Evaluate Cloud Security Posture - AWS Security Hub

Cloud Security Posture Manager

While you could read the CIS AWS Foundations and other recommendations and manually verify if you’re aligned to best practices, that would be an enormous effort. Automated Security Posture evaluations are strongly recommended and there are multiple Cloud Security Posture Managers that can provide that.

AWS Security Hub provides that capability as well, with the feature called Security Standards.

Since this is a detective control (aligned to the NIST Identify phase), it is crucial that you act on critical/high severity findings. Assign someone on the security team to analyze the most critical non-compliances and remediate them.

The QuickWin around AWS Security Hub is its security standards: enabling the service with the security standards will identify your gaps against best practices and provide you with remediation instructions. It only costs $0.001 per check, it can be enabled in a few clicks, and it has a 30-day free trial that shows the usage that would be billed if no trial existed, so you can estimate the cost of the next month.
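One way to operationalize the triage described above, as an added example that is not part of the original page: the filter document is in the shape that Security Hub's GetFindings API accepts, and the same predicate is applied client-side to constructed sample findings in ASFF shape. The control titles, resource ids and account numbers are made up.

```python
"""Triage AWS Security Hub findings (ASFF) down to the set a team must act on."""
from collections import defaultdict
ACTIONABLE_SEVERITIES = ("CRITICAL", "HIGH")


def build_filters():
    """Server-side filter for securityhub.get_findings(Filters=...): failed critical/high checks, still active, not yet worked."""
    eq = lambda value: {"Value": value, "Comparison": "EQUALS"}
    return {
        "SeverityLabel": [eq(s) for s in ACTIONABLE_SEVERITIES],
        "ComplianceStatus": [eq("FAILED")],
        "RecordState": [eq("ACTIVE")],
        "WorkflowStatus": [eq("NEW")],
    }


def is_actionable(finding):
    """The same predicate applied client-side to one ASFF finding dict."""
    return (
        finding.get("Severity", {}).get("Label") in ACTIONABLE_SEVERITIES
        and finding.get("Compliance", {}).get("Status") == "FAILED"
        and finding.get("RecordState") == "ACTIVE"
        and finding.get("Workflow", {}).get("Status", "NEW") == "NEW"
    )


def triage(findings):
    """Group actionable findings by control title -> sorted affected resource ids."""
    by_control = defaultdict(set)
    for finding in findings:
        if is_actionable(finding):
            for resource in finding.get("Resources", []):
                by_control[finding["Title"]].add(resource["Id"])
    return {title: sorted(ids) for title, ids in by_control.items()}


def _f(title, label, status, record="ACTIVE", workflow="NEW", resource="arn:aws:s3:::example-bucket"):
    """Build a minimal constructed ASFF finding (sample data, not from a real account)."""
    return {"Title": title, "Severity": {"Label": label}, "Compliance": {"Status": status},
            "RecordState": record, "Workflow": {"Status": workflow}, "Resources": [{"Id": resource}]}


SAMPLE_FINDINGS = [  # constructed: two actionable controls, four findings that must be excluded
    _f("S3 buckets should block public access", "CRITICAL", "FAILED", resource="arn:aws:s3:::example-bucket-a"),
    _f("S3 buckets should block public access", "HIGH", "FAILED", resource="arn:aws:s3:::example-bucket-b"),
    _f("IAM root user access key should not exist", "CRITICAL", "FAILED", resource="AWS::::Account:111111111111"),
    _f("S3 buckets should block public access", "HIGH", "PASSED", resource="arn:aws:s3:::example-bucket-c"),
    _f("Security groups should not allow unrestricted SSH", "MEDIUM", "FAILED", resource="arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123"),
    _f("S3 buckets should block public access", "CRITICAL", "FAILED", record="ARCHIVED", resource="arn:aws:s3:::example-bucket-deleted"),
    _f("IAM root user access key should not exist", "HIGH", "FAILED", workflow="SUPPRESSED", resource="AWS::::Account:222222222222"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS))
```

Passing `build_filters()` as the `Filters` argument of a boto3 `securityhub` client's `get_findings` call returns the same subset from a live account that `triage` selects from the sample.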

Additional alternatives for performing configuration assessments on AWS

If you want to perform individual (point-in-time) checks instead of continuous compliance with a managed service such as AWS Security Hub, you can use the Self-Service Security Assessment Tool, which integrates controls from open source tools such as Prowler and Scout Suite.

You can also use Cloud Custodian, an open source tool with multi-vendor support, to send findings natively to AWS Security Hub.

There are third-party tools for continuous compliance checks such as Prowler Pro, Palo Alto Prisma, Trend Micro Cloud Compliance, Check Point Dome9, and CloudCheckr that can accomplish a similar end result; they are frequently used in multi-cloud environments.

AWS Trusted Advisor

You can complement the security posture view with the free service AWS Trusted Advisor, to identify misconfigurations and critical security alerts on your account.

Customers with Business or Enterprise Support have access to the full set of checks from AWS Trusted Advisor.

AWS Security Hub Mindmap

https://www.xmind.net/m/9MwPms

Workshops

Risk Mitigation

  • Misconfigurations are the source of multiple threats. AWS Security Hub can quickly identify which resources are not aligned to best practices and offer instructions for remediation.

Guidance for assessments

  • Is AWS Security Hub enabled in all accounts with central configuration, or is it enabled inconsistently (such as “only in production”, or only in the accounts that have AWS Config turned on)?
  • Is there a team or person working on the remediation of AWS Security Hub’s findings?
  • Is the security score being reported as part of the KPIs? Is the trend improving over time?

If not using a CSPM:

  • Is there a team or person regularly looking at Trusted Advisor’s findings?
  • What is your level of support? (Findings in Trusted Advisor differ based on support level.)

Pricing

https://aws.amazon.com/security-hub/pricing
The service has a 30-day trial period (free trial).
The service has a site to verify current usage and estimate future usage.