Overview
If you’re building an AWS Organization, or getting ready to deploy a new organization using AWS Control Tower, be advised that there are very helpful AWS services that can be integrated into your organization. In this “Be sure to integrate…” series, we’ll look at 3 baseline services that should be enabled and integrated into your AWS Organization: AWS Security Hub, AWS GuardDuty, and AWS IAM Access Analyzer.
We’ll start the series with AWS Security Hub.
AWS Security Hub
Simply put, Security Hub is an AWS service that consolidates, organizes and prioritizes security alerts. Security Hub:
- can integrate with other AWS services such as GuardDuty, Inspector and Macie
- can integrate with third-party products from AWS Partners like F5, Palo Alto, Trend Micro, Splunk, and Sumologic to name a few from an ever-growing list.
- can be used to check your environment against security industry standards by enabling the CIS AWS Foundations Benchmark checks and standard best practices by enabling the AWS Foundational Security Best Practices checks
- can be integrated with AWS Organizations to simplify security management across all existing AND future AWS accounts.
Security Hub can be likened to a “single pane of glass” from which a comprehensive view of the security and compliance posture of an entire organization can be seen. Enabling (and disabling) AWS Security Hub can be easily done through the AWS Management Console or the AWS CLI/API.
An important point to keep in mind is Security Hub is a regional resource, thus Security Hub will need to be enabled in each region in which you have AWS infrastructure/systems deployed.
Integrating Security Hub with AWS Organizations
With the ability to integrate with AWS Organizations, you can automatically enable Security Hub and its security checks in any existing and newly created accounts in the organization. By means of a Delegated Administrator account, you can also centrally view the security findings across an entire organization (up to 5,000 AWS accounts).
1. To get started, identify the AWS Account that will serve as the Delegated Administrator and note its account ID. In this example case, the account ID will be 234598760742, which I just made up. If that’s your account number, I apologize.
2. Log in to the Master Account and launch the Security Hub dashboard. Assuming Security Hub has never been enabled on this account, click Go to Security Hub.
3. Scroll down to Delegated Administrator section, enter the appropriate Delegated administrator account ID, and click Delegate.
4. Now that we’ve specified the delegated administrator, log in to that AWS Account and launch the Security Hub service dashboard.
5. When you launch Security Hub, you will likely see a blue information message box prompting you to enable Security Hub for your organization. Click Settings.
6. On the Settings page, you’ll see 2 prompts. The first is a reminder to enable AWS Config prior to auto-enabling Security Hub. Since this AWS Organization was set up using Control Tower, AWS Config is already enabled. If you wish to verify this, use the AWS CLI command aws configservice describe-configuration-recorder-status.
If you need to enable AWS Config, click Download to retrieve the CloudFormation template and then deploy it as a StackSet from your Management account OR an AWS account that has been configured as a CloudFormation delegated administrator. If AWS Config is enabled in your organization, click the X to the right of the Download button to remove the reminder.
To auto-enable Security Hub for new accounts (in the specific region you are connected to), click Enable. Notice that Auto-enable is currently OFF.
7. When prompted to enable Security Hub for all member accounts in the current region and to set auto-enable for future AWS Organization accounts, click Enable.
8. As shown below, Security Hub is now enabled for the Organizations member accounts and Auto-enable is also ON.
9. It may take a few minutes, but if you log in to a member account and launch the Security Hub dashboard, you should see a message indicating that the account is being managed by the delegated administrator account.
10. The delegated administrator account will begin using data from the member accounts to build the overall security posture view as shown below. It seems that even though Control Tower was used to deploy the Organization, there is work yet to do. If you want a quick win to increase the overall security score, start by creating a hardened IAM Password Policy and enable the log metric filters to address the 3.1-3.14 checks of the CIS AWS Foundations Benchmark.
11. Repeat steps #1-11 to integrate Security Hub in any other regions hosting AWS resources.
Want to use the CLI?
Would you rather use the AWS CLI? If yes, I certainly can’t blame you, but when creating posts my default position is to show steps using the Admin console, assuming that not everyone is comfortable in the CLI. In the case of enabling Security Hub for an organization, you may find the CLI easier and faster. Before detailing the commands, let me list the following assumptions:
- The Security Account ID is 234598760742
- The Prod Account ID is 012376543456
- The .aws\credentials file includes 2 profiles/credentials:
  - Management = for the master/payer (Management) Account
  - Security = for the Security Account
- Enabling Security Hub in us-east-1
To specify the delegated administrator account:
aws securityhub enable-organization-admin-account --admin-account-id 234598760742 --region us-east-1 --profile Management
To enable Security Hub and set auto-enable to ON:
aws securityhub update-organization-configuration --auto-enable --region us-east-1 --profile Security
To enable Security Hub for the Prod account:
aws securityhub create-members --account-details AccountId=012376543456 --region us-east-1 --profile Security
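Because Security Hub is regional, the three commands above have to be repeated per region, and a zero exit code alone does not prove the delegation or auto-enable actually took effect. The script below is an added example, not part of the original post or of AWS documentation: it runs the same three steps for every region in REGIONS, checks the AWS Config recorder first (the reminder from step 6), and confirms each step from the JSON returned by list-organization-admin-accounts and describe-organization-configuration. The helper names (valid_account_id, config_recording, admin_enabled, auto_enable_on), the REGIONS and AWS variables, and the --apply flag are my assumptions; the account IDs and profile names are the ones assumed in this post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable the Security Hub /
# Organizations integration in several regions and verify each step.
set -eu

ADMIN_ACCOUNT_ID="${ADMIN_ACCOUNT_ID:-234598760742}"    # delegated admin (Security account from the post)
MEMBER_ACCOUNT_ID="${MEMBER_ACCOUNT_ID:-012376543456}"  # existing member (Prod account from the post)
MGMT_PROFILE="${MGMT_PROFILE:-Management}"
SEC_PROFILE="${SEC_PROFILE:-Security}"
REGIONS="${REGIONS:-us-east-1}"                         # space-separated list; assumption
AWS="${AWS:-aws}"                                       # path to the AWS CLI binary

# --- pure helpers: they inspect CLI JSON text, so they can be tested offline ---

# True when the argument is a 12-digit AWS account ID.
valid_account_id() { printf '%s' "$1" | grep -Eq '^[0-9]{12}$'; }

# True when describe-configuration-recorder-status output shows a recorder that is recording.
config_recording() { printf '%s' "$1" | grep -Eq '"recording": *true'; }

# True when list-organization-admin-accounts output lists account $1 with Status ENABLED.
admin_enabled() {
  printf '%s' "$2" | tr -d ' \n' | grep -q "\"AccountId\":\"$1\",\"Status\":\"ENABLED\""
}

# True when describe-organization-configuration output reports AutoEnable true.
auto_enable_on() { printf '%s' "$1" | grep -Eq '"AutoEnable": *true'; }

# --- the per-region workflow ---
enable_region() {
  region="$1"
  echo "== $region"

  # Step 0: Security Hub checks depend on AWS Config; stop if the recorder is not recording.
  cfg="$($AWS configservice describe-configuration-recorder-status --region "$region" --profile "$SEC_PROFILE")"
  config_recording "$cfg" || { echo "AWS Config recorder is not recording in $region; enable it first" >&2; return 1; }

  # Step 1 (management account): delegate Security Hub administration.
  $AWS securityhub enable-organization-admin-account --admin-account-id "$ADMIN_ACCOUNT_ID" \
    --region "$region" --profile "$MGMT_PROFILE"
  admins="$($AWS securityhub list-organization-admin-accounts --region "$region" --profile "$MGMT_PROFILE")"
  admin_enabled "$ADMIN_ACCOUNT_ID" "$admins" || { echo "delegation not ENABLED yet in $region" >&2; return 1; }

  # Step 2 (delegated admin): auto-enable Security Hub for accounts created in future.
  $AWS securityhub update-organization-configuration --auto-enable --region "$region" --profile "$SEC_PROFILE"
  orgcfg="$($AWS securityhub describe-organization-configuration --region "$region" --profile "$SEC_PROFILE")"
  auto_enable_on "$orgcfg" || { echo "AutoEnable is still off in $region" >&2; return 1; }

  # Step 3 (delegated admin): auto-enable does not cover accounts that already exist,
  # so add each existing member explicitly.
  $AWS securityhub create-members --account-details "AccountId=$MEMBER_ACCOUNT_ID" \
    --region "$region" --profile "$SEC_PROFILE"
}

main() {
  valid_account_id "$ADMIN_ACCOUNT_ID" || { echo "ADMIN_ACCOUNT_ID is not a 12-digit account ID" >&2; exit 1; }
  valid_account_id "$MEMBER_ACCOUNT_ID" || { echo "MEMBER_ACCOUNT_ID is not a 12-digit account ID" >&2; exit 1; }
  for r in $REGIONS; do enable_region "$r"; done
}

# Nothing is changed unless the script is run with --apply; without it the helpers
# are only defined, which keeps a sourced or test run from touching any account.
[ "${1:-}" = "--apply" ] && main
```

Run it as `REGIONS="us-east-1 us-west-2" ./enable-securityhub.sh --apply`. The Step 3 call is intentionally separate from Step 2: in the console, step 7 of the walkthrough enables existing members and future ones together, but on the CLI update-organization-configuration only sets the future behaviour, so existing accounts still need create-members.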
Final Thoughts
Security Hub is an AWS service that consolidates, organizes and prioritizes security alerts. With its ability to integrate with other native AWS services, third-party security products, and now AWS Organizations, Security Hub provides you with a single pane of glass from which to view the security and compliance posture of your entire organization. Though this integration is easy to set up, it is an important component of a solid security foundation for your AWS Organization.