     • Splunk
   • Custom integration

4. Built-in standards
   • Backed by AWS Config
   • Supported standards
     • AWS Foundational Security Best Practices
     • CIS AWS Foundations Benchmark
     • NIST SP 800-53
     • PCI DSS

5. Multi-account challenges
   • Which account has security issues?
   • Auto deploy to new accounts
   • Customized policies for different accounts
   • Keep policies in-sync for all accounts

6. New feature: Central Configuration
   • Integrated with AWS Organizations
   • Create policies for member accounts
     • Enable/Disable AWS Security Hub
     • Enable/Disable security standards
     • Enable/Disable security controls
     • Custom control parameters
   • Different policies for different accounts

7. New feature: Custom control parameters
   • Customize parameters on some security controls
   • Fine-tune for organization security policies
   • E.g. [IAM.7] – Password policies for IAM users should have strong configurations
     • Minimum Password Length: 8 - 128 characters
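The policy described on slides 6 and 7, written out as an added CloudFormation example (this is not from the talk or from AWS; it is illustrative). It is meant to be deployed once, in the Security Hub delegated administrator account of the organization: it switches the organization to central configuration, defines one policy that enables Security Hub with two standards, disables one control, and tightens the IAM.7 minimum password length, then associates the policy with a production OU. The resource types AWS::SecurityHub::OrganizationConfiguration, ConfigurationPolicy and PolicyAssociation, their property names, the IAM.7 parameter name MinimumPasswordLength and the OU id are assumptions to check against the current CloudFormation and Security Hub documentation before use.

```yaml
# Added example (not from the talk): Security Hub central-configuration
# policy as CloudFormation, deployed in the delegated administrator account.
# Assumptions: the three AWS::SecurityHub resource types and their property
# names, the IAM.7 parameter name MinimumPasswordLength, the placeholder OU id.
AWSTemplateFormatVersion: '2010-09-09'
Description: Security Hub central configuration policy for production accounts (example)

Parameters:
  ProductionOuId:
    Type: String
    Default: ou-xxxx-PLACEHOLDER   # placeholder: id of the OU that receives the policy
    Description: Organizational unit the policy is associated with

Resources:
  # Switch the organization from local to central configuration.
  # Central configuration requires auto-enable to be off; policies decide instead.
  CentralConfiguration:
    Type: AWS::SecurityHub::OrganizationConfiguration
    Properties:
      AutoEnable: false
      AutoEnableStandards: NONE
      ConfigurationType: CENTRAL

  ProductionPolicy:
    Type: AWS::SecurityHub::ConfigurationPolicy
    DependsOn: CentralConfiguration
    Properties:
      Name: production-baseline
      Description: FSBP and CIS enabled, one control disabled, IAM.7 tightened to 14 characters
      ConfigurationPolicy:
        SecurityHub:
          ServiceEnabled: true            # slide 6: enable/disable Security Hub
          EnabledStandardIdentifiers:     # slide 6: enable/disable standards
            - !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0
            - !Sub arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/cis-aws-foundations-benchmark/v/1.4.0
          SecurityControlsConfiguration:
            # slide 6: enable/disable controls. Every other control in the
            # enabled standards stays on; the choice of control is illustrative.
            DisabledSecurityControlIdentifiers:
              - CloudFormation.1
            # slide 7: custom control parameters. IAM.7 accepts 8 - 128.
            SecurityControlCustomParameters:
              - SecurityControlId: IAM.7
                Parameters:
                  MinimumPasswordLength:
                    ValueType: CUSTOM
                    Value:
                      Integer: 14

  # Bind the policy to the OU. Accounts moved into the OU later inherit it,
  # which is what covers the "auto deploy to new accounts" problem on slide 5.
  ProductionAssociation:
    Type: AWS::SecurityHub::PolicyAssociation
    Properties:
      ConfigurationPolicyId: !GetAtt ProductionPolicy.Id
      TargetId: !Ref ProductionOuId
      TargetType: ORGANIZATIONAL_UNIT
```

A second policy with a different standard set or different parameters can be associated with another OU or with individual accounts (TargetType ACCOUNT), which is how "different policies for different accounts" on slide 6 is realised; an account-level association overrides the one inherited from its OU.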
8. AWS Config is not auto-enabled
   • Built-in security controls require AWS Config
   • Central Configuration doesn’t enable AWS Config
   • Need to enable it for all accounts first
     • AWS CloudFormation StackSet
     • Terraform
     • …

9. Cost saving on AWS Config
   • AWS Config records all supported resource types
   • Not all resource types are monitored by AWS Security Hub
   • AWS Config supports continuous/daily recording
   • Use daily recording if full resource history is not required
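Slides 8 and 9 together describe one procedure: enable AWS Config in every account and region before Security Hub can evaluate controls, and keep the Config bill down by recording only the resource types Security Hub looks at and recording them daily. The following CloudFormation template is an added example of that (not from the talk, and not the workshop template referenced on slide 10), intended for deployment through a StackSet to all member accounts and regions. The resource-type list is an illustrative subset of what Security Hub controls evaluate; the authoritative list belongs in the Security Hub documentation or the workshop template. The bucket name is a placeholder, and the IsHomeRegion switch is an assumption of this example, used so that global IAM resources are recorded in exactly one region.

```yaml
# Added example (not from the talk): AWS Config recorder scoped and throttled
# for Security Hub, deployed per account/region with a CloudFormation StackSet.
# Assumptions: illustrative resource-type subset, placeholder bucket name,
# IsHomeRegion parameter introduced by this example.
AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Config recorder tuned for AWS Security Hub (example)

Parameters:
  ConfigBucketName:
    Type: String
    Default: PLACEHOLDER-central-config-bucket   # placeholder: existing central log bucket
    Description: Bucket that receives configuration snapshots and history
  IsHomeRegion:
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'false'
    Description: Record global IAM resources in exactly one region to avoid duplicate items

Conditions:
  RecordGlobal: !Equals [!Ref IsHomeRegion, 'true']

Resources:
  ConfigRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: config.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWS_ConfigRole

  Recorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: default
      RoleARN: !GetAtt ConfigRole.Arn
      RecordingGroup:
        # Slide 9: record only the types Security Hub evaluates, not all supported types.
        AllSupported: false
        IncludeGlobalResourceTypes: false
        RecordingStrategy:
          UseOnly: INCLUSION_BY_RESOURCE_TYPES
        ResourceTypes: !If
          - RecordGlobal
          - - AWS::IAM::User            # global types: home region only
            - AWS::IAM::Role
            - AWS::IAM::Policy
            - AWS::S3::Bucket
            - AWS::EC2::SecurityGroup
            - AWS::EC2::Volume
            - AWS::RDS::DBInstance
            - AWS::CloudTrail::Trail
          - - AWS::S3::Bucket
            - AWS::EC2::SecurityGroup
            - AWS::EC2::Volume
            - AWS::RDS::DBInstance
            - AWS::CloudTrail::Trail
      RecordingMode:
        # Slide 9: daily recording when full change history is not required.
        # Trade-off: a finding for a new misconfiguration can lag up to a day.
        RecordingFrequency: DAILY
        RecordingModeOverrides:
          - Description: Keep continuous history for network exposure changes
            RecordingFrequency: CONTINUOUS
            ResourceTypes:
              - AWS::EC2::SecurityGroup

  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      S3BucketName: !Ref ConfigBucketName
      ConfigSnapshotDeliveryProperties:
        DeliveryFrequency: TwentyFour_Hours
```

Deploy the StackSet with automatic deployment enabled on the target OUs so that an account created later gets its recorder before the Security Hub policy reaches it; otherwise the Config-backed controls in that account report no data rather than a pass or fail. Set IsHomeRegion to true for one region only, since Config bills per recorded configuration item and IAM items recorded in every region are duplicates.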
10.
   • AWS Security Hub Workshop
   • AWS CloudFormation for optimizing AWS Config for AWS Security Hub
   • AWS blog - Introducing new central configuration capabilities in AWS Security Hub
   • richardfan1126