Closed sablumiah closed 2 years ago
@sablumiah says AWS Security Hub is not enabled after all?
AWS Security Hub is actually not enabled yet, as there is a prerequisite of having AWS Config enabled in London. https://app.zenhub.com/workspaces/cloud-platform-team-5ccb0b8a81f66118c983c189/issues/ministryofjustice/cloud-platform/2248
Module we have in MOJ that could be used: https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/tree/main/modules/config
Security Hub Managed Centrally: https://github.com/ministryofjustice/aws-root-account/blob/main/terraform/securityhub.tf
This ticket is blocked waiting for #2248
Security Findings on Resources 08/11/2021
- London Critical
- London High
- Ireland Critical
- Ireland High
Potential alerts from the above documents:
![Screen Shot 2021-11-22 at 11.18.50 (2).png](https://images.zenhubusercontent.com/5cd14e317c13c23a96974cd5/a97968bd-c1a1-42d1-af09-6f4158e74cd5)
Basically I tried to restrict events, and therefore alerting, to "Critical" by using an online-suggested event pattern:
```json
{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL"]
      },
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  }
}
```
However, this did not seem to work, as PagerDuty was bombarded with all status alerts, and they were repeated every 10 minutes or so. In other words, we were being swamped with alerts!
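Added example, not part of the ticket: a small Python check of how EventBridge evaluates the pattern posted above against constructed "Security Hub Findings - Imported" events. The events, finding Ids and timestamps are constructed, and the matcher covers only the exact-value subset of EventBridge rules. It shows why a consumer still has to re-check each finding (a rule fires if any finding in the batched array matches) and how to drop unchanged re-imports before paging.

```python
# The pattern exactly as posted in the comment above.
PATTERN = {
    "detail-type": ["Security Hub Findings - Imported"],
    "source": ["aws.securityhub"],
    "detail": {"findings": {"Severity": {"Label": ["CRITICAL"]},
                            "Workflow": {"Status": ["NEW"]}}},
}


def matches(pattern, value):
    """Exact-match subset of EventBridge rules: a list in the pattern is the
    set of allowed values, a dict recurses, and an array in the event matches
    when ANY element matches (this is how the 'findings' array is evaluated)."""
    if isinstance(pattern, list):
        candidates = value if isinstance(value, list) else [value]
        return any(v in pattern for v in candidates)
    if isinstance(value, list):                       # e.g. detail.findings
        return any(matches(pattern, item) for item in value)
    if not isinstance(value, dict):
        return False
    return all(k in value and matches(sub, value[k]) for k, sub in pattern.items())


def findings_to_page(events, seen):
    """Return finding Ids worth paging. 'seen' maps Id -> UpdatedAt so a
    finding re-imported with no change is dropped; an updated one pages again."""
    out = []
    for ev in events:
        if not matches(PATTERN, ev):
            continue
        for f in ev["detail"]["findings"]:
            # The rule matched the batch; other findings in it may be HIGH etc.
            if f["Severity"]["Label"] != "CRITICAL" or f["Workflow"]["Status"] != "NEW":
                continue
            if seen.get(f["Id"]) == f["UpdatedAt"]:  # unchanged re-import
                continue
            seen[f["Id"]] = f["UpdatedAt"]
            out.append(f["Id"])
    return out


def _event(findings):  # constructed event in the shape Security Hub emits
    return {"version": "0", "source": "aws.securityhub",
            "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": findings}}


def _finding(fid, label, status, updated):  # constructed ASFF subset
    return {"Id": fid, "Severity": {"Label": label}, "RecordState": "ACTIVE",
            "Workflow": {"Status": status}, "UpdatedAt": updated}


SAMPLE_EVENTS = [  # constructed: one batch mixes CRITICAL and HIGH findings
    _event([_finding("finding-c1", "CRITICAL", "NEW", "2021-11-22T11:00:00Z"),
            _finding("finding-h1", "HIGH", "NEW", "2021-11-22T11:00:00Z")]),
    _event([_finding("finding-h2", "HIGH", "NEW", "2021-11-22T11:05:00Z")]),
    _event([_finding("finding-c1", "CRITICAL", "NEW", "2021-11-22T11:00:00Z")]),
    _event([_finding("finding-c1", "CRITICAL", "NOTIFIED", "2021-11-22T11:20:00Z")]),
]
```

Running `findings_to_page(SAMPLE_EVENTS, {})` pages once for `finding-c1`: the HIGH findings and the unchanged re-import are dropped, and the NOTIFIED update no longer matches the rule.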
Demo given 26/11/2021. Need to take a closer look at the various "Security Hub" alerts - as to which ones we should alert on. Will raise a ticket. Potential Alerts here: https://docs.google.com/spreadsheets/d/1gwSfcntNCFrd2CgXs-KqRak3-nO_EqXC/edit#gid=401282829
Background
For when AWS Security Hub is enabled in AWS accounts (DSD, CP and CP Ephemeral)
This ticket is created to explore if there are any alerts we can/should create and where those alarms could possibly go, e.g. low-priority-alarms. Also, if any default alarms are too noisy, do we turn any off?
https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc
Definition of done