AWS Security Hub Enabled - Look into possible alerting

[sablumiah]

Background

For when AWS Security Hub is enabled in AWS accounts (DSD, CP and CP Ephemeral)

This ticket is created to explore if there are any alerts we can/should create and where those alarms could possibly go. e.g. low-priority-alamrs. Also if any default alarms are too noisy do we turn any off.

https://aws.amazon.com/security-hub/?aws-security-hub-blogs.sort-by=item.additionalFields.createdDate&aws-security-hub-blogs.sort-order=desc

Definition of done

• [ ] Firebreak finding documented appropriately
• [ ] Demo completed
• [ ] Decision made on whether to progress Firebreak work
• [ ] Firebreak next step Issues created
• [ ] New Issues referenced in this story before closure

[davidread]

@sablumiah says AWS Security Hub is not enabled after all?

[sablumiah]

AWS Security Hub is actually not enabled yet as there is an prereq of having AWS Config enabled in London. https://app.zenhub.com/workspaces/cloud-platform-team-5ccb0b8a81f66118c983c189/issues/ministryofjustice/cloud-platform/2248

Module we have in MOJ that could be used: https://github.com/ministryofjustice/modernisation-platform-terraform-baselines/tree/main/modules/config

Security Hub Managed Centrally: https://github.com/ministryofjustice/aws-root-account/blob/main/terraform/securityhub.tf

[davidread]

This ticket is blocked waiting for #2248

[pwyborn]

Security Findings on Resources 08/11/2021

- London Critical

• S3.2 S3 buckets should prohibit public read access
• 1.14 Ensure hardware MFA is enabled for the "root" account
• 1.12 Ensure no root account access key exists
• IAM.4 IAM root user access key should not exist
• ES.2 Elasticsearch domains should be in a VPC
• KMS.3 AWS KMS keys should not be deleted unintentionally

- London High

• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• 4.3 Ensure the default security group of every VPC restricts all traffic
• EC2.2 The VPC default security group should not allow inbound and outbound traffic
• EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• 4.3 Ensure the default security group of every VPC restricts all traffic
• EC2.2 The VPC default security group should not allow inbound and outbound traffic
• EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports
• S3.8 S3 Block Public Access setting should be enabled at the bucket-level
• S3.6 S3 permissions granted to other AWS accounts in bucket policies should be restricted
• 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
• EC2.9 EC2 instances should not have a public IPv4 address
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• EC2.19 Security groups should not allow unrestricted access to ports with high risk
• EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports
• 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• EC2.2 The VPC default security group should not allow inbound and outbound traffic
• 4.3 Ensure the default security group of every VPC restricts all traffic
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• 4.3 Ensure the default security group of every VPC restricts all traffic
• EC2.2 The VPC default security group should not allow inbound and outbound traffic
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)

- Ireland Critical

• 1.14 Ensure hardware MFA is enabled for the "root" account
• IAM.4 IAM root user access key should not exist

- Ireland High

• 4.3 Ensure the default security group of every VPC restricts all traffic
• EC2.2 The VPC default security group should not allow inbound and outbound traffic
• 4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
• 4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
• EC2.19 Security groups should not allow unrestricted access to ports with high risk
• EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)
• EC2.9 EC2 instances should not have a public IPv4 address
• EC2.18 Security groups should only allow unrestricted incoming traffic for authorized ports

[pwyborn]

2 main source documents: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html

https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html

[pwyborn]

Potential alerts from above documents:

