reference deployment

This Quick Start is no longer available

Here are a few links that might be helpful:

AWS Security Hub

Last year, Accenture released the Center for Internet Security (CIS) Amazon Web Services (AWS) Foundations Benchmark Quick Start. The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their security.

Now, AWS Security Hub is out of preview and is available for general use to help you understand the state of your security in the AWS Cloud. Security Hub supports the CIS AWS Foundations standard. Security Hub has satisfied the requirements of CIS Security Software Certification and has been awarded CIS Security Software Certification for the following CIS Benchmarks:

  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 1
  • CIS Benchmark for CIS Amazon Web Services Foundations Benchmark, v1.2.0, Level 2

Because of the release of Security Hub, the CIS Benchmark Quick Start has been removed from the Quick Start catalog. As a general release product, Security Hub is able to provide support for CIS Benchmarks that are critical for evaluating an organization’s security posture. Quick Starts are maintained by a partner at a best effort. Some additional reasons why Security Hub should be used to implement CIS Benchmarks:

  • Security Hub also aggregates and normalizes data from a variety of services. It is a central resource for findings from AWS Guard Duty, Amazon Inspector, Amazon Macie, and from 30 AWS partner security solutions.
  • Security Hub supports the AWS Security Finding Format that will easily allow third-party product integrations to support CIS Benchmark alerts.
  • Security Hub can integrate with response and remediation workflows through the use of custom actions.
  • Security Hub supports leading notification and remediation vendors, including ServiceNow, PagerDuty, Atlassian, Demisto, and Rapid7.

Important considerations when deploying Security Hub for CIS Benchmarks

Cross-Region processing isn't supported for the CIS AWS Foundations standard in Security Hub. In other words, if you enable Security Hub (and consequently this standard in Security Hub) in one Region and a resource that it checks is located in another Region, the return value for such check is Failed. You must enable Security Hub in all AWS Regions to be fully compliant with CIS AWS Foundations Benchmark checks.

If you enable AWS Config in your Security Hub master account, this doesn't automatically enable AWS Config in the Security Hub member accounts for this master account. If you want Security Hub to generate findings against the compliance rules in the CIS AWS Foundations standard for the resources in a Security Hub member account, you must enable AWS Config in that member account. For details, see the AWS Security Hub user guide.

AWS Security Hub is an essential tool for providing visibility in AWS. A 30-day free trial is available so you can try it out and get an estimate of what your costs would be.