Questions tagged with AWS Security Hub

how to get regional endpoints in a real scenario? I tried: return g_boto3_session.client(service, region_name=region, aws_access_key_id=access_key, aws_secret_access_key=secret_key, aws_session_token=security_token, config=config, endpoint_url=https://sts.us-west-2.amazonaws.com)

I am having issue on having 1000's of findings in Security Hub which says "Compliance Status: Passed" usually they close after some period of time, but we generate daily reports and need to list the positive findings from CLI Atleast. Wondering if any one has any knowledge on this please share, I am trying on **- Planning to list the findings in CLI which says "Compliance Status: Passed" and close them from CLI** Having hard time with query in cli with this security hub. If anyone call help really appreciate it.

In the "results" view page of the Standards Controls (AWS, CIS), the the statistics ribbon displays a number of data, include are "Enabled", "Failed", "Disabled in this account" and "Disabled in all accounts" Does anyone know what "Disabled in all accounts" does and how it works? I've Disabled several controls, across several accounts and regions and do not see the "Disabled in all accounts" tile reflect those presuming that's what its supposed to do. Can anyone confirm, what it is, what it does, and does it work?

Hi everyone, I need help urgently!! my account was hacked on March 20th and billing is around 24k USD, I raised the case on March 24th when I notice the problem, but, the case in AWS Support has not so much progress. I did the following actions: - Modified password and MFA - Removed users and groups that I dont recognize - Released the dedicated hosts that were created under my account (17) - Removed other components (like Elastic IP) that was not created by me I dont know what else must I do now, I have 2 days waiting for a reply from AWS Support but it is taking long and I'm totally desperate now, can't sleep with this issue :'( Anyone that can help me, with more instructions to secure my account and/or escalating the case, my main concern is about the billing amount, unfortunately I can't affort pay for it, my account was mainly for testing, explore and implement University homeworks. How can I demonstrate that these configurations were not created by me? I will be very grateful with any help! *edited: Removed Case ID -— Brian D.

Hi, I'm enabling server access logging on all S3 buckets, as per SecurityHub recommendations. But now it also wants access logging on the access logging buckets and it warns (very good) that source and destination bucket cannot be the same. What is the preferred solution, here, then? Because even when one would send server access logs for the server access log buckets to another bucket in the same account, it still remains a recursion problem. It seems a bit odd to need to have access logging enabled on the access logging buckets. Another issue I don't understand iss that, although S3 server access logs are appearing as they should in the designated server access log buckets, I notice that TrustedAdvisor points out a problem that there is a problem of "Write Not Enabled" for _all_ of the S3 buckets and that, therefore, Server Access Logging is wrongly configured for all S3 buckets in the account (even though it actually works perfectly well). The permissions on the server access logging buckets also correctly give PutObject access to logging.s3.amazonaws.com. Is this a known problem, in any way? Thanks!

The SecurityHub detection results have the following titles: `4.3 Ensure the default security group of every VPC restricts all traffic` In response, we have removed the default security group inbound and outbound rules. After that, I re-evaluated with Config. After re-evaluation, the SecurityHub detection results show both PASSED and FAILED with the above title. The update date and time of PASSED is the time when it was re-evaluated by Config. On the other hand, the update date and time of FAILED is 19 hours ago. Why are both PASSED and FAILED displayed for the same detection result?

Question regarding Security Hub [EC2.10] This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service. What if no EC2 instances are created? When it's an all-lambda environment, for example. An EC2 endpoint for VPCs in all regions incurs costs, even though it is not used. This requirement does not really make sense. Can I just disable it? Thanks.

Hi, Whilst I am able to run and complete a sample app in AWS CDK, When trying to follow the blog post on [Security Hub pipeline](https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/) I am consistently getting module errors for aws_cdk. Is there any ability to be provided cloudformation for what the cdk script is trying to establish? Thanks,

Hi, I am working on resolving various AWS CIS Benchmarks in Security Hub and I am wondering if there is any way to re-run or manually trigger to re-check the rule if compliance is met. I've updated multiple configurations to comply with rules that are currently at failed status, but I don't see an option to force security hub to re-evaluate whether various benchmarks are currently in compliance or not. Thanks!

