On April 25, 2023, this article was updated to include additional security learning resources.
AWS Security Hub offers a unified view of your security posture within Amazon Web Services (AWS), enabling you to assess your environment against established security standards and the latest AWS security recommendations. While Security Hub shares similarities with security information and event management (SIEM) tools, it is not intended to serve as a standalone SIEM solution. For instance, Security Hub processes only AWS-specific security findings and does not directly ingest high-volume event logs, such as those from AWS CloudTrail. If you need to merge AWS findings with other types of logs from on-premises or non-AWS workloads, or if you require the ingestion of larger event logs, use Security Hub alongside a dedicated SIEM tool.
The benefits of integrating Security Hub with a SIEM tool are numerous. They include retaining findings for longer than Security Hub does, aggregating findings across multiple administrator accounts, and correlating Security Hub findings with other log sources. This post demonstrates how to employ Amazon OpenSearch Service as a SIEM solution and how to integrate it with Security Hub to achieve these three objectives. Amazon OpenSearch Service is a fully managed service that facilitates the deployment, management, and scaling of Elasticsearch and Kibana. OpenSearch Service functions as a distributed, RESTful search and analytics engine, capable of supporting a range of use cases. You can extend OpenSearch Service by incorporating AWS services like Kinesis or Kinesis Data Firehose, integrating with various AWS services, or using traditional agents such as Beats and Logstash for log ingestion, along with Kibana for data visualization. While OpenSearch Service is not a SIEM out of the box, it can be tailored for SIEM-related tasks.
Security Hub and SIEM Use Cases
By activating Security Hub within your AWS Organizations account structure, you instantly benefit from a comprehensive view of your security findings across various AWS and partner services on a single interface. Some organizations opt to leverage Security Hub alongside a SIEM tool for several reasons:
- Correlate Security Hub findings with other log sources: This is the primary reason customers implement this integration. If you have various log sources outside of Security Hub findings—such as application logs, database logs, partner logs, and security tooling logs—consolidating these into a single SIEM solution makes sense. You can then analyze both Security Hub findings and other logs in one location and create alerts based on significant correlations.
- Extend findings retention beyond 90 days: Some organizations require the ability to store Security Hub findings for longer than the standard 90 days after the last update. This can be for historical investigations or audit compliance. This solution allows you to store Security Hub findings in a private Amazon Simple Storage Service (Amazon S3) bucket, which can be accessed by Amazon OpenSearch Service.
- Aggregate findings from multiple administrator accounts: Security Hub allows organizations to designate an administrator account when enabled across multiple accounts. This administrator can oversee data and manage configurations for its member accounts, thereby viewing and managing all findings in one place. In situations where customers have several Security Hub administrator accounts because they run multiple organizations in AWS Organizations, this solution consolidates all administrator accounts into a single OpenSearch Service and Kibana SIEM implementation for a unified view across environments.
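The retention and aggregation use cases above both hinge on how a finding is written to S3 and indexed in OpenSearch. The following is an added example (not code from this post or from the GitHub solution it links to) that takes a "Security Hub Findings - Imported" EventBridge event and produces a date- and account-partitioned S3 key plus an OpenSearch `_bulk` body keyed on the ASFF finding Id, so an updated finding overwrites its earlier copy instead of duplicating it. The account IDs, ARNs, the sample event and the index prefix are constructed placeholders.

```python
"""Added example, not code from the post or the linked GitHub solution. Turns a
"Security Hub Findings - Imported" EventBridge event into a date-partitioned S3 key
(findings outlive the 90-day retention) and an OpenSearch _bulk body keyed on the
finding Id (updates overwrite, not duplicate). IDs and names are placeholders."""
import hashlib
import json
from datetime import datetime

INDEX_PREFIX = "log-aws-securityhub"  # assumed naming; one index per month

# Constructed sample event carrying one abbreviated ASFF finding.
SAMPLE_EVENT = {
    "account": "111122223333", "region": "us-east-1",  # administrator account
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/"
              "aws-foundational-security-best-practices/v/1.0.0/S3.1/finding/example-1",
        "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.1",
        "AwsAccountId": "444455556666",  # member account that owns the resource
        "UpdatedAt": "2023-04-25T10:14:58.000Z",
        "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
        "Title": "S3.1 S3 Block Public Access setting should be enabled",
        "ProductFields": {"aws/securityhub/ProductName": "Security Hub"},
    }]},
}

def s3_key(event, finding):
    """Partition by administrator account, region and UpdatedAt date; hashing the
    Id gives a stable object name so an update replaces the earlier copy and S3
    lifecycle rules alone decide how long history is kept."""
    day = datetime.fromisoformat(finding["UpdatedAt"].replace("Z", "+00:00"))
    name = hashlib.sha256(finding["Id"].encode()).hexdigest()[:16]
    return (f"AWSLogs/{event['account']}/SecurityHub/{event['region']}/"
            f"{day:%Y/%m/%d}/{name}.json")

def to_bulk_body(event):
    """NDJSON _bulk request: one index action per finding with the ASFF Id as _id,
    plus a flattened document holding the fields the dashboard filters on."""
    lines = []
    for f in event["detail"]["findings"]:
        doc = {"@timestamp": f["UpdatedAt"], "title": f["Title"],
               "aws_account_id": f["AwsAccountId"],  # member account
               "admin_account_id": event["account"],  # administrator that forwarded it
               "severity": f["Severity"]["Label"], "workflow_status": f["Workflow"]["Status"],
               "product_name": f["ProductFields"].get("aws/securityhub/ProductName", "unknown"),
               "generator_id": f["GeneratorId"]}
        index = f"{INDEX_PREFIX}-{f['UpdatedAt'][:7]}"  # e.g. log-aws-securityhub-2023-04
        lines.append(json.dumps({"index": {"_index": index, "_id": f["Id"]}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"
```

Keeping both the member account and the forwarding administrator account on every document is what lets a single dashboard filter by account when several administrator accounts feed the same domain.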
Solution Architecture
The solution architecture illustrates the integration capabilities when creating a SIEM with Amazon OpenSearch Service. It allows for the aggregation of findings across multiple accounts, indefinite storage of findings in an S3 bucket, and the correlation of various AWS and non-AWS services for visualization. Although this post focuses on integrating with Security Hub, the following AWS services can also be integrated:
- AWS WAF
- Amazon CloudFront
- AWS CloudTrail
- Elastic Load Balancing (ELB)
- Amazon GuardDuty
- Amazon Relational Database Service (Amazon RDS)
- AWS Security Hub
- VPC Flow Logs
- Amazon WorkSpaces
Each of these services features its own dedicated dashboard within the OpenSearch SIEM framework. This setup enables customers to view findings pertinent to each service being ingested. Additionally, OpenSearch Service permits the creation of aggregated dashboards that consolidate multiple services into a single overview.
Prerequisites
It is recommended to enable Security Hub and AWS Config across all accounts and regions. For detailed instructions, refer to the documentation for Security Hub and AWS Config. Utilizing the integration with AWS Organizations simplifies the setup and enables automatic activation of these services in all current and future accounts.
Launching the Solution
To deploy this solution within your environment, you can either use an AWS CloudFormation template or follow the outlined steps to customize the deployment for non-AWS service integrations, multi-Organization deployments, or launching within an existing OpenSearch Service environment. Follow the instructions for SIEM on Amazon OpenSearch Service available on GitHub.
Utilizing the Solution
Before using the solution, review how it appears on the Security Hub dashboard. Navigate to this section by following Step 3 from the GitHub README. The Security Hub dashboard highlights all key components of the service within an OpenSearch Service setting. This includes support for all service integrations available in Security Hub (such as GuardDuty, AWS Identity and Access Management (IAM) Access Analyzer, Amazon Inspector, Amazon Macie, and AWS Systems Manager Patch Manager). The dashboard displays both findings and security standards, with filtering options by AWS account, finding type, security standard, or service integration.
Use Case 1: Correlate Security Hub Findings with Other Log Sources and Create Alerts