Posted On: Feb 16, 2022

AWS Security Hub has released 13 new controls for its AWS Foundational Security Best Practices standard (FSBP) to enhance customers' Cloud Security Posture Management (CSPM). These controls run fully automated checks against security best practices for Amazon CloudFront, Amazon EC2 (including Auto Scaling and AWS Site-to-Site VPN), Elastic Load Balancing, Amazon OpenSearch Service, Amazon Relational Database Service (RDS), and Amazon Simple Storage Service (S3). If you have Security Hub set to automatically enable new controls and are already using AWS Foundational Security Best Practices, these controls are enabled by default; otherwise you need to enable them for each account and region. Security Hub now supports 175 security controls that automatically check your security posture in AWS.

The 13 FSBP controls that we have launched are:

  • [OpenSearch.1] OpenSearch domains should have encryption at rest enabled
  • [OpenSearch.2] OpenSearch domains should be in a VPC
  • [OpenSearch.3] OpenSearch domains should encrypt data sent between nodes
  • [OpenSearch.4] OpenSearch domain error logging to CloudWatch Logs should be enabled
  • [OpenSearch.5] OpenSearch domains should have audit logging enabled
  • [OpenSearch.6] OpenSearch domains should have at least three data nodes
  • [OpenSearch.8] Connections to OpenSearch domains should be encrypted using TLS 1.2
  • [Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have public IP addresses
  • [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates
  • [S3.9] S3 bucket server access logging should be enabled
  • [EC2.20] Both VPN tunnels for an AWS Site-to-Site VPN connection should be up
  • [ELB.9] Classic Load Balancers should have cross-zone load balancing enabled
  • [RDS.11] RDS instances should have automatic backups enabled

We have added two of these controls (OpenSearch.1 and OpenSearch.2) to Security Hub's standard for the Payment Card Industry Data Security Standard (PCI DSS) v3.2.1.
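Because the new controls are only enabled automatically in accounts that have opted in to auto-enabling new controls, the practical follow-up is to confirm their status in every account and region. The script below is an added example, not code from the announcement or from AWS: it pages through the Security Hub DescribeStandardsControls API for the FSBP subscription and reports which of the 13 controls are not ENABLED. The `control_status` function is pure and is exercised on constructed sample data; the live query assumes boto3 is installed, that the caller holds `securityhub:DescribeStandardsControls` and `sts:GetCallerIdentity`, and that the FSBP subscription ARN follows the `.../subscription/aws-foundational-security-best-practices/v/1.0.0` pattern. Control IDs are matched case-insensitively because the API's capitalization of some IDs (for example AutoScaling.5) differs from the announcement's.

```python
"""Added example (not from the AWS announcement): report the enablement
status of the 13 new FSBP controls in the current account and region.

Assumptions not stated on the page: boto3 is available for the live query,
the caller has securityhub:DescribeStandardsControls and
sts:GetCallerIdentity, and the FSBP subscription ARN has the form
arn:aws:securityhub:<region>:<account>:subscription/
aws-foundational-security-best-practices/v/1.0.0
"""
from __future__ import annotations

from typing import Dict, Iterable, List

try:
    import boto3  # only needed for the live query in main()
except ImportError:  # keeps the pure functions importable without boto3
    boto3 = None

# The 13 control IDs exactly as listed in the announcement.
NEW_FSBP_CONTROLS: List[str] = [
    "OpenSearch.1", "OpenSearch.2", "OpenSearch.3", "OpenSearch.4",
    "OpenSearch.5", "OpenSearch.6", "OpenSearch.8",
    "Autoscaling.5", "CloudFront.7", "S3.9", "EC2.20", "ELB.9", "RDS.11",
]

# Constructed sample shaped like DescribeStandardsControls "Controls" entries
# (only the fields this script reads); not real account data.
SAMPLE_CONTROLS: List[dict] = [
    {"ControlId": "OpenSearch.1", "ControlStatus": "ENABLED", "SeverityRating": "MEDIUM"},
    {"ControlId": "OpenSearch.2", "ControlStatus": "DISABLED",
     "DisabledReason": "domain is intentionally public (constructed)"},
    {"ControlId": "S3.9", "ControlStatus": "ENABLED", "SeverityRating": "MEDIUM"},
    {"ControlId": "RDS.11", "ControlStatus": "ENABLED", "SeverityRating": "MEDIUM"},
    {"ControlId": "EC2.1", "ControlStatus": "ENABLED"},  # unrelated control, ignored
]


def control_status(controls: Iterable[dict],
                   wanted: Iterable[str] = NEW_FSBP_CONTROLS) -> Dict[str, str]:
    """Map each wanted control ID to its ControlStatus.

    Returns 'ENABLED' or 'DISABLED' as reported by the API, or 'MISSING' when
    the standard in this region does not list the control at all (for example,
    a region where the new controls have not rolled out yet). IDs are compared
    case-insensitively (assumption: API spelling may be AutoScaling.5).
    """
    by_id = {c["ControlId"].lower(): c.get("ControlStatus", "UNKNOWN") for c in controls}
    return {cid: by_id.get(cid.lower(), "MISSING") for cid in wanted}


def not_enabled(status: Dict[str, str]) -> List[str]:
    """Control IDs that need attention: anything other than ENABLED."""
    return sorted(cid for cid, s in status.items() if s != "ENABLED")


def fetch_fsbp_controls(region: str, account_id: str) -> List[dict]:
    """Live query: page through DescribeStandardsControls for the FSBP subscription."""
    if boto3 is None:
        raise RuntimeError("boto3 is required for the live query")
    client = boto3.client("securityhub", region_name=region)
    arn = (f"arn:aws:securityhub:{region}:{account_id}:subscription/"
           "aws-foundational-security-best-practices/v/1.0.0")
    controls: List[dict] = []
    kwargs = {"StandardsSubscriptionArn": arn}
    while True:  # manual NextToken loop; works on any boto3 version
        resp = client.describe_standards_controls(**kwargs)
        controls.extend(resp["Controls"])
        token = resp.get("NextToken")
        if not token:
            return controls
        kwargs["NextToken"] = token


def main(region: str = "us-east-1") -> None:
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    status = control_status(fetch_fsbp_controls(region, account_id))
    for cid in not_enabled(status):
        print(f"{region} {account_id} {cid}: {status[cid]}")


if __name__ == "__main__":
    main()
```

Run it once per region in each member account (or from the delegated administrator with a role per account); a control reported as MISSING is not a misconfiguration but a sign that the standard in that region does not yet carry the control, so re-check after the rollout rather than trying to enable it.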

Security Hub also added two integration partners, which brings Security Hub up to 75 total partners. The new integration partners are Sonrai and Fugue. Sonrai Dig sends findings to Security Hub and monitors and remediates cloud misconfigurations and policy violations to help customers improve their security and compliance posture. Fugue is an agentless, scalable cloud-native platform that automates the continuous validation of infrastructure-as-code and cloud runtime environments using the same policies, and delivers those findings to Security Hub.

AWS Security Hub is available globally and is designed to give you a comprehensive view of your security posture across your AWS accounts. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, including Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Systems Manager Patch Manager, AWS Config, AWS Health, AWS IAM Access Analyzer, as well as from over 60 AWS Partner Network (APN) solutions. You can also continuously monitor your environment using automated security checks based on standards, such as AWS Foundational Security Best Practices, the CIS AWS Foundations Benchmark, and the Payment Card Industry Data Security Standard. In addition, you can take action on these findings by investigating findings in Amazon Detective or AWS Systems Manager OpsCenter or by sending them to AWS Audit Manager or AWS Chatbot. You can also use Amazon EventBridge rules to send the findings to ticketing, chat, Security Information and Event Management (SIEM), response and remediation workflows, and incident management tools. 

You can enable your 30-day free trial of AWS Security Hub with a single click in the AWS Management Console. To learn more about AWS Security Hub capabilities, see the AWS Security Hub documentation, and to start your 30-day free trial see the AWS Security Hub free trial page.