AWS Cloud Operations Blog
Diagnose and remediate AWS Security Hub findings with AWS Systems Manager OpsCenter and Explorer
In this post, we will show you how to configure AWS Systems Manager OpsCenter to aggregate security findings from AWS Security Hub into OpsCenter as operational issues. OpsCenter helps operations engineers and IT professionals reduce issue resolution time by providing a central place to view, investigate, and resolve security issues. AWS Systems Manager Explorer provides an aggregated summary of Security Hub operational issues across multiple accounts and Regions.
Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. For more information about Security Hub features, see the AWS Security Hub is now generally available blog post.
Most customers segregate their security issues (for example, publicly accessible Amazon Simple Storage Service (Amazon S3) buckets on Amazon Elastic Compute Cloud (Amazon EC2) instances) and operational issues (for example, underutilized Amazon Redshift instances or overutilized EC2 instances). They use Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. But because security and operational issues can overlap, you might prefer to consolidate them in a single location.
If this is your preference, you can use the integration between Systems Manager and Security Hub to receive Security Hub findings and have them ingested into Systems Manager OpsCenter and Explorer. OpsItems are created for all critical and high-severity Security Hub findings. They are optionally created for medium and low-severity findings. An Explorer widget provides a summary of all Security Hub findings based on severity. OpsCenter also provides bidirectional integration with Security Hub. When you make updates to the status and severity fields in an OpsItem, those changes are sent to Security Hub to help you see the latest information.
If you enable this feature to view security findings alongside other performance and operational issues, we recommend that you continue to use Security Hub for more specialized views into your security posture.
Prerequisites
To get started, confirm that Security Hub and Systems Manager are enabled in your account.
To enable Security Hub in your account, follow the steps in Setting up AWS Security Hub in the AWS Security Hub User Guide.
To enable Systems Manager, follow the steps in the Manage instances using AWS Systems Manager Quick Setup blog post. If you want to customize Systems Manager beyond the quick setup, see Setting up AWS Systems Manager in the AWS Systems Manager User Guide.
Enable security findings in Security Hub
The AWS Foundational Security Best Practices standard are a set of controls that detect when your AWS accounts and resources deviate from security best practices. In this post, we focus on the S3.2 control that checks whether your S3 buckets allow public read access, but you can use this approach for nearly all Security Hub findings.
Figure 1 shows an S3 bucket named ****-cloudfront has failed a check (it allows public read access).
Figure 1: Security Hub finding for public S3 bucket
To investigate these failed checks, enable integration between Security Hub and Systems Manager, view findings with Explorer, and then investigate a finding through the automatically created OpsItem. Lastly, remediate the issue in OpsCenter and see how the finding is updated through the bidirectional integration.
Enable integration through Systems Manager Explorer
You can configure the integration between Security Hub and Systems Manager in Systems Manager Explorer and Systems Manager OpsCenter. When you edit the configuration in one console page, you immediately see the change in the other page.
To enable the integration through Systems Manager Explorer, from the left navigation pane of the Systems Manager console, choose Explorer and then choose Settings. Choose Dashboard actions or Configure dashboard. On Configure OpsData sources and widgets, under OpsData sources, choose Security Hub. For more information about the Explorer dashboard and how to resize, filter, and move widgets, see Customizing the display and using filters in the AWS Systems Manager User Guide.
Figure 2: Enable Security Hub widget
When you enable the Security Hub source, two additional areas are displayed on the console page, as shown in Figure 2. These areas allow you to enable the widget and specify when OpsItems are created. All critical and high-severity findings create OpsItems, but you must enable the creation of OpsItems for medium and low-severity findings.
Systems Manager managed rule
When you enable the data source, Systems Manager creates an Amazon EventBridge rule that creates OpsItems. This managed rule maps the Security Hub finding to an OpsItem and enables the bidirectional synchronization of status and severity fields. Unlike EventBridge rules that you create, this rule is read-only and managed by AWS.
Integration between OpsCenter and Security Hub
To view the OpsCenter configuration, from the left navigation pane of the Systems Manager console, choose OpsCenter and then choose OpsItems.
Choose Configure sources and scroll down to Security Hub findings. You’ll see in Figure 3 that although the presentation is different, it includes the same information. Choose Edit to make changes.
Figure 3: Viewing configuration for Security Hub findings
Because you have now successfully integrated Security Hub with Systems Manager, OpsItems will be created from the findings. It might take several hours for those findings to be synchronized.
View the Security Hub findings widget
Figure 4 shows how the new widget is displayed in Explorer. There is a graphical representation of the number of findings and a numerical count for each severity level. Findings of all severity levels, including informational, are displayed on this widget, but OpsItems are created only for the high and critical levels and optionally for medium and low.
Figure 4: Security Hub Explorer widget
To go to a list of the findings, click the finding with a critical severity. You can change the filtering to include other severities. For each finding, you can view title, severity, source, and category. If an OpsItem has been created, you can click a link to view details in OpsCenter.
Figure 5: Summary list of Security Hub findings filtered by severity
View OpsItems in OpsCenter
The summary table doesn’t provide many finding details, but you can click the OpsItem link for more information.
Figure 6 shows the OpsItem details, including title, description, status, and severity.
Figure 6: OpsItem for public S3 bucket
Figure 7 shows that the OpsItem details include a list of related resources. These are taken directly from the finding. You can view the resources displayed here to get a better understanding of the operational environment. Click the links to see details like Amazon CloudWatch metrics or to open the console associated with the resource.
Figure 7: Security Hub Explorer widget
Remediate a Security Hub finding
To remediate this issue, you could manually update the bucket to remove public access, but this approach isn’t scalable or easy to track. It’s better to trigger a runbook from the OpsItem so you have a record (who, when, and what) of the remediation effort.
To run an automation runbook against the S3 bucket, select Related resource details tab and the associated S3 bucket. As seen in Figure 8, from the Run automation dropdown, select the automation called AWS-DisableS3BucketPublicReadWrite.
Figure 8: Selecting automation document for the related resource test bucket
Confirm the S3BucketName and choose Execute. The runbook will remove the unrestricted access. As Figure 9 shows, the runbook history has been updated. This audit history is helpful for understanding the actions that have been taken for this OpsItem.
Figure 9: OpsItem detail showing runbook history
Confirm the remediation
To confirm that the public access has been removed, view the bucket in the Amazon S3 console.
Figure 10: S3 bucket is not public
Confirm the finding is resolved
When you open the Security Hub console, you should see that the bucket is no longer public and the finding has been resolved.
Figure 11: Security Hub found no public S3 buckets
Confirm the OpsItem is resolved
Finally, when you return to the OpsItem, you should see that the status has been updated to Resolved.
Figure 12: OpsItem detail showing status of resolved
Conclusion
In this post, we showed you the new bidirectional integration between Security Hub and Systems Manager OpsCenter, a feature that enables the automatic creation of OpsItems for Security Hub findings. When you use this feature, you bring issues into a single location to better understand the state of your environment.
Using the example of a publicly accessible S3 bucket, we showed you how to view the details for a Security Hub finding in OpsCenter and how to resolve the issue using a runbook. By using Automation runbooks for remediation, you have a consistent and reproducible mechanism for resolving operational issues. For more information about this feature, see the What’s New post, the AWS Systems Manager User Guide and the AWS Security Hub User Guide.