Sorry, currently no German translation is available for this blog post

Situation

The nature of cloud landscapes is that they are highly dynamic and grow steadily. Keeping grip on the current level of security can be a challenge. AWS provides a great tool to get a consolidated overview, particularly in AWS Landing Zone architectures: AWS Security Hub

AWS Security Hub

In the following post we will introduce AWS Security Hub and two security standards we recommend you consider for your AWS accounts.

The security standards are shipped with AWS Security Hub and can be enabled with a simple click.

Note: Please be aware that both security standards deploy managed AWS Config rules that will generate costs.

The following diagram shows the concept behind AWS Security Hub:

Security Hub Model

AWS Security Hub is made for multi-account setups. You can specify a master account (usually the Core Auditing Account) and invite member accounts to the master.

We recommend enabling the following standards. Per enabled security standard you will get an aggregated security score across all security controls, enabled for the security standard.

Security Standards

CIS AWS Foundations Benchmark

The Center for Internet Security (1) provides a great set of benchmarks for different technologies. For AWS they provide the CIS Amazon Web Services Foundations Benchmark and the CIS Benchmark for Amazon Web Services Three-tier Web Architecture.

As mentioned AWS Security Hub comes with the CIS AWS Foundations Benchmark [2][3] which consists of 49 security controls from the four following domains:

CIS Table

AWS Foundational Security Best Practices

Since Q2-2020 the AWS Foundational Security Best Practices [4] security standard has been available at AWS Security Hub. It consists of 31 security controls that belong to one of the following categories, which are based on the functions described in the NIST Cybersecurity Framework.

FSBP Table

We are ACAI Consulting – specialized in AWS Multi Account Security and Governance. If you have any questions, feel free to get in touch with us: blog@acai.gmbh

References

[1] https://www.cisecurity.org/

[2] AWS_CIS_Foundations_Benchmark.pdf

[3] securityhub-standards-cis.html

[4] securityhub-standards-fsbp.html