AWS Security Hub Findings

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Findings. If no potential security issues were found by the service providers (AWS-based and third-party), the Amazon Security Hub findings list is empty, otherwise the service dashboard is listing all the issues found based on their severity.

04 Choose a Security Hub finding that you want to examine, then click on finding title (link) available in the Title column.

05 Once the finding description panel is open, analyze the selected entry by checking the most important attributes:

1. Title – the name of the finding, e.g. "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet."
2. Description – a detailed description of the security finding which includes the AWS resources affected by the security risk e.g. "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234."
3. Account ID – the ID number of the AWS account where the potential security issue described by the selected finding was found.
4. Severity label – the severity label associated with the finding, e.g. "Medium". Possible values are High, Medium, Low and Informational.
5. Product – the solution/service that generates the finding, e.g. "Inspector" (AWS Inspector service).
6. Compliance status – describes the result of the compliance check. Valid values are: "PASSED" (all resources that were checked were found in compliance with the check), "WARNING" (there is configuration information that needs to be supplied that is lacking), "FAILED" (all resources that were checked failed the check) and "NOT_AVAILABLE" (the check could not be performed due to a service outage, an API error, etc).
7. Resources – a set of configuration attributes that describe the resources to which the selected finding refers, e.g. "Resource type: AwsEc2Instance", "Resource ID: arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789", "Resource region: us-east-1".
8. Workflow:
   • Record State – the record state of the security finding. Valid values are "ACTIVE" and "ARCHIVED".
   • Remediation – provides a recommendation on how to remediate the issue identified by the selected finding, e.g. "You can edit the Security Group sg-abcdabcd123456789 to remove access from the internet on port 21".

06 Based on the information returned at the previous step you can analyze the security finding and make a plan to implement the recommended fix (see Remediation/Resolution section for step by step remediation).

07 Repeat steps no. 4 – 6 to analyze other Amazon Security Hub findings found within the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run get-findings command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Names (ARNs) of the Security Hub-aggregated findings available within the selected region:

aws securityhub get-findings
	--region us-east-1
	--query 'Findings[*].Id'

02 The command output should return an array with the requested ARNs:

[
"arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
"arn:aws:inspector:us-east-1:123456789012:target/0-aabbccdd/template/0-1234abcd/run/0-abcdabcd/finding/0-aaaabbbb",

...

"arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.8/finding/12341234-abcd-1234-abcd-123412341234",
"arn:aws:securityhub:us-east-1:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0/3.7/finding/1234abcd-1234-abcd-1234-1234abcd1234"
]

03 Create a JSON document required for get-findings command filtering, as shown in the example below, and save it in a file named finding-id.json. Make sure that you replace the ARN of the Security Hub finding listed for the Value attribute with the ARN of the finding that you want to examine:

{
  "Id": [
    {
      "Value": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
      "Comparison": "EQUALS"
    }
  ]
}

04 Execute get-findings command (OSX/Linux/UNIX) using the ARN of the finding that you want to examine as identifier, listed within finding-id.json document, to describe the selected Amazon Security Hub finding:

aws securityhub get-findings
	--region us-east-1
	--filters file://finding-id.json

05 The command output should return the configuration metadata for selected security finding:

{
    "Findings": [
        {
            "LastObservedAt": "2018-12-10T08:54:03Z",
            "FirstObservedAt": "2018-12-10T08:54:03Z",
            "GeneratorId": "arn:aws:inspector:us-east-1:123456789012:target/0-abcdabcd",
            "Severity": {
                "Product": 9,
                "Normalized": 45
            },
            "Title": "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet.",
            "Resources": [
                {
                    "Region": "us-east-1",
                    "Partition": "aws",
                    "Type": "AwsEc2Instance",
                    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789",
                    "Details": {
                        "AwsEc2Instance": {
                            "SubnetId": "subnet-abcd1234",
                            "VpcId": "vpc-12345678",
                            "ImageId": "ami-012345678aaaabbbb"
                        }
                    }
                }
            ],
            "WorkflowState": "NEW",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
            "Confidence": 10,
            "ProductFields": {
                "attributes:7/key": "SECURITY_GROUP",
                "attributes:9/value": "acl-1234abcd",
                "aws/securityhub/ProductName": "Inspector",
                "attributes:7/value": "sg-012345678abcdabcd",
                "attributes:4/value": "TCP",
                "attributes:1/key": "RULE_TYPE",
                "serviceAttributes/schemaVersion": "1",
                "attributes:5/value": "igw-abcd1234",
                "serviceAttributes/rulesPackageArn": "arn:aws:inspector:us-east-1:123456789012:rulespackage/0-abcdabcd",
                "attributes:6/key": "VPC",
                "attributes:4/key": "PROTOCOL",
                "attributes:3/value": "FTP",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
                "attributes:6/value": "vpc-12345678",
                "attributes:9/key": "ACL",
                "attributes:0/value": "eni-089c2f505015c6291",
                "aws/securityhub/SeverityLabel": "MEDIUM",
                "attributes:10/value": "i-0abcd1234abcd1234",
                "attributes:3/key": "PORT_GROUP_NAME",
                "attributes:8/key": "REACHABILITY_TYPE",
                "attributes:2/value": "21",
                "attributes:5/key": "IGW",
                "attributes:2/key": "PORT",
                "attributes:1/value": "RecognizedPortNoAgent",
                "attributes:8/value": "Internet",
                "serviceAttributes/assessmentRunArn": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd",
                "attributes:10/key": "INSTANCE_ID",
                "attributes:0/key": "ENI",
                "aws/securityhub/CompanyName": "AWS"
            },
            "RecordState": "ACTIVE",
            "CreatedAt": "2018-12-10T08:54:03Z",
            "UpdatedAt": "2018-12-10T08:54:03Z",
            "Remediation": {
                "Recommendation": {
                    "Text": "You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21."
                }
            },
            "Description": "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234.",
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:inspector:us-east-1:123456789012:target/0-aaaabbbb/template/0-abcd1234/run/0-aabbccdd/finding/0-abcdabcd",
            "Types": [
                "Software and Configuration Checks/AWS Security Best Practices/Network Reachability - Recognized port reachable from internet"
            ],
            "AwsAccountId": "123456789012"
        }
    ]
}

