AWS - Accessing Security Hub

The Public Cloud Team has standardized on NIST SP 800-53 as the security standard across our campus public cloud environments. NIST SP 800-53 is a catalog of security and privacy controls for information systems, intended to help organizations manage and reduce their cybersecurity risk.

AWS Security Hub was updated to use the NIST Special Publication 800-53 Revision 5 standard on Wednesday, August 2, 2023 in our DLT3 and STRIDES AWS Organizations.

For more information on the specific Security Hub checks, please refer to Amazon’s documentation.

Viewing AWS Security Hub Security Findings

If you have any questions or need additional information regarding this change, please contact the Public Cloud Team. We are here to help ensure a smooth transition and to address any concerns you might have.

Security Hub Alerts

S3

Control | Severity | Control Title / Remediation Link | Notification Sent to Account Holder | Notification Sent to CSOC
--- | --- | --- | --- | ---
S3.1 | Medium | S3 Block Public Access setting should be enabled | Yes | Yes
S3.2 | Critical | S3 buckets should prohibit public read access | Yes | Yes
S3.5 | Medium | S3 general purpose buckets should require requests to use SSL | Yes | Yes
S3.6 | High | S3 general purpose bucket policies should restrict access to other AWS accounts | Yes | Yes
S3.7 | Low | S3 general purpose buckets should use cross-Region replication | No | No
S3.8 | High | S3 general purpose buckets should block public access | Yes | Yes
S3.9 | Medium | Server access logging should be enabled for S3 general purpose buckets | No | Yes for High Risk OUs
S3.10 | Medium | S3 general purpose buckets with versioning enabled should have Lifecycle configurations | No | Yes
S3.11 | Medium | S3 general purpose buckets should have event notifications enabled | No | No
S3.12 | Medium | ACLs should not be used to manage user access to S3 general purpose buckets | Yes | Yes
S3.13 | Low | S3 general purpose buckets should have Lifecycle configurations | No | No
S3.14 | Low | S3 general purpose buckets should have versioning enabled | No | No
S3.15 | Medium | S3 general purpose buckets should have Object Lock enabled | No | No
S3.17 | Medium | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | No | No
S3.19 | Critical | S3 access points should have block public access settings enabled | TBD | TBD
S3.20 | Low | S3 general purpose buckets should have MFA delete enabled | TBD | TBD

EC2

Control | Severity | Control Title / Remediation Link | Notification Sent to Account Holder | Notification Sent to CSOC
--- | --- | --- | --- | ---
EC2.1 | Critical | Amazon EBS snapshots should not be publicly restorable | Yes | Yes
EC2.2 | High | VPC default security groups should not allow inbound or outbound traffic | No | Yes
EC2.3 | Medium | Attached Amazon EBS volumes should be encrypted at-rest | Yes | Yes
EC2.4 | Medium | Stopped EC2 instances should be removed after a specified time period | No | Yes
EC2.6 | Medium | VPC flow logging should be enabled in all VPCs | Yes for High Risk OUs only | Yes
EC2.7 | Medium | EBS default encryption should be enabled | Yes | Yes
EC2.8 | High | EC2 instances should use Instance Metadata Service Version 2 (IMDSv2) | Yes | Yes
EC2.9 | High | Amazon EC2 instances should not have a public IPv4 address | Yes for High Risk OUs only | Yes
EC2.10 | Medium | Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | TBD | TBD
EC2.12 | Low | Unused Amazon EC2 EIPs should be removed | No | Yes
EC2.13 | High | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 | Yes | Yes
EC2.14 | High | Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 3389 | TBD | TBD
EC2.15 | Medium | Amazon EC2 subnets should not automatically assign public IP addresses | No | Yes
EC2.16 | Low | Unused Network Access Control Lists should be removed | No | No
EC2.17 | Low | Amazon EC2 instances should not use multiple ENIs | No | No
EC2.18 | High | Security groups should only allow unrestricted incoming traffic for authorized ports | Yes | Yes
EC2.19 | Critical | Security groups should not allow unrestricted access to ports with high risk | Yes | Yes
EC2.20 | Medium | Both VPN tunnels for an AWS Site-to-Site VPN connection should be up | No | Yes
EC2.21 | Medium | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | Yes | Yes
EC2.23 | High | Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests | Yes | Yes
EC2.24 | Medium | Amazon EC2 paravirtual instance types should not be used | No | Yes
EC2.25 | High | Amazon EC2 launch templates should not assign public IPs to network interfaces | Yes | Yes
EC2.28 | Low | EBS volumes should be covered by a backup plan | No | Yes
EC2.51 | Low | EC2 Client VPN endpoints should have client connection logging enabled | TBD | TBD
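The following is an added example of how the S3 and EC2 tables above can be applied to real Security Hub findings; it is not the Public Cloud Team's notification tooling. The routing table is transcribed from the two tables, the sample findings are constructed (trimmed ASFF records, not real data), and the only real API surface is the securityhub GetFindings filter shape (ComplianceSecurityControlId, ComplianceStatus, RecordState, WorkflowStatus) and the ASFF field Compliance.SecurityControlId. The names recipients, route_all and fetch_findings are this example's own. Controls marked TBD in the tables are routed to a "review" bucket rather than silently dropped, and the "High Risk OUs" conditions are driven by an account allow-list you would populate from your own OU membership data.

```python
"""Route failed Security Hub NIST 800-53 findings per the S3/EC2 notification
tables on this page.  Added example, not the Public Cloud Team's tooling."""
import json

# (account holder, CSOC) -> "yes" | "no" | "high_risk" (High Risk OUs only) | "tbd"
# Transcribed from the two tables above.
_GROUPS = {
    ("yes", "yes"): "S3.1 S3.2 S3.5 S3.6 S3.8 S3.12 EC2.1 EC2.3 EC2.7 EC2.8 "
                    "EC2.13 EC2.18 EC2.19 EC2.21 EC2.23 EC2.25",
    ("no", "yes"): "S3.10 EC2.2 EC2.4 EC2.12 EC2.15 EC2.20 EC2.24 EC2.28",
    ("no", "no"): "S3.7 S3.11 S3.13 S3.14 S3.15 S3.17 EC2.16 EC2.17",
    ("no", "high_risk"): "S3.9",
    ("high_risk", "yes"): "EC2.6 EC2.9",
    ("tbd", "tbd"): "S3.19 S3.20 EC2.10 EC2.14 EC2.51",
}
ROUTING = {cid: rule for rule, ids in _GROUPS.items() for cid in ids.split()}


def build_filters(control_ids):
    """AwsSecurityFindingFilters for securityhub:GetFindings: ACTIVE, FAILED
    findings that are still NEW or NOTIFIED (not RESOLVED/SUPPRESSED), for the
    given consolidated control IDs.  Multiple EQUALS values on one field are OR'd."""
    return {
        "ComplianceSecurityControlId": [
            {"Value": cid, "Comparison": "EQUALS"} for cid in control_ids],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                           {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
    }


def control_id(finding):
    """Consolidated control ID from an ASFF finding; older findings carry it
    only in ProductFields.ControlId."""
    cid = finding.get("Compliance", {}).get("SecurityControlId")
    return cid or finding.get("ProductFields", {}).get("ControlId")


def recipients(finding, high_risk_ou=False):
    """Who is notified for one finding: a set drawn from {"account_holder",
    "csoc"}.  An unmapped or TBD control yields {"review"} so it is not lost."""
    rule = ROUTING.get(control_id(finding))
    if rule is None or rule == ("tbd", "tbd"):
        return {"review"}
    out = set()
    for target, when in zip(("account_holder", "csoc"), rule):
        if when == "yes" or (when == "high_risk" and high_risk_ou):
            out.add(target)
    return out


def fetch_findings(control_ids, region="us-east-1"):
    """Live pull (needs credentials with securityhub:GetFindings).  boto3 is
    imported here so the routing logic above runs without it installed."""
    import boto3
    client = boto3.client("securityhub", region_name=region)
    paginator = client.get_paginator("get_findings")
    for page in paginator.paginate(Filters=build_filters(control_ids)):
        yield from page["Findings"]


# Constructed sample findings (trimmed ASFF), not real data.
SAMPLE = [
    {"Id": "f1", "AwsAccountId": "111111111111", "Severity": {"Label": "CRITICAL"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.2"}},
    {"Id": "f2", "AwsAccountId": "222222222222", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.9"}},
    {"Id": "f3", "AwsAccountId": "222222222222", "Severity": {"Label": "MEDIUM"},
     "Compliance": {"Status": "FAILED"}, "ProductFields": {"ControlId": "S3.9"}},
    {"Id": "f4", "AwsAccountId": "111111111111", "Severity": {"Label": "HIGH"},
     "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.14"}},
]


def route_all(findings, high_risk_accounts=()):
    """Map finding Id -> sorted recipient list; accounts listed in
    high_risk_accounts are treated as members of a High Risk OU."""
    return {f["Id"]: sorted(recipients(f, f.get("AwsAccountId") in high_risk_accounts))
            for f in findings}


if __name__ == "__main__":
    # Swap SAMPLE for fetch_findings(ROUTING) to run against a real account.
    print(json.dumps(route_all(SAMPLE, high_risk_accounts={"222222222222"}), indent=2))
```

Running the sample routes the S3.2 finding to both the account holder and CSOC, the EC2.9 finding in the high-risk account to both (it would go only to CSOC for a non-high-risk account), the S3.9 finding to CSOC only, and the EC2.14 finding to review because its routing is still TBD.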



Keywords:
AWS Security Hub NIST 800-53 
Doc ID:
129990
Owned by:
Steve T. in Public Cloud
Created:
2023-07-27
Updated:
2024-07-24
Sites:
Public Cloud