Hi, struggling with consolidating logs. I want to enable server access logging in S3 as well as VPC flow logging. Both need to have a logging bucket per region. That is not very scalable. Can't this be consolidated into one bucket? I'd also be fine having it all sent to a centralized log-archive account, if possible, but that probably needs bucket replication and doesn't solve the original issue of so many buckets required. Config logs and cloudtrail logs are nicely consolidated, but server access logs and VPC flow logs are not. A related point is if server access logging must be enabled (security-wise) on the bucket where server access logging takes place, don't you get into an endless loop? :/ Thanks!

Hi, Enabling SecurityHub on my accounts. Thus asked to enable AWS Config on all accounts in all regions. Found the AWSConfig StackSet that does this automatically. Great automation, but is it expected that I get buckets for all regions in my accounts? That's around 20 buckets already and the regular S3 quota in an account is 100. One account runs into bucket limits now. It seems odd Config logs occupy 20% of S3 quota... I do have a Config Aggregator enabled in the security-tooling account, but that doesn't seem to help. Can anyone confirm this is expected, or advise a best practice to do it another way? Thanks!

Hi, New to SecurityHub. Using AWS Organizations (not Control Tower) and made a new 'security-tooling' account as recommended in best practices to act as Master account for SecurityHub. I then delegated SecurityHub in all other accounts (3 accounts plus the management account) to this master account. SecurityHub Settings shows 3 Members (the non-management accounts), but the AWS Organizations Management account is listed as 'No Member' and cannot be added as a Member either. Red error message when I try using Actions: Adding 1 Member Failed. Why is the management account not added as a member automatically and why can't I add it? The management account has the exact same delegation to the security-tooling account as the other non-management accounts. Thanks.

Our website hosted on AWS when searched by Google indicates a "This site has been hacked" message. I have tried to add a DNS text entry and install an HTML provided by Google but neither appear to be resolving the issue. Anyone throw any light on this?

Hello Checking out the Security Hub findings, we have multiple reports of a CRITICAL issue with the description Security Hub *RDS.1 RDS snapshot should be private * but the snapshots that are targeted are deleted and are no longer available in the AWS Console RDS snapshots tab. The Record state of the finding is ARCHIVED, but we don't get why the findings were triggered at all on those snapshots ( and also no trigger was found on the current existing ones ). All the snapshots that we have are encrypted and according with the documentation: *If the source is encrypted, DB snapshot visibility is set as Private because encrypted snapshots can't be shared as public.* so our snapshots should not have gotten in a public state at any point. So what can be the cause of us seeing those Security Hub findings and how can we make sure we no longer have them?

It’s not In the dashboard and I have searched it in the new search bar for cases and it’s not with the resolved cases nothing. A red box appears and it says ‘invalid Case ID’

HI there, is it good to find out these questions before conducting a IT security assessment on the cloud? What is the type of cloud services that is required to be tested a. Infra as a Service – Amazon, Rackspace b. Software as a Service – component required to run the app is supplied, tenant will supply the app c. Platform as a Service – Salesforce, mailchimp 2. Is there root access provided for the IaaS? 3. Are you using an on-premise tools or a cloud based for VA? 4. Are you using the CSP provider for other purpose rather than hosting a website? (Containers, Kubernetes, Dockers) 5. For the API are you using different cloud service provider?

Hello, in our Test Org. we installed Control Tower like described in (https://www.youtube.com/watch?v=CwRy0t8nfgM) after that we set up IAM Access Analyzer, GuardDuty and SecurityHub like described in (https://youtu.be/hhvs4ZHGdIg). In SecurityHub i get the message AWS Config is not active in the Masteraccount of the Org.. Does this conflict with CT when i activate it, if not why the set up templates and files from git dont activate it on installation? Links followed for the set up: ControlTower * [https://docs.aws.amazon.com/controltower/latest/userguide/existing-orgs.html]() SecurityHub etc. * [https://aws.amazon.com/de/blogs/mt/enabling-aws-identity-and-access-analyzer-on-aws-control-tower-accounts/]() * [https://aws.amazon.com/de/blogs/mt/automating-amazon-guardduty-deployment-in-aws-control-tower/]() * [https://aws.amazon.com/de/blogs/mt/automating-aws-security-hub-alerts-with-aws-control-tower-lifecycle-events/]() * [ https://github.com/aws-samples/aws-service-catalog-reference-architectures/tree/master/security/guardduty]() * [https://github.com/aws-samples/aws-control-tower-securityhub-enabler/releases/tag/v2.2]()