06 Analyze the metadata returned for the selected security finding by checking the following output attributes:

1. "Title" – the name of the finding, e.g. "On instance i-abcdabcd123456789, TCP port 21 which is associated with 'FTP' is reachable from the Internet."
2. "Description" – a detailed description of the security finding which includes the AWS resources affected by the security risk e.g. "On this instance, TCP port 21, which is associated with FTP, is reachable from the Internet. You can install the Inspector agent on this instance and re-run the assessment to check for any process listening on this port. The instance i-abcdabcd123456789 is located in VPC vpc-12345678 and has an attached ENI eni-0abcd1234abcd1234 which uses network ACL acl-1234abcd. The port is reachable from the Internet through Security Group sg-012345678abcdabcd and IGW igw-abcd1234."
3. "AwsAccountId" – the ID number of the AWS account where the potential security issue described by the selected finding was found, e.g. "123456789012".
4. "ProductFields.aws/securityhub/SeverityLabel" – the severity label associated with the finding, e.g. "MEDIUM". Possible values are "HIGH", "MEDIUM", "LOW" and "INFORMATIONAL".
5. "ProductFields.aws/securityhub/ProductName" – the service/solution that generates the finding, e.g. "Inspector" (AWS Inspector service).
6. "Compliance.Status" – describes the result of the compliance check. Valid values are: "PASSED" (all resources that were checked were found in compliance with the check), "WARNING" (There is configuration information that needs to be supplied that is lacking), "FAILED" (all resources that were checked failed the check) and "NOT_AVAILABLE" (the check could not be performed due to a service outage, an API error, etc).
7. "Resources"– an array that contains the configuration attributes of the resources to which the selected finding refers, e.g. "Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-abcdabcd123456789", "Region": "us-east-1", etc.
8. "RecordState" – the record state of the security finding. Valid values are "ACTIVE" and "ARCHIVED".
9. "Remediation.Recommendation" – provides a suggestion on how to remediate the issue identified by the selected finding, e.g. "You can edit the Security Group sg-abcdabcd123456789 to remove access from the Internet on port 21".

07 Based on the metadata returned at the previous step you can analyze the security risk described by the finding and implement the recommended fix.

08 Repeat steps no. 3 – 7 to check and analyze other Amazon Security Hub findings found in the selected region.

09 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to Amazon Security Hub dashboard at https://console.aws.amazon.com/securityhub/.

03 In the left navigation panel, choose Findings.

04 Select the Security Hub finding that you want to resolve, then click on finding title (link) available in the Title column.

05 On the selected finding description panel, inside the Workflow section, copy the ID of the insecure EC2 security group available within the finding remediation recommendation (e.g. sg-abcdabcd123456789).

06 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

07 In the navigation panel, under NETWORK & SECURITY, click Security Groups.

08 Paste the security group ID copied at step no. 5 inside the Filter by tags and attributes or search by keyword box and press Enter. The AWS console should return the specified EC2 security group.

09 Select the Inbound tab from the dashboard bottom panel and click Edit to update the existing configuration.

10 In the Edit inbound rules dialog box, choose the ingress rule that has the xPort Range value set to 21 and the Source value set to 0.0.0.0/0 and remove it by clicking the x (delete) button available next to the chosen rule.

11 Click Save to apply the changes and return to the EC2 dashboard.

01 Copy the ID of the EC2 security group described within the selected finding remediation (see Audit section part II, step. no. 5, "Remediation.Recommendation" attribute value to identify the right resource ID).

02 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the security group ID copied at the previous step as identifier, to delete the ingress rules that allow unrestricted inbound access (i.e. 0.0.0.0/0) on port 21 (FTP), as described by the selected Amazon Security Hub finding. The following command example removes an inbound rule that allows public access on TCP port 21 (FTP), from an EC2 security group identified by the ID "sg-abcdabcd123456789" (the command does not produce an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-id sg-abcdabcd123456789
	--protocol tcp
	--port 21
	--cidr 0.0.0.0/0