AWS CSPM Platform – Visibility

This entry is part of the 3-part series Cloud Posture Management using Open-source tools and AWS Native Services.

In this post I’ll cover how we get a comprehensive view of our security posture across all our AWS accounts.

In the previous part of this series we looked at how to measure the security configuration of our AWS Cloud environment against a vendor-neutral best-practice guideline, the CIS AWS Foundations Benchmark. The Benchmark outlines a list of controls, each mapped to the CIS Implementation Groups. We now have a list of controls that can be tested automatically, with a pass/fail result for each, but how do we gain visibility into those results across all our accounts?

AWS Security Hub

AWS Security Hub is the first native service we will look at when building our CSPM platform. It provides a comprehensive view of our security posture in AWS by collecting security findings from across our AWS accounts, AWS services and supported third-party partner products. Having all of that data in one place lets us analyse security trends and identify the highest-priority security issues.

AWS Security Hub and associated services

AWS Security Hub is a Regional service that receives findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Config and AWS Partner Network (APN) products. It aggregates all of your security findings in a single place, normalised into a consistent format (the AWS Security Finding Format, ASFF).

Regional Aggregation

Although AWS Security Hub is a Regional service, you can designate an aggregation Region and link some or all of your other Regions to it. Findings from the linked Regions are replicated to the aggregation Region, giving you a single, centralised view of all findings across every linked Region.

AWS Security Hub Regional aggregation

Region aggregation currently supports three Region linking modes:

  • All Regions – Security Hub aggregates findings from all Regions. When you opt in to a new AWS Region it is linked to the aggregation Region automatically.
  • All Regions except specified – Security Hub aggregates findings from all Regions except those you explicitly exclude. New Regions you opt in to are still linked automatically.
  • Specified Regions – Security Hub aggregates findings only from the Regions you list. New Regions are not linked automatically; you have to add them to the list yourself.

The ‘All Regions’ mode gives us a set-and-forget deployment: any Region we opt in to later is linked automatically, so no findings are silently left out of the aggregated view. Note that an account can have only one finding aggregator, and it has to be created in the Region you want to act as the aggregation Region.
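To make the aggregation set-up concrete, here is an added Terraform example (not code from the original post) that creates the finding aggregator in a single account. It assumes eu-west-1 as the aggregation Region, Terraform 1.2 or later and the hashicorp/aws provider; the variable names are my own. The linking mode is a variable so the three modes can be compared, and a precondition catches the case the API rejects, namely one of the two ‘specified’ modes with an empty Region list. In a multi-account set-up the same resource is created in the Security Hub administrator account instead.

```hcl
# Added example: cross-Region aggregation for Security Hub, single account.
# Assumptions (not from the original post): eu-west-1 is the aggregation
# Region, and Security Hub is not yet enabled in this account.

terraform {
  required_version = ">= 1.2"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# The aggregator is created in whichever Region the provider points at,
# so pinning the provider Region chooses the aggregation Region.
provider "aws" {
  region = "eu-west-1"
}

variable "linking_mode" {
  description = "ALL_REGIONS (set and forget), ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS."
  type        = string
  default     = "ALL_REGIONS"

  validation {
    condition = contains(
      ["ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED", "SPECIFIED_REGIONS"],
      var.linking_mode
    )
    error_message = "linking_mode must be ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS."
  }
}

variable "specified_regions" {
  description = "Regions to exclude (ALL_REGIONS_EXCEPT_SPECIFIED) or include (SPECIFIED_REGIONS). Ignored for ALL_REGIONS."
  type        = list(string)
  default     = []
}

# Security Hub has to be enabled in the aggregation Region before an
# aggregator can be created there.
resource "aws_securityhub_account" "aggregation_region" {}

# Only one finding aggregator is allowed per account.
resource "aws_securityhub_finding_aggregator" "this" {
  linking_mode = var.linking_mode

  # The API rejects a Region list for ALL_REGIONS and requires one for the
  # other two modes, so only pass the list when it is meaningful.
  specified_regions = var.linking_mode == "ALL_REGIONS" ? null : var.specified_regions

  lifecycle {
    precondition {
      condition     = var.linking_mode == "ALL_REGIONS" || length(var.specified_regions) > 0
      error_message = "specified_regions must list at least one Region unless linking_mode is ALL_REGIONS."
    }
  }

  depends_on = [aws_securityhub_account.aggregation_region]
}

output "aggregation_region" {
  description = "The Region that linked Regions replicate their findings to."
  value       = "eu-west-1"
}
```

With the defaults this links every Region, present and future. Applying it with `-var linking_mode=SPECIFIED_REGIONS` and no `specified_regions` fails at plan time with the precondition message rather than with an API error after the account has already been enabled, which is the failure mode you want to catch early when rolling this out across many accounts.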

Multi-account Aggregation

Aggregating every Region into one aggregation Region gives us an overall view of the findings within a single account, but following the AWS multi-account best practice we will have many accounts, and we need the same view across all of them.

Security Hub supports an administrator account that ‘rolls up’ findings from, and manages the configuration of, all of its member accounts. An administrator account can manage up to 5,000 member accounts. Member accounts can be associated with the administrator in one of two operating models:

  1. Member invitation – each member account accepts an invitation from the administrator account.
  2. AWS Organizations – the Security Hub delegated administrator account chooses which accounts in the organization to enable as member accounts.

To use the AWS Organizations option, your organization must have All Features enabled. If your organization was created with only the Consolidated Billing feature set, you will need to enable All Features first.

Once All Features is enabled, the management account can delegate Security Hub administration to one of your member accounts. Following the AWS landing zone best practice, AWS recommends using a dedicated account as the delegated administrator for all of the security services, such as GuardDuty, rather than the management account. In this example I have configured my Audit account as the delegated administrator account.

After configuring the delegated administrator I can enable Security Hub in all of my existing member accounts and set Security Hub to auto-enable for new accounts, so that every future member account in my organization has Security Hub enabled by default. This again is a ‘set and forget’ deployment. Note that auto-enable is a Regional setting, so it has to be turned on in each Region you want covered, not only in the aggregation Region.
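The delegation and auto-enable steps above as an added Terraform example (not code from the original post). It assumes the configuration is applied from the management account, that the Audit account has the ID 222222222222 and can be reached by assuming OrganizationAccountAccessRole, and that eu-west-1 is the Region being configured; all of those values are placeholders of my own. It follows the three steps in order: enable All Features and trusted access, delegate administration, then configure auto-enable and add the existing accounts.

```hcl
# Added example: Security Hub delegated administration via AWS Organizations.
# Assumptions (not from the original post): management account = default
# provider, Audit account ID 222222222222 reachable via an assumed role,
# eu-west-1 as the Region being configured.

terraform {
  required_version = ">= 1.2"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

locals {
  home_region      = "eu-west-1"    # assumed: the Region this is applied in
  audit_account_id = "222222222222" # assumed: the Audit (delegated admin) account
}

# Default provider: the management account. Only it can delegate an administrator.
provider "aws" {
  region = local.home_region
}

# The Audit account, reached by assuming a role from the management account.
provider "aws" {
  alias  = "audit"
  region = local.home_region
  assume_role {
    role_arn = "arn:aws:iam::${local.audit_account_id}:role/OrganizationAccountAccessRole" # assumed role name
  }
}

# Step 1: delegated administration needs All Features; a consolidated-billing-only
# organization must be upgraded first. If the organization already exists,
# import it before applying: terraform import aws_organizations_organization.this <org id>
resource "aws_organizations_organization" "this" {
  feature_set                   = "ALL"
  aws_service_access_principals = ["securityhub.amazonaws.com"]
}

# Security Hub must be enabled in the management account before it can delegate.
resource "aws_securityhub_account" "management" {}

# Step 2 (management account): delegate Security Hub administration to Audit.
# This also enables Security Hub in the Audit account for this Region.
resource "aws_securityhub_organization_admin_account" "audit" {
  admin_account_id = local.audit_account_id
  depends_on       = [aws_organizations_organization.this, aws_securityhub_account.management]
}

# Step 3 (Audit account): auto-enable Security Hub, with the default standards,
# for every account that joins the organization later. This setting is
# Regional: apply it in each Region you want covered.
resource "aws_securityhub_organization_configuration" "audit" {
  provider              = aws.audit
  auto_enable           = true
  auto_enable_standards = "DEFAULT"
  depends_on            = [aws_securityhub_organization_admin_account.audit]
}

# Step 4 (Audit account): auto-enable only covers accounts that join in future,
# so existing accounts are added explicitly. non_master_accounts already omits
# the management account; the Audit account is skipped because an
# administrator cannot be its own member.
resource "aws_securityhub_member" "existing" {
  provider = aws.audit
  for_each = {
    for account in aws_organizations_organization.this.non_master_accounts :
    account.id => account if account.id != local.audit_account_id
  }

  account_id = each.value.id
  email      = each.value.email
  invite     = false # no invitation is needed in the Organizations model

  depends_on = [aws_securityhub_organization_configuration.audit]
}
```

The two-provider layout matters: steps 1 and 2 can only run as the management account, while steps 3 and 4 only work as the delegated administrator, so a single set of credentials cannot apply the whole thing. Keeping the Audit account as a separate provider alias makes that boundary explicit and means the management account never needs Security Hub permissions beyond delegating.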


Rich Carpenter

Richard is an information security expert focused on the implementation and architecture of digital transformation and public cloud adoption at forward-thinking organisations.