Hi All, I'm a student and opened my account for learning purpose a year back and suddenly last week I got a mail from amazon of suspicious activity and they have created a ticket . Since then my billing has been around 14k dollars . I keep on following with amazon customer support they provide some h*ll lot of documents to go through before they take any action . I'm really worried about the billing and I don't want this account as well. Can anyone help me with solving this like closing this account will help as my bill hasn't been paid Thanks

I delegated management responsibility of Security Hub from my Control Tower management account to another account and, using a user with admin privileges in that account, enabled Security Hub, auto-enrolled new accounts, and clicked "Enroll" to enroll all existing accounts in my organization. For over 24 hours, all of those accounts have been stuck in a "Enabling in process" status. Is there anything I can do to resolve this? I feel like it shouldn't take this long to enroll member accounts.

I am noticing a very small charge of $0.03 every day in my account even though SecurityHub is turned off in all my accounts in OU. I have followed the instructions as per AWS documentation to turn off Security Hub and I can confirm that it's not active. I have also turned off Amazon Inspector checks and none of the services that are part of SecurityHub are enabled. I was wondering if you could guide me on where else I can look for the charge. ``` Security Hub ($) 0.03 ```

How can one find all public objects of any of the current account owned S3 buckets? Either trough the `aws s3` command line, through the console or through some specialized AWS service.

I have a personal AWS account and manage multiple AWS accounts for my company. AWS does not allow the same phone number across multiple accounts. What are the best practices for this scenario? And should we use a personal phone number for company owned AWS accounts?

Hello, I developed a back-end web application that connects to a Twilio API so that my app can send users text message reminders. I developed it in Spring Boot and my .jar file had my sensitive twilio account information. I quickly moved it from my .jar file into environment variables on EB to make it more secure. However, I found out yesterday that my twilio account was hacked and someone used account to send a lot of messages to/from Morocco (unclear exactly what happened). Is there any possible way that my twilio account information was exposed when I uploaded my spring boot application to AWS elastic beanstalk? Would love if anyone can help me get to the bottom of this as I can't figure out how my twilio account information was stolen. Best, Sai

We have been using an LS instance (preconfigured Ubuntu 20.04lts VM) running PLESK and a wordpress site for our church. Has been up for about a month. Today, I got an email from AWS about an abuse. The report shows that the IP6 was doing automated crawling: ******* * Log Extract: <<< ****We are seeing automated scraping of Google Web Search from a large number of your IPs/VMs. ********** There's nothing in the data of the report except this: **+----------------------------------------+--------------------------+----------+---------------------+ | Source | Time_UTC | Destination | DestPort | +----------------------------------------+--------------------------+----------+---------------------+ 2600:1f18:6502:5000:a087:4d0e:325:9709 2021-12-13 22:17:01 2607:f8b0:4004:808::2004 443** The prebuilt VM (an ubuntu 20.04 LTS preconfigured with Wordpress/plesk) had IP6 enabled by default. So I need some help as this is not my area of expertise. When I run NETSTAT -AN, I see no established connections over that IP6 address. Since we don't use IP6, I have disabled it. But there was no established IP6 connections to any endpoint, let alone the one noted specifically above). Still, I'm concerned my system is compromised. I don't really know what to do. I had the Network config and the WAF limiting access, bu somehow the system looks to have been compromised. How do I root out whether there's a breach, an already in place virus or malware or rootkit? How do I scan my system for threats?

so far my company uses the aws client vpn, which is authenticated through the google workspace saml. the user's vpn access is authenticated by his/her google mail, is anyway I can track the user's behavior, like which aws resource he/she access or modified? is any software or service i can levelrage? I appreciate you thoughts.

