Security Hub with Delegated Administration

When operating a multi-account environment, customers are looking to aggregate, organize, and prioritize security findings across all of those accounts. Setting up AWS Security Hub with a delegated administrator allows your security teams to achieve this and continuously ingest security alerts from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Systems Manager, and AWS Firewall Manager, as well as from AWS Partner Network (APN) solutions.

Having these centralized and aggregated alerts allows customers to take action on them directly in a service such as Amazon Detective, or to use Amazon EventBridge (formerly Amazon CloudWatch Events) rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools, or to custom remediation playbooks.

Lab Overview

In this lab you will learn how to set up delegated administration for AWS Security Hub, so that your security teams can view and manage Security Hub from a designated security account instead of from the Management Account. This lab assumes you will use your AWS Control Tower Audit Account. Depending on your needs you may wish to create a different account, for example ‘Security Tooling’ in your Infrastructure Organizational Unit (OU), to administer Security Hub. This lab requires AdministratorAccess to both that account and your AWS Control Tower Management Account. You will also enable Security Hub throughout your organization, for both existing and newly created AWS accounts.

Pre-requisites

You will need administrator-level access to both the AWS Control Tower Management Account and the account you have designated for security tooling to perform this lab. This lab assumes you are using your AWS Control Tower Audit Account, but if you have a separate security account you can substitute it in its place.

This lab assumes you are going to administer and deploy AWS Security Hub in two regions, referred to as the Home Region and the Secondary Region, and uses N. Virginia (us-east-1) and Oregon (us-west-2). If you wish to deploy in different or additional regions, substitute your regions for the ones in the lab where applicable. You can verify service availability in a desired region via the AWS Regional Services List.

Note: Security Hub comes with a 30 day trial, so you can attempt this lab without incurring AWS charges. If you wish to disable Security Hub, please follow the clean up steps at the end of the lab to prevent any additional charges.

Walkthrough

1. Retrieve the Audit Account ID

  • Login to your AWS Control Tower Management Account with AdministratorAccess.


  • Go to the Control Tower Dashboard.

  • In the left side-bar, click on Accounts.

  • In the account list, find your Audit Account and click on it to get its details.

  • In the account details, note the Audit Account’s Account ID. You will use it later.

2. Delegate a Security Hub Administrator

Now you will set up your Security Hub delegated administrator. This moves the administration of Security Hub out of the Management Account and into the Audit Account, so your security teams can access and manage it without needing access to the Management Account.

Note: Security Hub is a regional service. You will need to complete the following steps in each region where you wish to run Security Hub in order to delegate its administration there. This lab assumes that you want to run Security Hub in a Home region of N. Virginia (us-east-1) and a Secondary region of Oregon (us-west-2), and completes the steps in both regions. If you wish to deploy in different or additional regions, substitute your regions for the ones in the lab where applicable.

  • This step is performed in your AWS Control Tower Management Account.

  • Go to the Security Hub Dashboard

  • In the region selector in the top bar, check that the region is set to your Home region.

  • On the Security Hub Dashboard page, click Go to Security Hub.

    Note: If you already have Security Hub enabled in your account/region, you will not see this splash page.

  • On the Security Hub configuration page, scroll down to the Delegated Administrator section.

  • Enter the account ID of your Audit Account, and click Delegate.

  • In the region selector in the top bar, change the region to your Secondary region and repeat the process.

This will allow your Audit Account to manage Security Hub in each region that you have delegated administration in.
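The same delegation from the CLI, as an added example that is not part of the original lab. It runs with Management Account credentials (the call is only accepted from the Organizations management account) and repeats the regional call once per region; the account ID 111122223333, the two region names and the AWS=echo dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original lab): delegate Security Hub
# administration from the Control Tower Management Account via the CLI.
# Run with Management Account credentials. Set AWS=echo to print the
# commands instead of executing them (dry run).
set -eu

AWS="${AWS:-aws}"

# True when the argument looks like a 12-digit AWS account ID.
is_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Delegate Security Hub administration to ADMIN_ACCOUNT in each region given.
# Security Hub is regional, so the delegation is repeated once per region.
delegate_security_hub_admin() {
  admin_account="$1"; shift
  if ! is_account_id "$admin_account"; then
    echo "not a 12-digit account ID: $admin_account" >&2
    return 1
  fi
  for region in "$@"; do
    "$AWS" securityhub enable-organization-admin-account \
      --admin-account-id "$admin_account" \
      --region "$region"
  done
}

# Show the delegated administrator (account ID and status) in each region given.
show_security_hub_admin() {
  for region in "$@"; do
    echo "$region"
    "$AWS" securityhub list-organization-admin-accounts \
      --region "$region" \
      --query 'AdminAccounts[].[AccountId,Status]' \
      --output text
  done
}

# Usage (Management Account credentials; the lab's Home and Secondary regions):
#   delegate_security_hub_admin 111122223333 us-east-1 us-west-2
#   show_security_hub_admin us-east-1 us-west-2
```

The account ID check is there because the CLI accepts any string for --admin-account-id and only fails later, per region, which leaves a half-delegated setup when a typo slips through.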

Now that you have setup Delegated Administration, you can start enabling Security Hub in your Organization.

3. Set up Security Hub for the Organization

In this step you will enable Security Hub in the accounts that you already have provisioned, and then enable the Organizations integration with Security Hub to allow newly vended accounts to automatically be enrolled in Security Hub.

  • Switch to your Audit Account with AdministratorAccess.

  • Go to the Security Hub Dashboard.

  • In the region selector in the top bar, check that the region is set to your Home region.

  • On the left sidebar, click on Settings.

Note: Currently the AWS Control Tower Management Account does not have AWS Config enabled as part of the install process. AWS Security Hub requires AWS Config to be recording in an account before it can evaluate the security standards there, so you will need to skip enabling Security Hub in the Management Account at this time.

  • To enable Security Hub on your existing accounts, tick the checkbox in the account listing next to each account you wish to enable it in, making sure not to tick the Management Account. It is advised that you enable it everywhere else.

  • Then click Actions, then Add Member, and confirm in the pop-up box that you wish to add those accounts. After a few seconds their status will change to Enabled.

  • Next you will automatically enable Security Hub on all new accounts as they are created.

  • To do this, click the Auto-Enable toggle to ON, and click Turn on in the pop up box to confirm.

  • In the region selector in the top bar, change your region to your Secondary region (Oregon) and repeat the process. If you plan to use Security Hub in additional regions where you have already delegated administration, switch to those regions and repeat as necessary.
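The enrolment in this step from the CLI, as an added example that is not part of the original lab. It runs with Audit (delegated administrator) credentials, turns on auto-enable, then adds every existing ACTIVE organization account except the Management Account as a member, per region. It assumes the delegated administrator may call the read-only Organizations APIs (AWS grants this to registered delegated administrators); the account IDs, region names and the AWS=echo dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original lab): from the delegated
# administrator (Audit) account, turn on auto-enable for new accounts and add
# every existing organization account except the Management Account as a
# Security Hub member, repeating per region. Set AWS=echo for a dry run.
set -eu

AWS="${AWS:-aws}"

# Drop one account ID (the Management Account) from a newline-separated list
# read on stdin. grep exits 1 when nothing survives, which is not an error here.
exclude_account() {
  grep -vx "$1" || true
}

# Convert newline-separated account IDs on stdin into the shorthand that
# `create-members --account-details` expects: "AccountId=... AccountId=...".
account_details() {
  details=""
  while read -r id; do
    [ -n "$id" ] || continue
    details="$details AccountId=$id"
  done
  printf '%s\n' "${details# }"
}

# Print the ACTIVE organization accounts other than the Management Account.
# Assumes the delegated administrator can call the read-only Organizations
# APIs, which AWS grants to registered delegated administrators.
member_candidates() {
  mgmt=$("$AWS" organizations describe-organization \
    --query 'Organization.MasterAccountId' --output text)
  "$AWS" organizations list-accounts \
    --query 'Accounts[?Status==`ACTIVE`].Id' --output text \
    | tr '\t' '\n' | exclude_account "$mgmt"
}

# Enable Security Hub for the organization in one region:
#   1. auto-enable, so newly vended accounts join as they are created;
#   2. create-members for the existing accounts, which enables Security Hub
#      in them directly (organization members need no invitation);
#   3. list the members and their status.
enable_security_hub_org() {
  region="$1"; shift
  "$AWS" securityhub update-organization-configuration \
    --auto-enable --region "$region"
  if [ "$#" -gt 0 ]; then
    # shellcheck disable=SC2046  # word splitting of the shorthand list is intended
    "$AWS" securityhub create-members --region "$region" \
      --account-details $(printf '%s\n' "$@" | account_details)
  fi
  "$AWS" securityhub list-members --region "$region" \
    --query 'Members[].[AccountId,MemberStatus]' --output text
}

# Usage (Audit Account credentials), once per region:
#   members=$(member_candidates)
#   enable_security_hub_org us-east-1 $members
#   enable_security_hub_org us-west-2 $members
```

Excluding the Management Account by looking it up rather than hard-coding it keeps the script correct if it is reused in another organization; the final list-members call is the CLI counterpart of watching the status column change to Enabled.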

4. Investigating Findings

Note: It will take several minutes for Security Hub to generate findings based on the applied security standards.

  • On the left hand sidebar, click on Findings.

  • If there are no findings on your dashboard yet, wait and refresh the dashboard; it can take 5-10 minutes for the first results to appear.

  • Once findings are coming back, you will investigate a particular finding, control EC2.7 (EBS default encryption), in the Audit Account.

  • To do this, you will add filters to get to a specific finding. Start by clicking on the filter bar under the Findings section to get a dropdown of available filters.

  • Find the filter for AWS account ID and click on it. Then in the box that pops up, fill in your Audit Account ID and click Apply.

  • Repeat this process for the Title filter. For this filter, change the dropdown from is to starts with, enter EC2.7 in the text box, then click Apply.

  • With both filters applied (AWS account ID is your Audit Account ID, Title starts with EC2.7) you should see exactly one finding.

  • To dig deeper into this finding, click on the title EC2.7 EBS default encryption should be enabled.

  • This will pop up a box with details on the finding. You can see information such as which AWS Account triggered the finding, the severity, and the time the finding was created/updated.

  • Security Hub also provides you with detailed steps on how to remediate the issue. In the Remediation section, click on the link for instructions on how to enable EBS default encryption.

  • Clicking the link opens the remediation documentation for the control, which walks through enabling EBS default encryption. Note that this setting is per account and per region, so the fix must be applied in the account and region the finding names.

  • Congratulations! You have just investigated your first Security Hub finding!
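The same investigation from the CLI, as an added example that is not part of the original lab. It builds the get-findings filter that matches the two console filters (account ID equals, Title starts with) and restricts to active records, prints the fields shown in the finding pop-up plus the remediation URL, and then records the triage decision on the finding with batch-update-findings. The account ID, region and the AWS=echo dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original lab): query the EC2.7 finding for
# the Audit Account from the CLI, using the same two filters as the console
# (account ID equals, title starts with) plus active records only, and then
# record the triage decision on the finding. Set AWS=echo for a dry run.
set -eu

AWS="${AWS:-aws}"

# Build the --filters document for get-findings. Comparison PREFIX matches
# "starts with" in the console; RecordState ACTIVE hides archived findings.
finding_filter() {
  printf '{"AwsAccountId":[{"Value":"%s","Comparison":"EQUALS"}],"Title":[{"Value":"%s","Comparison":"PREFIX"}],"RecordState":[{"Value":"ACTIVE","Comparison":"EQUALS"}]}' "$1" "$2"
}

# List findings for ACCOUNT whose title starts with PREFIX in REGION, with the
# fields the console shows plus the remediation URL from the finding itself.
get_control_findings() {
  account="$1"; prefix="$2"; region="$3"
  "$AWS" securityhub get-findings --region "$region" \
    --filters "$(finding_filter "$account" "$prefix")" \
    --query 'Findings[].[Id,Severity.Label,Compliance.Status,Workflow.Status,UpdatedAt,Remediation.Recommendation.Url]' \
    --output text
}

# Record a triage decision: set the workflow status (NEW, NOTIFIED, SUPPRESSED
# or RESOLVED) on one finding, identified by its Id and ProductArn.
set_workflow_status() {
  finding_id="$1"; product_arn="$2"; status="$3"; region="$4"
  case "$status" in
    NEW|NOTIFIED|SUPPRESSED|RESOLVED) ;;
    *) echo "invalid workflow status: $status" >&2; return 1 ;;
  esac
  "$AWS" securityhub batch-update-findings --region "$region" \
    --finding-identifiers "Id=$finding_id,ProductArn=$product_arn" \
    --workflow "Status=$status"
}

# Usage (Audit Account credentials):
#   get_control_findings 111122223333 EC2.7 us-east-1
#   set_workflow_status "<finding Id>" "<finding ProductArn>" NOTIFIED us-east-1
```

Setting the workflow status is what makes the investigation visible to the rest of the team: the console's Workflow status filter and any EventBridge rule keyed on it see NOTIFIED or RESOLVED instead of a finding that still looks NEW.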

5. Monitoring Usage / Cost

  • Security Hub gives you the ability to run at no cost for 30 days, and provides a mechanism to understand what it will cost beyond that trial based on current utilization.

  • To see this data and keep track of when your trial expires, click on the Settings item in the left sidebar to get back to the settings page if you aren’t already there.

  • Next click on the Usage tab. Here you will see your utilization data for the current region. Click on the region selector in the top bar to view usage in other regions.

Note: The figure for usage in this lab is for demonstration purposes only, your actual usage and cost will differ based on the number of regions and the number of resources being monitored.

Conclusion

Congratulations! You have successfully set up Security Hub with a delegated administrator and enabled it in multiple regions for all member accounts in your Organization (the Management Account excepted, as noted above), with new accounts enrolled automatically.

You can also create and deploy your own custom compliance rules using AWS Config. View the AWS Config with RDK (Rule Development Kit) lab to learn how.

Lab Decommission

In order to revert to the original state you will need to:

  • Use the delegated administrator to disassociate all of the member accounts from Security Hub.

  • Remove the delegated administrator.

  • Disable Security Hub in the accounts/regions where you enabled it.

1. Disassociating Accounts

  • If you are not already in the Audit Account, switch to it with AdministratorAccess.

  • Go to the Security Hub Dashboard.

  • Complete the following steps in each region where you have enabled Security Hub as part of this lab:

    • On the left sidebar, click on Settings.

    • Click the Auto-Enable toggle and set it to OFF. This will prevent new accounts from enabling Security Hub.

    • Click the checkbox next to the Account ID heading to check all the accounts, then uncheck the box next to the AWS Control Tower Management Account since it is not enabled there.

    • Click on the Actions button, then Disassociate account.

      Note: If you left the AWS Control Tower Management Account checked, this button may be grey. Uncheck it to proceed.

    • In the pop up box, confirm you wish to disassociate the selected accounts and click Disassociate account.

    • Once completed, the selected accounts will have a status of Not a member.

2. Removing the Delegated Administrator

This step only needs to be done once and will affect all regions where delegated administration was set up.

  • Login to your AWS Control Tower Management Account with AdministratorAccess.

  • On the Security Hub Dashboard page, click Go to Security Hub.

  • On the Security Hub configuration page, scroll down to the Delegated Administrator section and click Remove.

  • In the pop up box type confirm and click Confirm remove.
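Decommission steps 1 and 2 from the CLI, as an added example that is not part of the original lab. disassociate_all_members runs with Audit Account credentials, once per region, and goes one step further than the console walkthrough by also deleting the disassociated members from the member list; remove_delegated_admin runs with Management Account credentials and repeats the regional API call for each region where delegation was set up. The account ID, region names and the AWS=echo dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original lab): undo the lab from the CLI.
# disassociate_all_members runs with Audit Account credentials, per region;
# remove_delegated_admin runs with Management Account credentials. Set
# AWS=echo for a dry run.
set -eu

AWS="${AWS:-aws}"

# Join newline-separated IDs from stdin into one space-separated line, for
# passing to --account-ids. Prints nothing when the list is empty.
join_ids() {
  tr '\n' ' ' | sed 's/ *$//'
}

# In one region: stop auto-enrolling new accounts, then disassociate (and
# delete) every current member. The administrator can disassociate
# organization members without any action in the member account.
disassociate_all_members() {
  region="$1"
  "$AWS" securityhub update-organization-configuration \
    --no-auto-enable --region "$region"
  ids=$("$AWS" securityhub list-members --region "$region" \
    --query 'Members[].AccountId' --output text | tr '\t' '\n' | join_ids)
  if [ -z "$ids" ]; then
    echo "$region: no members to disassociate"
    return 0
  fi
  # shellcheck disable=SC2086  # $ids is intentionally word-split
  "$AWS" securityhub disassociate-members --region "$region" --account-ids $ids
  "$AWS" securityhub delete-members --region "$region" --account-ids $ids
}

# From the Management Account: remove the delegated administrator in each
# region given, mirroring the per-region delegation done earlier.
remove_delegated_admin() {
  admin_account="$1"; shift
  for region in "$@"; do
    "$AWS" securityhub disable-organization-admin-account \
      --admin-account-id "$admin_account" --region "$region"
  done
}

# Usage:
#   (Audit Account)      disassociate_all_members us-east-1; disassociate_all_members us-west-2
#   (Management Account) remove_delegated_admin 111122223333 us-east-1 us-west-2
```

Turning auto-enable off first matters: if an account is vended while you are still disassociating members, it would otherwise be enrolled again and left behind.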

3. Disabling Security Hub in the Member Accounts

You can disable Security Hub in your organizational member accounts either via the Console or the CLI. You will need to complete this process in each account in which you enabled Security Hub, and you need AWSSecurityHubFullAccess or AdministratorAccess in those accounts.

Via the Console:

In each account/region where Security Hub is enabled:

  • Go to the Security Hub Dashboard

  • On the left sidebar, click on Settings.

  • Click on the General tab.

  • Click on Disable AWS Security Hub.

  • In the pop up box, confirm that you wish to disable Security Hub by clicking Disable AWS Security Hub.

Via the CLI:

To install the AWS CLI, please follow the AWS CLI Installation documentation.

In order to run CLI Commands, you will first need a set of credentials.

  • On the AWS SSO user portal page, click on the account you wish to disable Security Hub in to show the list of Permission Sets.

  • Next to the permission set, click the link for Command line or programmatic access.

  • Choose the appropriate platform that you are running the CLI in, and under Option 1 click to copy the necessary exports for your temporary credentials.

  • Paste the copied credentials into your shell and press Enter. This allows the CLI session to run commands using those environment variables.

  • Run the following command for each region, replacing <REGION> with the region code (for example us-east-1) from the service endpoint reference.

    	aws securityhub disable-security-hub --region <REGION>
    	
  • (Optional) If you wish to disable Security Hub in every enabled region in one go, you can use the following loop. The example is a bash script but can be adapted to other shells.

    Note: The CLI will return errors when you try to turn off Security Hub when it is not currently enabled. This is normal.

    	# List the regions enabled for this account. Opt-in regions you have not
    	# enabled are not returned, and Security Hub cannot be running there.
    	export REGIONS=$( aws ec2 describe-regions --query 'Regions[].RegionName' --output text --region us-east-1 )
    
    	for R in $REGIONS; do
    	 echo ==============================
    	 echo "$R"
    	 echo ==============================
    	 # Returns an error in regions where Security Hub is not enabled; that is expected.
    	 aws securityhub disable-security-hub --region "$R"
    	done
    	


Copyright 2021, Amazon Web Services, All Rights Reserved.