• [ACM.1] Imported ACM certificates should be renewed after a specified time period
• [APIGateway.1] API Gateway REST and WebSocket API logging should be enabled
• [APIGateway.2] API Gateway REST API stages should be configured to use SSL certificates for backend authentication
• [APIGateway.3] API Gateway REST API stages should have AWS X-Ray tracing enabled
• [APIGateway.4] API Gateway should be associated with an AWS WAF web ACL
• [APIGateway.5] API Gateway REST API cache data should be encrypted at rest
• [AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks
• [CloudFront.1] CloudFront distributions should have a default root object configured
• [CloudFront.2] CloudFront distributions should have origin access identity enabled
• [CloudFront.3] CloudFront distributions should require encryption in transit
• [CloudFront.4] CloudFront distributions should have origin failover configured
• [CloudFront.5] CloudFront distributions should have logging enabled
• [CloudFront.6] CloudFront distributions should have AWS WAF enabled
• [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail
• [CloudTrail.2] CloudTrail should have encryption at rest enabled
• [CloudTrail.4] Ensure CloudTrail log file validation is enabled
• [CloudTrail.5] Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
• [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
• [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
• [Config.1] AWS Config should be enabled
• [DMS.1] AWS Database Migration Service replication instances should not be public
• [DynamoDB.1] DynamoDB tables should automatically scale capacity with demand
• [DynamoDB.2] DynamoDB tables should have point-in-time recovery enabled
• [DynamoDB.3] DynamoDB Accelerator (DAX) clusters should be encrypted at rest
• [EC2.1] Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone
• [EC2.10] Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service
• [EC2.15] EC2 subnets should not automatically assign public IP addresses
• [EC2.16] Unused network access control lists should be removed
• [EC2.17] EC2 instances should not use multiple ENIs
• [EC2.18] Security groups should only allow unrestricted incoming traffic for authorized ports
• [EC2.19] Security groups should not allow unrestricted access to ports with high risk
• [EC2.2] The VPC default security group should not allow inbound and outbound traffic
• [EC2.3] Attached EBS volumes should be encrypted at rest
• [EC2.4] Stopped EC2 instances should be removed after a specified time period
• [EC2.6] VPC flow logging should be enabled in all VPCs
• [EC2.7] EBS default encryption should be enabled
• [EC2.8] EC2 instances should use IMDSv2
• [EC2.9] EC2 instances should not have a public IP address
• [ECS.1] Amazon ECS task definitions should have secure networking modes and user definitions
• [ECS.2] Amazon ECS services should not have public IP addresses assigned to them automatically
• [EFS.1] Amazon EFS should be configured to encrypt file data at rest using AWS KMS
• [EFS.2] Amazon EFS volumes should be in backup plans
• [ElasticBeanstalk.1] Elastic Beanstalk environments should have enhanced health reporting enabled
• [ElasticBeanstalk.2] Elastic Beanstalk managed platform updates should be enabled
• [ELB.2] Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager
• [ELB.3] Classic Load Balancer listeners should be configured with HTTPS or TLS termination
• [ELB.4] Application load balancers should be configured to drop HTTP headers
• [ELB.5] Application and Classic Load Balancers logging should be enabled
• [ELB.6] Application Load Balancer deletion protection should be enabled
• [ELB.7] Classic Load Balancers should have connection draining enabled
• [ELB.8] Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration
• [ELBv2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
• [EMR.1] Amazon EMR cluster master nodes should not have public IP addresses
• [ES.1] Elasticsearch domains should have encryption at rest enabled
• [ES.2] Elasticsearch domains should be in a VPC
• [ES.3] Elasticsearch domains should encrypt data sent between nodes
• [ES.4] Elasticsearch domain error logging to CloudWatch Logs should be enabled
• [ES.5] Elasticsearch domains should have audit logging enabled
• [ES.6] Elasticsearch domains should have at least three data nodes
• [ES.7] Elasticsearch domains should be configured with at least three dedicated master nodes
• [ES.8] Connections to Elasticsearch domains should be encrypted using TLS 1.2
• [GuardDuty.1] GuardDuty should be enabled
• [IAM.1] IAM policies should not allow full "*" administrative privileges
• [IAM.2] IAM users should not have IAM policies attached
• [IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services
• [IAM.3] IAM users' access keys should be rotated every 90 days or less
• [IAM.4] IAM root user access key should not exist
• [IAM.5] MFA should be enabled for all IAM users that have a console password
• [IAM.6] Hardware MFA should be enabled for the root user
• [IAM.7] Password policies for IAM users should have strong configurations
• [IAM.8] Unused IAM user credentials should be removed
• [KMS.1] IAM customer managed policies should not allow decryption actions on all KMS keys
• [KMS.2] IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys
• [KMS.3] AWS KMS keys should not be unintentionally deleted