In a multi-account environment w/ AWS Organizations enabled - what are the best practices for deploying/enabling GD, Macie, Sec Hub? - how to enable the services (stacksets, pipeline, orgs) - what roles/SRLs are optional (comply w/ least privilege) - how to handle finding aggregation - recommendations for upkeep of services - gotcha's to look out for

I hope this is not a dumb question and I'm just overlooking something. I'm trying to figure out how to get the Security Score from a set of enabled controls (CIS) via CLI/Boto/Golang, etc. I don't see any options where to pull it from or how to calculate it. Has anyone done this before?

Someone is using my apache webserver installed on EC2 instance (Amazon Linux 2) to DOS attack other sites I have these logs in **my** apache access_log servername.com:80 127.0.0.1 - - \[21/Oct/2020:07:49:03 -0400] 127.0.0.1 "GET / HTTP/1.1" 404 370 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0” servername.com:80 127.0.0.1 - - \[21/Oct/2020:07:50:26 -0400] cpanel.edojewelry.site "GET /wp-login.php HTTP/1.1" 404 370 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0” The log report on the target website x.x.x.x - - \[21/Oct/2020:07:01:13 +0200] "POST /xmlrpc.php HTTP/1.1" 403 1228 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" x.x.x.x - - \[21/Oct/2020:07:01:11 +0200] "POST /wp-login.php HTTP/1.1" 200 2035 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" How do we prevent this or configure apache to not allow such attacks ? Is it possible to deny outgoing traffic from my instance to port 80 ? Or should I go with a tool to prevent these outbound DOS ? Edited by: wirescale on Oct 22, 2020 8:45 AM

I have Control Tower (plus the extensions) running in my organization master and am trying to set up a Security Hub master in the audit account. I can send out invites but they are never received in the member accounts. I found one post in awslabs github issues for aws-securityhub-multiaccount-scripts that said the control tower guard rails were preventing setup but didn't say which ones or exactly what was prevented. Are there known compatibility issues between Control Tower and setting up Security Hub master in the audit account? This setup would seem to be a common arrangement.

The CIS benchmark is flagging child accounts that are configured to forward logs to a dedicated log account within the same organization as not having logging configured properly. Would the best practice here be to suppress the log related findings on those accounts and create a custom config rule to look for accounts that do not have log forwarding configured? Second question: Is it possible to modify CIS benchmark SNS notifications to include more verbose logdata or does that require a Security hub Finding custom action event? Specifically the customer is looking for the log data that triggered the event to be in the email, rather than having to go to the security hub dashboard. Example, CIS-3.1-UnauthorizedAPICalls - can the log that triggered the threshold be included in the SNS message? I can't seem to locate in the security hub documentation if this is possible without using Cloudwatch events custom findings.

I don't see this mentioned in the documentation and I do not see any options in the console, so I thought I would double check here to ensure I am not missing anything: 1. Can you create your own Security Standard that has a set of rules that you'd like your accounts to comply with? 2. Can you customize existing Security Standards? For example, before enabling the CIS Benchmark, can I disable all Level 2 controls? Or is the only way to do this to enable the standard and then disable individual controls afterwards? Perhaps using another tool that can integrate with Security Hub, such as Prowler, is the way to go for a custom Security Standard? Thank you

I noticed BatchImportFindings returns an error if i try to send more than 100 objects. I am trying to find a reference to that value in the AWS SDK and can't find any, is it missing? If not, can anyone point me to documentation about that value? Thank you.

Hi Are there any plans to have CloudWatch events trigger automatically? From what I understand and tested, the only way to trigger an event is to use a custom action and a manual press it. This seems very limited and would very much like something that automatically sends events when a finding is found. The event pattern: ``` { "source": [ "aws.securityhub" ] } ``` only seems to trigger on manual custom actions taken from Security Hub. We are trying to make security hub automatically create incidents in our own ticket system and not having to check every account/region for new findings. Is this just me not getting how this works, or is there a plan to implement this?

Hello, We have been failing CIS "3.3 Ensure a log metric filter and alarm exist for usage of "root" account" compliance check. We have a metric filter in place to detect and alert for this action. I am not sure what needs to happen to pass the compliance check. This is current filter pattern on the cloudtrail logs in cloudwatch: {( $.userIdentity.type = "Root" ) && ( $.userIdentity.invokedBy NOT EXISTS ) && ( $.eventType != "AwsServiceEvent" )}