Vulnerability Related
Security Hub
- Centralizes security-related findings across accounts and provides a single UI for viewing them
- Security Hub is a regional service: findings are aggregated across regions only if you configure cross-Region aggregation (one aggregation region that receives findings from the linked regions); without it, you get cross-account centralization per region only
- Findings from:
- GuardDuty
- Config
- Inspector
- Macie
- Firewall Manager
- IAM Access Analyzer
- third party
- Security Hub's own checks against the standards it supports (CIS AWS Foundations Benchmark, AWS Foundational Security Best Practices, PCI DSS)
Components

| Component | Description |
| --- | --- |
| Security Standard | - A list of security controls and the definition of how each should be configured<br>- Security Hub compares the current state of the environment with the expected configuration the standard establishes<br>- Change-triggered checks: run when a change to the monitored resource is detected (AWS Config must be recording that resource type)<br>- Scheduled checks: run periodically, no later than 12 h after the previous run<br>- As a result of the comparison, Security Hub produces a compliance verdict for each control (PASSED, FAILED, WARNING, NOT_AVAILABLE) |
| Workflow | - Describes the stages a finding can be in at any point in time<br>- Tracked by two finding attributes:<br>- WorkflowStatus: NEW, NOTIFIED, SUPPRESSED, RESOLVED<br>- RecordState: ACTIVE, ARCHIVED |
| Insights | Saved filters and groupings that present affected resources in groups to facilitate analysis |
Delivery
- Security Hub integrates with EventBridge at two levels
- Findings: every finding Security Hub imports or updates is sent to the default event bus as a "Security Hub Findings - Imported" event, with the ASFF findings in detail.findings
- Custom actions
- Create a custom action with a name and a unique ID; an operator then selects findings (or insight results) in the console and sends them to that action
- Security Hub emits an event to EventBridge containing the selected findings or insight results, with a detail-type that marks it as a custom action ("Security Hub Findings - Custom Action" / "Security Hub Insight Results") and the custom action's ARN, which embeds its unique ID, so a rule can match on either
- A custom action can be applied to up to 20 findings, or up to 100 resource identifiers from an insight, at a time

| Approach | Description |
| --- | --- |
| Manual | Triage findings by hand in the Security Hub console |
| Semi-Automatic | Use predefined custom actions: an operator picks the findings, an EventBridge rule handles the rest |
| Automatic | - All findings Security Hub imports generate EventBridge events (EventBridge was formerly CloudWatch Events)<br>- In the EventBridge console, create a rule with Security Hub as the service name and "Security Hub Findings - Imported" as the event type, then attach a target (Lambda, SNS, Step Functions, ...) |
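The two EventBridge paths above (automatic rule on "Security Hub Findings - Imported", semi-automatic custom action), as an added example that is not Security Hub's or AWS's own code: a rule pattern for each path, a simplified matcher so the patterns can be exercised offline, and a handler that turns a matching event into the BatchUpdateFindings call that moves findings to NOTIFIED. The findings, account ID and custom-action ARN are constructed for the example.

```python
"""Route Security Hub findings arriving through EventBridge and prepare the
BatchUpdateFindings call.  Added example, not Security Hub's or AWS's code.
Event shapes follow "Security Hub Findings - Imported" / "- Custom Action";
findings, account ID and the custom-action ARN are constructed."""
import json

# Rule pattern for the automatic path: only NEW, ACTIVE, HIGH/CRITICAL findings.
IMPORTED_RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": ["HIGH", "CRITICAL"]},
        "Workflow": {"Status": ["NEW"]},
        "RecordState": ["ACTIVE"],
    }},
}

# Semi-automatic path: the operator sent findings to a custom action.  The
# action ARN (ending in the action ID you chose) is in the event's `resources`.
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/escalate"  # constructed
CUSTOM_ACTION_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}


def matches(pattern, event):
    """Simplified EventBridge matching: each pattern key must exist in the event;
    a list of literals matches if the event value (or an element of an event
    list) is in it; a dict recurses, and against a list of objects it must match
    at least one element.  Real EventBridge flattens the event into path/value
    pairs first, so two conditions can be met by *different* findings of one
    event; that is why the handler re-checks every finding individually."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
                return False
        else:
            values = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in values):
                return False
    return True


def finding_qualifies(finding):
    """Per-finding check mirroring IMPORTED_RULE_PATTERN (see note in matches)."""
    return (finding.get("Severity", {}).get("Label") in ("HIGH", "CRITICAL")
            and finding.get("Workflow", {}).get("Status") == "NEW"
            and finding.get("RecordState") == "ACTIVE")


def build_batch_update(event):
    """Return kwargs for securityhub.batch_update_findings() that mark every
    qualifying finding NOTIFIED, or None if the event should be ignored."""
    if not matches(IMPORTED_RULE_PATTERN, event):
        return None
    ids = [{"Id": f["Id"], "ProductArn": f["ProductArn"]}
           for f in event["detail"]["findings"] if finding_qualifies(f)]
    if not ids:
        return None
    return {
        "FindingIdentifiers": ids[:100],  # BatchUpdateFindings takes at most 100 per call
        "Workflow": {"Status": "NOTIFIED"},
        "Note": {"Text": "Escalated to on-call by EventBridge rule",
                 "UpdatedBy": "eventbridge-escalation"},
    }


def _finding(fid, label, status, record="ACTIVE"):
    """Minimal constructed ASFF finding with only the fields the rule uses."""
    return {"SchemaVersion": "2018-10-08", "Id": fid, "AwsAccountId": "111122223333",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "Title": "constructed finding", "Severity": {"Label": label},
            "Workflow": {"Status": status}, "RecordState": record}


# Constructed "Findings - Imported" event, one finding per interesting case.
SAMPLE_IMPORTED_EVENT = {
    "version": "0", "source": "aws.securityhub", "account": "111122223333",
    "region": "us-east-1", "detail-type": "Security Hub Findings - Imported",
    "resources": ["arn:aws:securityhub:us-east-1::product/aws/securityhub"],
    "detail": {"findings": [
        _finding("f-high-new", "HIGH", "NEW"),
        _finding("f-low-new", "LOW", "NEW"),
        _finding("f-crit-resolved", "CRITICAL", "RESOLVED"),
        _finding("f-high-archived", "HIGH", "NEW", record="ARCHIVED"),
    ]},
}

# Constructed custom-action event: the operator sent one finding to "escalate".
SAMPLE_CUSTOM_ACTION_EVENT = {
    "version": "0", "source": "aws.securityhub", "account": "111122223333",
    "region": "us-east-1", "detail-type": "Security Hub Findings - Custom Action",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {"actionName": "escalate", "actionDescription": "Escalate to on-call",
               "findings": [_finding("f-low-new", "LOW", "NEW")]},
}

if __name__ == "__main__":
    print(json.dumps(build_batch_update(SAMPLE_IMPORTED_EVENT), indent=2))
    print("custom action matched:", matches(CUSTOM_ACTION_PATTERN, SAMPLE_CUSTOM_ACTION_EVENT))
```

In a Lambda target, `build_batch_update` runs on the incoming event and its return value is passed straight to `batch_update_findings`; the per-finding re-check matters because a single imported event can carry many findings, only some of which meet the rule.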
Inspector
- Evaluates the security posture of EC2 instances, ECR container images, and Lambda functions (Inspector v2 does this as continuous scanning; the assessment-based components described below are those of Inspector Classic)
- Automatically assesses applications for vulnerabilities and deviations from best practices
- Uses automated reasoning over the network configuration (security groups, NACLs, route tables, internet/VPN gateways) to find paths that make an instance reachable from outside the VPC, and reports that exposure

| Gathering Level | Assessment Type | Description |
| --- | --- | --- |
| Network | Network Assessment | Network reachability: enumerates which ports are reachable from outside the VPC (and, if the agent is installed, which process is listening on each port) |
| OS & apps | Host Assessment | - Monitors the file system, processes and network activity on the instance<br>- Via the Amazon Inspector Agent installed on the instance (Inspector itself needs a service-linked role to enumerate EC2 instances and their network configuration) |
Components

| Component | Description |
| --- | --- |
| Rule | - Predefined security check evaluated against an EC2 instance<br>- Severity levels: High, Medium, Low, Informational |
| Rule Package | - Collection of rules<br>- Examples:<br>- Common Vulnerabilities and Exposures (CVEs)<br>- CIS Benchmarks (OS security configuration)<br>- Security Best Practices (OS configuration, including remote access)<br>- Runtime Behavior Analysis (protocols, ports, software configuration)<br>- Network Reachability (no agent required) |
| Assessment Target | Set of EC2 instances to assess, selected by tag (or all instances in the account) |
| Assessment Template | - Defines which rule packages run against which assessment target, for how long, and which SNS topics to notify<br>- Can be run multiple times |
| Assessment Run | Holds the results (findings) of one execution of an assessment template |
| Finding | - Stored as JSON<br>- Each contains: severity, date of discovery, description, and a recommendation |
Delivery of Findings

| Delivery Type | Description |
| --- | --- |
| PDF/HTML Report | - Can be generated for each assessment run (GetAssessmentReport)<br>- Inspector collects the instances' telemetry data in JSON-formatted files and stores them in an Inspector-owned S3 bucket<br>- You cannot access these files; they are deleted automatically after a 30-day retention period |
| Stream | - Define one or more SNS topics in the assessment template<br>- The topic receives a notification when a finding is reported and when an assessment run starts, finishes, or changes state |
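The streaming delivery path above, as an added example that is not Inspector's own code: a Lambda-style consumer for the SNS topic named in the assessment template that tracks run lifecycle events and escalates reported findings by severity. The four event names are the ones Inspector Classic publishes (the same values its SubscribeToEvent API accepts); the message body layout (`template`/`run`/`finding`/`event` keys), the ARNs and the sample findings are constructed, and `lookup_finding` stands in for `inspector.describe_findings()` so the code runs offline.

```python
"""Consume Amazon Inspector (Classic) SNS notifications.  Added example, not
Inspector's own code.  Event names are Inspector's; message body layout, ARNs
and findings are constructed; lookup_finding replaces describe_findings()."""
import json
from collections import Counter

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
ESCALATE_AT = "Medium"  # threshold chosen for this example

RUN_ARN = "arn:aws:inspector:us-east-1:111122223333:target/0-aaaa/template/0-bbbb/run/0-cccc"  # constructed

# Constructed findings keyed by ARN, using the field names Inspector's
# DescribeFindings returns (severity, createdAt, description, recommendation).
FINDINGS_DB = {
    RUN_ARN + "/finding/0-high": {
        "severity": "High", "createdAt": "2024-01-01T10:00:00Z",
        "title": "Remote root login is enabled over SSH",
        "description": "PermitRootLogin is not set to no in sshd_config.",
        "recommendation": "Set PermitRootLogin to no and restart sshd.",
        "assetAttributes": {"agentId": "i-0constructed01"},
    },
    RUN_ARN + "/finding/0-info": {
        "severity": "Informational", "createdAt": "2024-01-01T10:01:00Z",
        "title": "Agent collected runtime telemetry",
        "description": "Informational only.", "recommendation": "None.",
        "assetAttributes": {"agentId": "i-0constructed01"},
    },
}


def lookup_finding(arn):
    """Stand-in for inspector.describe_findings(findingArns=[arn])['findings'][0]."""
    return FINDINGS_DB[arn]


def new_state():
    return {"events": Counter(), "runs_in_progress": set(),
            "reports_to_generate": [], "escalate": []}


def handle_message(message, state, lookup=lookup_finding):
    """Apply one SNS message (JSON string) to the tracking state."""
    msg = json.loads(message)
    kind = msg["event"]
    state["events"][kind] += 1
    if kind == "ASSESSMENT_RUN_STARTED":
        state["runs_in_progress"].add(msg["run"])
    elif kind == "ASSESSMENT_RUN_STATE_CHANGED":
        pass  # intermediate states such as data collection; nothing to do here
    elif kind == "ASSESSMENT_RUN_COMPLETED":
        state["runs_in_progress"].discard(msg["run"])
        # This is where to call inspector.get_assessment_report(
        #     assessmentRunArn=msg["run"], reportFileFormat="PDF", reportType="FULL")
        state["reports_to_generate"].append(msg["run"])
    elif kind == "FINDING_REPORTED":
        f = lookup(msg["finding"])
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[ESCALATE_AT]:
            state["escalate"].append({"arn": msg["finding"], "severity": f["severity"],
                                      "instance": f["assetAttributes"]["agentId"],
                                      "title": f["title"],
                                      "recommendation": f["recommendation"]})
    return state


def process_lambda_event(event, lookup=lookup_finding):
    """Entry point for a Lambda subscribed to the topic: unwraps Records[].Sns.Message."""
    state = new_state()
    for record in event["Records"]:
        handle_message(record["Sns"]["Message"], state, lookup)
    return state


def _sns_record(body):
    return {"Sns": {"Message": json.dumps(body)}}


# Constructed Lambda event: one full run lifecycle with two reported findings.
SAMPLE_LAMBDA_EVENT = {"Records": [
    _sns_record({"event": "ASSESSMENT_RUN_STARTED", "run": RUN_ARN}),
    _sns_record({"event": "FINDING_REPORTED", "run": RUN_ARN,
                 "finding": RUN_ARN + "/finding/0-high"}),
    _sns_record({"event": "FINDING_REPORTED", "run": RUN_ARN,
                 "finding": RUN_ARN + "/finding/0-info"}),
    _sns_record({"event": "ASSESSMENT_RUN_COMPLETED", "run": RUN_ARN}),
]}

if __name__ == "__main__":
    print(json.dumps(process_lambda_event(SAMPLE_LAMBDA_EVENT), indent=2, default=list))
```

Because the notification only carries the finding ARN, the consumer has to fetch the finding body before it can decide anything; keeping that fetch behind `lookup` is what makes the escalation logic testable without an Inspector endpoint.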
Detective
- Continuously extracts temporal events (login attempts, API calls, network traffic) from GuardDuty findings, CloudTrail, and VPC Flow Logs into a graph model that summarizes the behaviors and interactions of resources observed across your entire AWS environment
- Automatically correlates user activity, so you don't have to enable, store, or retain these log sources manually
Trusted Advisor
- Makes recommendations on cost reduction, reliability, performance, and security
- Monitors how close you are to reaching service limits (quotas)
- Needs a Business, Enterprise On-Ramp, or Enterprise Support plan for the full set of checks; the core security and service-limit checks are available on every plan
- Operations
- Checks resources across all regions
- Enabled or disabled at the account level
- Exclusions
- Specific resources can be excluded from a check's results
- A check itself can't be suppressed or disabled
Checks

| Categories | Core Checks (all support plans) | Security Checks |
| --- | --- | --- |
| - Cost Optimization<br>- Security<br>- Fault Tolerance<br>- Performance<br>- Service Limits<br>- Operational Excellence | - S3 Bucket Permissions<br>- Security Groups - Specific Ports Unrestricted<br>- IAM Use<br>- MFA on Root Account<br>- EBS Public Snapshots<br>- RDS Public Snapshots<br>- Service Limits | - Security group open access to specific high-risk ports<br>- Security group unrestricted access<br>- Open write and list access to S3 buckets<br>- MFA on root account<br>- Overly permissive RDS security group<br>- Use of CloudTrail<br>- Route 53 MX records have SPF records<br>- ELB with poor or missing HTTPS configuration<br>- ELB security groups missing or overly permissive<br>- CloudFront certificate checks (expired, weak, misconfigured)<br>- IAM access keys not rotated in the last 90 days<br>- Exposed access keys (e.g. on GitHub)<br>- Public EBS or RDS snapshots<br>- Missing or weak IAM password policy |