Streamlining Security Management

AWS Security Hub's Evolution

AWS re:Invent 2023 had very little in the way of announcements around Management and Governance, my core competency and concern.

One announcement, however, struck deep in solving an issue I've faced since taking on my recent role managing the security and governance of four greenfield AWS Organizations.

That announcement... New from AWS: You can now customize security controls in AWS Security Hub

From the title, it doesn't sound like much. This could already be done on a per-account basis. My challenge was setting the standard for developers and operators to live by within many accounts across multiple organizations.

I set the requirements of:

  • All critical and high controls are required

    • Those outside the control of the individual account owners and teams I would disable with a comment

    • Disabling a control meant, to the developers, "I got this one", or that it is inherited

  • Mediums are owned by developers unless they could be inherited

  • Lows mostly taken care of by globally deployed management solutions and standards.

Up until re:Invent 2023, the solution to do that very thing required a custom solution not native to the AWS Security Hub service itself. This seemed counterintuitive. An AWS Service that could already be delegated for Organizational level management seemed like it should already do this, but it took a few years for the functionality to be part of the service itself. I'm sure all of this is much more complicated on the back end than it seems and for that, I give a lot of grace.

In the interim for deploying four new AWS Organizations, the solution was to deploy an AWS-Samples solution which allowed cross-account control disabling. I wrote about this solution in an earlier issue of my AWS Management & Governance Newsletter - Unlimited Leave. You can read that issue here:

https://newsletter.unlimitedleave.com/p/security-hub-integrates-with-control-tower

The implementation of that solution required me to build a personally managed project with the AWS Samples solution(s) as a submodule. This wasn't a big deal, but it did add some additional complexity, some of which is self-inflicted due to having multiple AWS Organizations.

A topic I cover here.

Regardless of the complexities, this sample solution got the job done, albeit not very intuitively.

Challenges of the Old Process

While effective, this approach had several drawbacks:

  1. Complex Setup and Maintenance: Implementing the custom solution required considerable effort, including setting up Lambda functions and Step Functions and ensuring they worked seamlessly across all accounts.

  2. Additional Documentation Needed: Deploying a solution not native to the AWS Service requires faith in the referenced solution itself, how well it is documented, as well as custom documentation for how the solution is deployed for your use case.

  3. Manual Updates and Scalability Issues: Any changes in Security Hub controls necessitated manual updates to the script. This was not only time-consuming but also prone to errors, especially in large, dynamic environments. The consolidation of Control IDs across standards had a major impact on this.

  4. Limited Visibility and Control: The custom solution provided basic functionality but lacked the sophistication to offer granular control or insights into security posture across accounts.

  5. Core functionality not obvious: Even though the roll-up of controls for the whole organization could be in the central delegated account, and across regions, the solution needed to be deployed to every active region to work. Or, worse yet, at the time Security Hub and AWS Config didn't honor the fact that "Global" resources and controls were only enabled in the "Home Region" of your Control Tower deployment. This led to much back and forth with the Security Hub (SH) team and ultimately to temporarily turning off SH in secondary regions.

The Game-Changer

The landscape of cloud security management took a significant turn with the announcement at AWS re:Invent 2023. AWS unveiled enhanced central configuration capabilities in Security Hub, marking a pivotal advancement in how security controls are managed.

Key Features of the Updated Security Hub

  1. Centralized Control Management: Users can now enable or disable specific security standards and controls across all accounts from a single, central location.

  2. Automated and Scalable: The new features automate what was previously a manual and error-prone process, facilitating scalability and consistency across large AWS environments.

  3. Enhanced Visibility and Compliance: With centralized control, it's easier to maintain a consistent security posture and compliance status, as changes are propagated automatically across all accounts.
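
As an added example (not code from this post or from AWS-Samples), here is one way to express the requirements above as a Security Hub central configuration policy with boto3: controls stay enabled unless they are inherited, and nothing is disabled without a comment. It assumes central configuration is already enabled for the organization; the control inventory, its severities and comments, the region in the standard ARN, and the helper names `build_policy` and `apply_policy` are constructed for illustration.

```python
# Added example: build a Security Hub central configuration policy from a
# control inventory. All inventory rows below are constructed sample data.
FSBP_ARN = ("arn:aws:securityhub:us-east-1::standards/"
            "aws-foundational-security-best-practices/v/1.0.0")  # region assumed

# (control_id, severity, inherited, comment)
INVENTORY = [
    ("IAM.6", "CRITICAL", True, "Root MFA is managed by the org security team"),
    ("EC2.19", "CRITICAL", False, ""),
    ("CloudTrail.1", "HIGH", True, "Organization trail deployed by Control Tower"),
    ("S3.9", "MEDIUM", False, ""),
]


def build_policy(inventory):
    """Return (ConfigurationPolicy dict, {control_id: comment})."""
    disabled, reasons = [], {}
    for control_id, severity, inherited, comment in inventory:
        if not inherited:
            continue  # stays enabled: the account team owns the finding
        if not comment.strip():
            # DisabledSecurityControlIdentifiers is a plain list of IDs,
            # so the "disable with a comment" rule is enforced here.
            raise ValueError(f"{control_id} ({severity}) disabled without a comment")
        disabled.append(control_id)
        reasons[control_id] = comment
    policy = {
        "SecurityHub": {
            "ServiceEnabled": True,
            "EnabledStandardIdentifiers": [FSBP_ARN],
            "SecurityControlsConfiguration": {
                "DisabledSecurityControlIdentifiers": sorted(disabled),
            },
        }
    }
    return policy, reasons


def apply_policy(name, policy, reasons, root_id):
    """Create the policy and associate it with the organization root."""
    import boto3  # imported here so build_policy runs without AWS access
    hub = boto3.client("securityhub")  # delegated admin account, home region
    # Keep the comments with the policy; truncated to fit the description field.
    description = "; ".join(f"{c}: {r}" for c, r in sorted(reasons.items()))[:512]
    created = hub.create_configuration_policy(
        Name=name, Description=description, ConfigurationPolicy=policy)
    hub.start_configuration_policy_association(
        ConfigurationPolicyIdentifier=created["Id"], Target={"RootId": root_id})
    return created["Id"]
```

Running `build_policy` in CI against the inventory catches a control disabled without a comment before `apply_policy` pushes anything to the organization.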

Comparing Old and New: A Leap in Efficiency

The contrast between the old and new methods of managing security controls in AWS is stark:

  • Ease of Use: The updated Security Hub eliminates the need for custom scripts and manual intervention, offering a straightforward, user-friendly interface.

  • Time and Resource Efficiency: What used to take hours of scripting and testing can now be accomplished in minutes with a few clicks.

  • Consistency and Reliability: The central configuration feature ensures consistent application of security controls, reducing the risk of misconfigurations and compliance issues.

  • Most importantly: True AWS Support. The second you deploy an AWS-Samples solution, you're pretty much on your own. While the community on some of these projects is strong, the gist of the sample solutions seems to be side (or passion) projects asked of team members by AWS leadership which help with performance reviews and level increases. Don't get me wrong, every one of these solutions or reference architectures is great, but if they aren't part of the core service, you never know how long support is going to last.

Core Functionality

The evolution of AWS Security Hub, especially with the latest updates announced at AWS re:Invent 2023, represents a significant stride in cloud security management. The shift from relying on custom solutions to leveraging integrated, centralized features not only simplifies security control management but also enhances overall security and compliance.

Anytime a custom implementation is required, specifically regarding security, you increase the risk of security issues. The solution may stop working or not be reliable (in the case of Control IDs being consolidated). The implementation of security protocols many times can be a vulnerability all by itself. This core service feature helps minimize that vulnerability.


Until next time, Cloud Security.
- Ross