Security Hub log findings
The CIS benchmark is flagging child accounts that are configured to forward logs to a dedicated log account within the same organization as not having logging configured properly. Would the best practice here be to suppress the log-related findings on those accounts and create a custom Config rule to look for accounts that do not have log forwarding configured?
Is it possible to modify CIS benchmark SNS notifications to include more verbose log data, or does that require a Security Hub finding custom action event? Specifically, the customer is looking for the log data that triggered the event to be in the email, rather than having to go to the Security Hub dashboard. Example: CIS-3.1-UnauthorizedAPICalls - can the log that triggered the threshold be included in the SNS message? I can't seem to locate in the Security Hub documentation whether this is possible without using CloudWatch Events custom findings.
Please see the answer to your questions below:
Q1. For customers with central logging, they can disable the CIS 3.x checks in all child accounts that are pushing logs to a central account and only have these checks in the central logging account. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html
CIS 2.1 and FSBP [CloudTrail.1] - check if CloudTrail is enabled in all regions and if a multi-region trail exists, respectively. As a best practice, customers should have an org trail (which is enabled on all accounts in the organization by default). If the customer is not using an org trail, i.e. they have central logging configured which involves manually adding accounts to the central trail, then they will need a way to audit accounts that are not forwarding to the central trail using a custom rule.
Q2. For CIS 3.x this is only checking if the filters/alarms are in place. As far as I know, if the customer wants details on the activity that triggered the alarm, they will need to use CWE custom findings and transforms. I hope this helps!
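The custom rule suggested for Q1, as an added example that is not part of the original answer: the evaluation logic for a periodic custom AWS Config rule that marks an account NON_COMPLIANT unless an active multi-region trail (org trail or manually added trail) delivers to the central bucket. The bucket name, the `CentralLogBucket` rule parameter and the sample trail records are constructed for illustration.

```python
"""Custom AWS Config rule: does this account forward CloudTrail events to the
organization's central log bucket?  The pure evaluation function is kept
separate from the Lambda entry point so it can be tested without AWS access."""
import json

# Constructed sample records shaped like the trailList[] items returned by
# CloudTrail DescribeTrails (includeShadowTrails=True also lists org trails).
SAMPLE_TRAILS_OK = [
    {"Name": "org-trail", "S3BucketName": "central-org-logs-bucket",
     "IsMultiRegionTrail": True, "IsOrganizationTrail": True},
]
SAMPLE_TRAILS_BAD = [
    {"Name": "local-trail", "S3BucketName": "local-only-bucket",
     "IsMultiRegionTrail": False, "IsOrganizationTrail": False},
]


def evaluate_forwarding(trails, central_bucket, trail_status=None):
    """Return (compliance_type, annotation).
    trail_status maps trail ARN (or Name) -> IsLogging from GetTrailStatus;
    a trail that exists but has logging stopped must not count as forwarding."""
    trail_status = trail_status or {}
    for t in trails:
        if t.get("S3BucketName") != central_bucket:
            continue                      # delivers somewhere else
        if not t.get("IsMultiRegionTrail", False):
            continue                      # CIS 2.1 / CloudTrail.1 want all regions
        if trail_status.get(t.get("TrailARN", t["Name"]), True) is False:
            continue                      # configured but not logging
        return "COMPLIANT", f"Trail {t['Name']} delivers to {central_bucket}"
    return "NON_COMPLIANT", f"No active multi-region trail delivers to {central_bucket}"


def lambda_handler(event, context):
    """Entry point for the periodic Config rule (assumed parameter: CentralLogBucket)."""
    import boto3                          # imported here so tests stay offline
    central_bucket = json.loads(event.get("ruleParameters", "{}"))["CentralLogBucket"]
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    status = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"]
              for t in trails}
    compliance, note = evaluate_forwarding(trails, central_bucket, status)
    invoking = json.loads(event["invokingEvent"])
    boto3.client("config").put_evaluations(
        Evaluations=[{"ComplianceResourceType": "AWS::::Account",
                      "ComplianceResourceId": event["accountId"],
                      "ComplianceType": compliance, "Annotation": note,
                      "OrderingTimestamp": invoking["notificationCreationTime"]}],
        ResultToken=event["resultToken"])
```

Deploy the handler as the Lambda behind an organization-wide Config rule so the finding surfaces in every child account that is missing the forwarding trail.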