• [Lambda.1] Lambda function policies should prohibit public access
• [Lambda.2] Lambda functions should use supported runtimes
• [Lambda.4] Lambda functions should have a dead-letter queue configured (Retired)
• [PCI.AutoScaling.1] Auto Scaling groups associated with a load balancer should use health checks
• [PCI.CloudTrail.1] CloudTrail logs should be encrypted at rest using AWS KMS keys
• [PCI.CloudTrail.2] CloudTrail should be enabled
• [PCI.CloudTrail.3] CloudTrail log file validation should be enabled
• [PCI.CloudTrail.4] CloudTrail trails should be integrated with CloudWatch Logs
• [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth
• [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials
• [PCI.Config.1] AWS Config should be enabled
• [PCI.CW.1] A log metric filter and alarm should exist for usage of the "root" user
• [PCI.DMS.1] AWS Database Migration Service replication instances should not be public
• [PCI.EC2.1] Amazon EBS snapshots should not be publicly restorable
• [PCI.EC2.2] VPC default security group should prohibit inbound and outbound traffic
• [PCI.EC2.3] Unused EC2 security groups should be removed (Retired)
• [PCI.EC2.4] Unused EC2 EIPs should be removed
• [PCI.EC2.5] Security groups should not allow ingress from 0.0.0.0/0 to port 22
• [PCI.EC2.6] VPC flow logging should be enabled in all VPCs
• [PCI.ELBV2.1] Application Load Balancer should be configured to redirect all HTTP requests to HTTPS
• [PCI.ES.1] Elasticsearch domains should be in a VPC
• [PCI.ES.2] Elasticsearch domains should have encryption at rest enabled
• [PCI.GuardDuty.1] GuardDuty should be enabled
• [PCI.IAM.1] IAM root user access key should not exist
• [PCI.IAM.2] IAM users should not have IAM policies attached
• [PCI.IAM.3] IAM policies should not allow full "*" administrative privileges
• [PCI.IAM.4] Hardware MFA should be enabled for the root user
• [PCI.IAM.5] Virtual MFA should be enabled for the root user
• [PCI.IAM.6] MFA should be enabled for all IAM users
• [PCI.IAM.7] IAM user credentials should be disabled if not used within a predefined number of days
• [PCI.IAM.8] Password policies for IAM users should have strong configurations
• [PCI.KMS.1] KMS key rotation should be enabled
• [PCI.Lambda.1] Lambda functions should prohibit public access
• [PCI.Lambda.2] Lambda functions should be in a VPC
• [PCI.RDS.1] RDS snapshots should prohibit public access
• [PCI.RDS.2] RDS DB Instances should prohibit public access
• [PCI.Redshift.1] Amazon Redshift clusters should prohibit public access
• [PCI.S3.1] S3 buckets should prohibit public write access
• [PCI.S3.2] S3 buckets should prohibit public read access
• [PCI.S3.3] S3 buckets should have cross-region replication enabled
• [PCI.S3.4] S3 buckets should have server-side encryption enabled
• [PCI.S3.5] S3 buckets should require requests to use Secure Socket Layer
• [PCI.S3.6] S3 Block Public Access setting should be enabled
• [PCI.SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
• [PCI.SSM.1] Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
• [PCI.SSM.2] Instances managed by Systems Manager should have an association compliance status of COMPLIANT
• [PCI.SSM.3] EC2 instances should be managed by AWS Systems Manager
• [RDS.1] RDS snapshots should be private
• [RDS.10] IAM authentication should be configured for RDS instances
• [RDS.12] IAM authentication should be configured for RDS clusters
• [RDS.13] RDS automatic minor version upgrades should be enabled
• [RDS.14] Amazon Aurora clusters should have backtracking enabled
• [RDS.15] RDS DB clusters should be configured for multiple Availability Zones
• [RDS.16] RDS DB clusters should be configured to copy tags to snapshots
• [RDS.17] RDS DB instances should be configured to copy tags to snapshots
• [RDS.18] RDS instances should be deployed in a VPC
• [RDS.19] An RDS event notifications subscription should be configured for critical cluster events
• [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
• [RDS.20] An RDS event notifications subscription should be configured for critical database instance events
• [RDS.21] An RDS event notifications subscription should be configured for critical database parameter group events
• [RDS.22] An RDS event notifications subscription should be configured for critical database security group events
• [RDS.23] RDS databases and clusters should not use a database engine default port
• [RDS.3] RDS DB instances should have encryption at rest enabled
• [RDS.4] RDS cluster snapshots and database snapshots should be encrypted at rest
• [RDS.5] RDS DB instances should be configured with multiple Availability Zones
• [RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters
• [RDS.7] RDS clusters should have deletion protection enabled
• [RDS.8] RDS DB instances should have deletion protection enabled
• [RDS.9] Database logging should be enabled
• [Redshift.1] Amazon Redshift clusters should prohibit public access
• [Redshift.2] Connections to Amazon Redshift clusters should be encrypted in transit
• [Redshift.3] Amazon Redshift clusters should have automatic snapshots enabled
• [Redshift.4] Amazon Redshift clusters should have audit logging enabled
• [Redshift.6] Amazon Redshift should have automatic upgrades to major versions enabled
• [Redshift.7] Amazon Redshift clusters should use enhanced VPC routing
• [S3.1] S3 Block Public Access setting should be enabled
