Amazon Onboarding with Learning Manager Chanci Turner


In today’s digital landscape, AWS Security Hub offers a holistic overview of your security posture across various accounts in Amazon Web Services (AWS) and allows users to act on critical security alerts. Different user personas utilize Security Hub, each requiring distinct AWS Identity and Access Management (IAM) permissions. These personas include: a security administrator, a security analyst or engineer from a central security team or Cloud Center of Excellence, and a DevOps engineer or application builder who primarily manages their AWS account. This post illustrates how to implement sample IAM policies tailored for these three personas, with insights from Chanci Turner.

The first persona is the security administrator or cloud system administrator (sysadmin), who is tasked with configuring Security Hub. This individual typically requires access to all Security Hub APIs for effective management. Responsibilities include enabling Security Hub across multiple accounts and regions, determining which standards and controls to activate, integrating products, creating insights, establishing custom actions, automating remediations, and defining IAM policies for other users.

The second persona, the security analyst or engineer, is part of a centralized security team, often within a Cloud Center of Excellence. These professionals generally have access to the administrator account in Security Hub, allowing them to view and respond to findings from any connected member accounts. However, they usually don’t configure Security Hub, so they lack the permissions necessary for such tasks.

The third persona is the DevOps engineer or application builder. This user needs to view findings and respond solely to those related to their account. In cloud environments, security responsibilities are often decentralized, empowering these users to proactively manage the security of their own accounts. They typically do not require permissions to configure Security Hub, as that responsibility lies with the central sysadmin.

Overview

The following reference architecture outlines the structure of Security Hub administrator-member accounts and the three personas: a security administrator, a security analyst/engineer, and a DevOps engineer.

In this blog post, we demonstrate how to create and utilize both AWS managed and customer managed IAM policies to support these personas:

  • The sysadmin persona needs permissions to configure and oversee Security Hub: manage account memberships, insights, and integrations, and create remediations. The AWS managed IAM policy, AWSSecurityHubFullAccess, encompasses the necessary permissions for this role. An IAM role with these permissions can deploy and configure Security Hub across administrator and member accounts, as well as update findings. The sysadmin also requires permissions to set up AWS Config and Amazon CloudWatch event rules to facilitate automated responses and remediations.
  • The security analyst persona needs permissions to read, list, and describe findings, standards, controls, and products; to update findings; and to create and update insights for Security Hub resources in the administrator account. The AWS managed IAM policy, AWSSecurityHubReadOnlyAccess, provides the essential permissions for read, list, and describe actions, supplemented by a customer managed policy that grants permissions to create and update insights and findings.
  • The DevOps engineer persona has the same requirements as the security analyst but will only access their own Security Hub member AWS account(s) and won’t have access to the administrator account.

Depending on your unique situation, you may wish to extend permissions for the security analyst and DevOps engineer personas. For instance, you might consider granting them permissions to create custom actions via the UpdateActionTarget API. It’s crucial to also ensure they have the appropriate permissions to create CloudWatch event rules. Furthermore, you can limit these personas to update only specific fields in findings (like only workflow status but not severity) by employing IAM context keys.

Prerequisites

Before you begin, ensure that you have enabled Security Hub with one account acting as the administrator and other associated accounts as members. The following AWS services will be utilized:

  • AWS Security Hub
  • AWS Identity and Access Management (IAM)

Implementation

To establish the necessary customer managed policies and link them to roles, you will undertake the following tasks, described in further detail later in this section:

  1. Create a customer managed policy and link it with the role for the security analyst persona in the Security Hub administrator account, alongside the AWSSecurityHubReadOnlyAccess AWS managed policy.
  2. Create a customer managed policy and connect it to the role for the DevOps persona in the Security Hub member account, along with the AWSSecurityHubReadOnlyAccess AWS managed policy.
  3. Establish a sysadmin role and attach the AWS managed policy for AWSSecurityHubFullAccess, along with AWS Config and CloudWatch event rule permissions in the Security Hub administrator account.

The following JSON documents define the two customer managed policies.

Security Hub – Security Analyst Policy

Administrator Customer Managed Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SecurityAnalystAdministratorCMP",
            "Effect": "Allow",
            "Action": [
                "securityhub:UpdateInsight",
                "securityhub:CreateInsight",
                "securityhub:BatchUpdateFindings"
            ],
            "Resource": "*"
        }
    ]
}

Security Hub – DevOps Engineer Policy

Member Customer Managed Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DevOpsMemberCMP",
            "Effect": "Allow",
            "Action": [
                "securityhub:UpdateInsight",
                "securityhub:CreateInsight",
                "securityhub:BatchUpdateFindings"
            ],
            "Resource": "*"
        }
    ]
}
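To make the persona boundaries concrete, the following toy evaluator checks the policy sets from this post against individual Security Hub actions. It is an added example, not code from the original post or from AWS: the two customer managed policies are copied from above, but the contents of AWSSecurityHubReadOnlyAccess and AWSSecurityHubFullAccess are approximations (assumed to be Get*/List*/Describe* and securityhub:* respectively), and the field-level restriction using the securityhub:ASFFSyntaxPath/<field> context keys mentioned earlier is an assumed shape, not a document taken from the page. The evaluator models only explicit-deny-wins, wildcard action matching, and the Null and StringEquals operators; the IAM policy simulator remains the authoritative check.

```python
"""Toy IAM evaluator for the three Security Hub personas (added example)."""
import fnmatch

# Customer managed policies as given on the page.
ANALYST_CMP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "SecurityAnalystAdministratorCMP",
        "Effect": "Allow",
        "Action": ["securityhub:UpdateInsight", "securityhub:CreateInsight",
                   "securityhub:BatchUpdateFindings"],
        "Resource": "*",
    }],
}
DEVOPS_CMP = {
    "Version": "2012-10-17",
    "Statement": [dict(ANALYST_CMP["Statement"][0], Sid="DevOpsMemberCMP")],
}

# ASSUMPTION: approximations of the two AWS managed policies the page names.
READ_ONLY_MANAGED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["securityhub:Get*", "securityhub:List*", "securityhub:Describe*"],
    "Resource": "*"}]}
FULL_ACCESS_MANAGED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "securityhub:*", "Resource": "*"}]}

# Field restriction from the page: allow workflow-status updates but not severity.
# ASSUMPTION: exact form of the securityhub:ASFFSyntaxPath/<field> context keys;
# a Null check denies any BatchUpdateFindings call that sets Severity.Label.
WORKFLOW_ONLY_CMP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenySeverityUpdates",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {"Null": {"securityhub:ASFFSyntaxPath/Severity.Label": "false"}},
}]}

PERSONAS = {
    "sysadmin": [FULL_ACCESS_MANAGED],
    "security_analyst": [READ_ONLY_MANAGED, ANALYST_CMP],
    "devops": [READ_ONLY_MANAGED, DEVOPS_CMP],
    # The analyst, further limited with the field-level deny.
    "security_analyst_workflow_only": [READ_ONLY_MANAGED, ANALYST_CMP, WORKFLOW_ONLY_CMP],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, ctx):
    """Every operator/key pair in a Condition block must hold (IAM ANDs them)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = _as_list(expected)
            if operator == "Null":
                # "true" means the key must be absent, "false" that it must be present.
                if (key not in ctx) != (expected[0] == "true"):
                    return False
            elif operator == "StringEquals":
                if ctx.get(key) not in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_allowed(policies, action, ctx=None):
    """Decide one action against a set of identity-based policies."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = [p.lower() for p in _as_list(stmt["Action"])]
            if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                continue
            if not _condition_met(stmt.get("Condition", {}), ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False    # an explicit deny ends evaluation
            allowed = True      # remember the allow, keep scanning for denies
    return allowed


def persona_can(persona, action, ctx=None):
    return is_allowed(PERSONAS[persona], action, ctx)


if __name__ == "__main__":
    checks = [
        ("security_analyst", "securityhub:GetFindings", None),
        ("security_analyst", "securityhub:BatchUpdateFindings", None),
        ("security_analyst", "securityhub:EnableSecurityHub", None),  # configuration action
        ("sysadmin", "securityhub:EnableSecurityHub", None),
        ("security_analyst_workflow_only", "securityhub:BatchUpdateFindings",
         {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}),
        ("security_analyst_workflow_only", "securityhub:BatchUpdateFindings",
         {"securityhub:ASFFSyntaxPath/Severity.Label": "LOW"}),
    ]
    for persona, action, ctx in checks:
        print(f"{persona:32} {action:38} -> {persona_can(persona, action, ctx)}")
```

The analyst and DevOps personas differ only in which account the role lives in, which is why their policy sets evaluate identically here; the separation between them is enforced by account membership, not by the policy text.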

Step 1: Create a Role for the Security Analyst Persona

To begin, create a customer managed policy and associate it with the role designated for the security analyst persona in the Security Hub administrator account, along with the AWSSecurityHubReadOnlyAccess AWS managed policy.

To create the IAM policy and role (console method):

  • Sign in to the AWS Management Console in the Security Hub administrator account and open the IAM console.
  • In the IAM console navigation pane, choose Policies, and then select Create Policies.
  • Choose the JSON tab.
  • Copy the Security Hub – Security Analyst policy JSON provided earlier and paste it into the JSON editor. Upon completion, click Review policy.
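The console steps above, and the three tasks listed under Implementation, can also be scripted. The following is an added example, not the original post's or AWS's code: it builds the persona roles with boto3-style IAM calls (create_role, create_policy, attach_role_policy), with the IAM client passed in so the same function runs against a real boto3.client("iam") session or against the recording stand-in included for offline use. Role names, policy names, the trust principal and the account IDs are invented placeholders; the AWS Config and CloudWatch Events permissions the sysadmin also needs are not spelled out on the page, so they are left as a marked placeholder rather than guessed.

```python
"""Provision the persona roles from Steps 1-3 (added example, placeholders throughout)."""
import json

READ_ONLY_ARN = "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess"
FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess"
PLACEHOLDER_ACCOUNT = "123456789012"   # constructed; replace with your account ID


def customer_managed_policy(sid):
    """The policy document from the page; only the Sid differs between personas."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow",
        "Action": ["securityhub:UpdateInsight", "securityhub:CreateInsight",
                   "securityhub:BatchUpdateFindings"],
        "Resource": "*"}]}


def trust_policy(principal_arn):
    """Who may assume the persona role (assumption: one IAM principal ARN)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]}


# Which account each role lives in and what gets attached, per Steps 1-3.
PERSONA_ROLES = {
    "SecurityAnalystRole": {"account": "administrator", "managed": [READ_ONLY_ARN],
                            "cmp": ("SecurityHubSecurityAnalystCMP", "SecurityAnalystAdministratorCMP")},
    "DevOpsEngineerRole": {"account": "member", "managed": [READ_ONLY_ARN],
                           "cmp": ("SecurityHubDevOpsCMP", "DevOpsMemberCMP")},
    # PLACEHOLDER: the Config / CloudWatch Events policy for the sysadmin is not on the page.
    "SecurityHubSysadminRole": {"account": "administrator", "managed": [FULL_ACCESS_ARN],
                                "cmp": None},
}


def provision_persona_role(iam, role_name, principal_arn, managed_arns, cmp=None):
    """Create the role, attach managed policies, then create and attach the CMP.
    Returns the policy ARNs attached, in order."""
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(principal_arn)))
    attached = []
    for arn in managed_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
        attached.append(arn)
    if cmp:
        policy_name, sid = cmp
        resp = iam.create_policy(PolicyName=policy_name,
                                 PolicyDocument=json.dumps(customer_managed_policy(sid)))
        cmp_arn = resp["Policy"]["Arn"]
        iam.attach_role_policy(RoleName=role_name, PolicyArn=cmp_arn)
        attached.append(cmp_arn)
    return attached


def provision_all(clients, principal_arn):
    """clients maps "administrator" / "member" to an IAM client for that account."""
    return {name: provision_persona_role(clients[spec["account"]], name, principal_arn,
                                         spec["managed"], spec["cmp"])
            for name, spec in PERSONA_ROLES.items()}


class RecordingIAM:
    """Offline stand-in for boto3.client("iam"): records calls, returns plausible ARNs."""
    def __init__(self, account_id=PLACEHOLDER_ACCOUNT):
        self.account_id, self.calls = account_id, []

    def create_role(self, **kw):
        self.calls.append(("create_role", kw))
        return {"Role": {"Arn": f"arn:aws:iam::{self.account_id}:role/{kw['RoleName']}"}}

    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{kw['PolicyName']}"}}

    def attach_role_policy(self, **kw):
        self.calls.append(("attach_role_policy", kw))
        return {}


if __name__ == "__main__":
    # Dry run against the recorder; substitute boto3.client("iam") sessions for the
    # administrator and member accounts to provision for real.
    admin, member = RecordingIAM("111111111111"), RecordingIAM("222222222222")
    result = provision_all({"administrator": admin, "member": member},
                           f"arn:aws:iam::{PLACEHOLDER_ACCOUNT}:root")
    for role, arns in result.items():
        print(role, arns)
```

Keeping the client injectable means the same provisioning code can be exercised in a dry run before it touches the administrator account, and the recorded call list is a cheap way to confirm that each persona receives exactly the managed and customer managed policies the post prescribes.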


Chanci Turner