Yes, AWS Security Hub can provide compliance status reports for auditing purposes, including for standards like CIS compliance across AWS Organizations.
Security Hub offers a comprehensive view of your security state within AWS and helps you check your compliance with security industry standards and best practices. It consolidates control findings across multiple standards, making it easier to identify misconfigurations and improve your overall security score.
For each standard you subscribe to, such as CIS AWS Foundations Benchmark or PCI DSS (as shown in your Terraform code), Security Hub will generate control findings and provide compliance status. You can view all enabled controls in one place, along with their compliance status and a summary of passed and failed security checks.
Security Hub generates an overall security score for each standard, account, and organization. This score, along with detailed findings, can be used for auditing purposes. The service updates control statuses regularly (typically within 24 hours) based on the latest findings.
While AWS Audit Manager is another tool that can help with compliance auditing, Security Hub itself provides robust compliance reporting capabilities. You can use Security Hub to continuously monitor your compliance status, view detailed findings, and generate reports for auditing purposes without necessarily needing to use Audit Manager.
However, it's worth noting that Audit Manager does offer some additional features specifically designed for audit management, such as the ability to create custom frameworks and automate evidence collection. Depending on your specific auditing needs, you might find value in using both Security Hub and Audit Manager together.
Sources
Evaluating compliance status and control status in Security Hub - AWS Security Hub
Cloud Security Posture Management – AWS Security Hub Features – Amazon Web Services
Compliance validation for AWS Audit Manager - AWS Audit Manager
To answer your question regarding reporting specifically: In Security Hub, the Compliance.Status field of the AWS Security Finding Format describes the result of a control finding. Security Hub uses the compliance status of control findings to determine an overall control status. You can enable various frameworks, including CIS, PCI DSS, etc., based on your use case to collect the control findings. For reporting these findings for auditing purposes, you will need to use Audit Manager, where you can create an assessment; Audit Manager then automatically starts to assess resources in your AWS accounts based on the controls that are defined in the framework. Audit Manager collects this evidence type from AWS Security Hub and AWS Config. For Security Hub, evidence collection follows the schedule of your Security Hub checks. For more information about the schedule of Security Hub checks, see Schedule for running security checks in the AWS Security Hub User Guide. For more information about the Security Hub checks supported by Audit Manager, see AWS Security Hub controls supported by AWS Audit Manager.
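As an added illustration of how the Compliance.Status field described in both answers rolls up into a per-standard status you can put in front of an auditor (this is example code, not AWS's or the answerers' own): the findings below are constructed ASFF-shaped records with placeholder StandardsIds, the roll-up rule (any FAILED finding fails the control, archived or suppressed findings are ignored) follows the Security Hub documentation, and the score formula, passed controls over passed plus failed, is an assumption that approximates the Security Hub security score. In practice the input list would come from the Security Hub GetFindings API.

```python
"""Roll up Security Hub control findings (ASFF) into a per-standard compliance
summary for an audit report. Added illustration, not AWS or re:Post code."""
from collections import defaultdict

def _f(status, control, standards, record="ACTIVE", workflow="NEW"):
    """Build a minimal constructed ASFF finding with the fields the roll-up uses."""
    return {"Compliance": {"Status": status, "SecurityControlId": control,
                           "AssociatedStandards": [{"StandardsId": s} for s in standards]},
            "RecordState": record, "Workflow": {"Status": workflow}}

# Constructed sample data; standard ids are placeholders, not real StandardsIds.
SAMPLE_FINDINGS = [
    _f("PASSED", "IAM.1", ["cis-1.4"]),
    _f("FAILED", "IAM.1", ["cis-1.4"]),                        # one FAILED fails the control
    _f("FAILED", "S3.1", ["cis-1.4"], workflow="SUPPRESSED"),  # suppressed: ignored
    _f("PASSED", "S3.1", ["pci-dss"], record="ARCHIVED"),      # archived: ignored
    _f("PASSED", "S3.1", ["cis-1.4", "pci-dss"]),
    _f("WARNING", "EC2.1", ["pci-dss"]),
]

# Roll-up precedence: any FAILED finding fails the control, then WARNING, then PASSED.
_RANK = {"FAILED": 3, "WARNING": 2, "PASSED": 1, "NOT_AVAILABLE": 0}

def control_statuses(findings):
    """Map (standard, control) -> rolled-up status over active, unsuppressed findings."""
    rollup = {}
    for f in findings:
        if f.get("RecordState") != "ACTIVE" or f.get("Workflow", {}).get("Status") == "SUPPRESSED":
            continue
        comp = f.get("Compliance", {})
        status = comp.get("Status") if comp.get("Status") in _RANK else "NOT_AVAILABLE"
        for std in comp.get("AssociatedStandards", []):
            key = (std["StandardsId"], comp.get("SecurityControlId", "UNKNOWN"))
            if _RANK[status] > _RANK.get(rollup.get(key), -1):
                rollup[key] = status
    return rollup

def compliance_report(findings):
    """Per-standard control counts plus score = passed / (passed + failed) controls (assumed rule)."""
    per_std = defaultdict(lambda: dict.fromkeys(_RANK, 0))
    for (std, _ctl), status in control_statuses(findings).items():
        per_std[std][status] += 1
    report = {}
    for std, c in per_std.items():
        scored = c["PASSED"] + c["FAILED"]
        report[std] = {**c, "score_pct": round(100 * c["PASSED"] / scored, 1) if scored else None}
    return report
```

Calling compliance_report(SAMPLE_FINDINGS) gives cis-1.4 a 50.0 score (IAM.1 failed, S3.1 passed) and pci-dss 100.0 (S3.1 passed, EC2.1 only a warning), which is the shape of table an auditor typically asks for per standard.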