• [S3.2] S3 buckets should prohibit public read access
• [S3.3] S3 buckets should prohibit public write access
• [S3.4] S3 buckets should have server-side encryption enabled
• [S3.5] S3 buckets should require requests to use Secure Socket Layer
• [S3.6] Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted
• [S3.8] S3 Block Public Access setting should be enabled at the bucket level
• [SageMaker.1] SageMaker notebook instances should not have direct internet access
• [SecretsManager.1] Secrets Manager secrets should have automatic rotation enabled
• [SecretsManager.2] Secrets Manager secrets configured with automatic rotation should rotate successfully
• [SecretsManager.3] Remove unused Secrets Manager secrets
• [SecretsManager.4] Secrets Manager secrets should be rotated within a specified number of days
• [SNS.1] SNS topics should be encrypted at rest using AWS KMS
• [SQS.1] Amazon SQS queues should be encrypted at rest
• [SSM.1] EC2 instances should be managed by AWS Systems Manager
• [SSM.2] All EC2 instances managed by Systems Manager should be compliant with patching requirements
• [SSM.3] Instances managed by Systems Manager should have an association compliance status of COMPLIANT
• [SSM.4] SSM documents should not be public
• [WAF.1] AWS WAF Classic global web ACL logging should be enabled
• 1.1 – Avoid the use of the "root" account
• 1.10 – Ensure IAM password policy prevents password reuse
• 1.11 – Ensure IAM password policy expires passwords within 90 days or less
• 1.12 – Ensure no root account access key exists
• 1.13 – Ensure MFA is enabled for the "root" account
• 1.14 – Ensure hardware MFA is enabled for the "root" account
• 1.16 – Ensure IAM policies are attached only to groups or roles
• 1.2 – Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a - console password
• 1.20 - Ensure a support role has been created to manage incidents with AWS Support
• 1.22 – Ensure IAM policies that allow full ":" administrative privileges are not created
• 1.3 – Ensure credentials unused for 90 days or greater are disabled
• 1.4 – Ensure access keys are rotated every 90 days or less
• 1.5 – Ensure IAM password policy requires at least one uppercase letter
• 1.6 – Ensure IAM password policy requires at least one lowercase letter
• 1.7 – Ensure IAM password policy requires at least one symbol
• 1.8 – Ensure IAM password policy requires at least one number
• 1.9 – Ensure IAM password policy requires a minimum length of 14 or greater
• 2.1 – Ensure CloudTrail is enabled in all Regions
• 2.2. – Ensure CloudTrail log file validation is enabled
• 2.3 – Ensure the S3 bucket CloudTrail logs to is not publicly accessible
• 2.4 – Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
• 2.5 – Ensure AWS Config is enabled
• 2.6 – Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
• 2.7 – Ensure CloudTrail logs are encrypted at rest using AWS KMS keys
• 2.8 – Ensure rotation for customer-created KMS keys is enabled
• 2.9 – Ensure VPC flow logging is enabled in all VPCs
• 3.1 – Ensure a log metric filter and alarm exist for unauthorized API calls
• 3.10 – Ensure a log metric filter and alarm exist for security group changes
• 3.11 – Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)
• 3.12 – Ensure a log metric filter and alarm exist for changes to network gateways
• 3.13 – Ensure a log metric filter and alarm exist for route table changes
• 3.14 – Ensure a log metric filter and alarm exist for VPC changes
• 3.2 – Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA
• 3.3 – Ensure a log metric filter and alarm exist for usage of "root" account
• 3.4 – Ensure a log metric filter and alarm exist for IAM policy changes
• 3.5 – Ensure a log metric filter and alarm exist for CloudTrail configuration changes
• 3.6 – Ensure a log metric filter and alarm exist for AWS Management Console authentication failures
• 3.7 – Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys
• 3.8 – Ensure a log metric filter and alarm exist for S3 bucket policy changes
• 3.9 – Ensure a log metric filter and alarm exist for AWS Config configuration changes
• 4.1 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
• 4.2 – Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
• 4.3 – Ensure the default security group of every VPC restricts all traffic

[pwyborn]

![Screen Shot 2021-11-22 at 11.18.50 (2).png] (https://images.zenhubusercontent.com/5cd14e317c13c23a96974cd5/a97968bd-c1a1-42d1-af09-6f4158e74cd5)

[pwyborn]

Basically I tried to restrict events - and therefore alerting to "Critical" by using online suggestion event pattern:

{
  "detail-type": ["Security Hub Findings - Imported"],
  "source": ["aws.securityhub"],
  "detail": {
    "findings": {
      "Severity": {
        "Label": ["CRITICAL"]
      },
      "Workflow": {
        "Status": ["NEW"]
      }
    }
  }
}

However this did not seem to work as pagerduty was bombarded with all status alerts + they were repeated every 10 minutes or so. In other words we were being swamped with alerts!

[pwyborn]

Demo given 26/11/2021. Need to take a closer look at the various "Security Hub" alerts - as to which ones we should alert on. Will raise a ticket. Potential Alerts here: https://docs.google.com/spreadsheets/d/1gwSfcntNCFrd2CgXs-KqRak3-nO_EqXC/edit#gid=401282829

[pwyborn]

New ticket - https://github.com/ministryofjustice/cloud-platform/issues/3384