Security Hub log findings


The CIS benchmark is flagging child accounts that are configured to forward logs to a dedicated log account within the same organization as not having logging configured properly. Would the best practice here be to suppress the log related findings on those accounts and create a custom config rule to look for accounts that do not have log forwarding configured?

Second question:

Is it possible to modify CIS benchmark SNS notifications to include more verbose log data, or does that require a Security Hub finding custom action event? Specifically, the customer is looking for the log data that triggered the event to be in the email, rather than having to go to the Security Hub dashboard. Example: CIS-3.1-UnauthorizedAPICalls - can the log that triggered the threshold be included in the SNS message? I can't seem to locate in the Security Hub documentation whether this is possible without using CloudWatch Events custom findings.

AWS
Mike_C
posted 4 years ago, 847 views
1 Answer
Accepted answer

Please see the answer to your questions below:

Q1. For customers with central logging, they can disable the CIS 3.x checks in all child accounts that are pushing logs to a central account and only have these checks in the central logging account. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

CIS 2.1 and FSBP [CloudTrail.1] – Checks if CloudTrail is enabled in all regions and if a multi-region CloudTrail exists, respectively. As best practice, customers should have an org trail (which is enabled on all accounts in the organization by default). If the customer is not using an org trail, i.e. they have central logging configured, which involves manually adding accounts to the central trail, then they will need a way to audit accounts that are not forwarding to the central trail using a custom rule.

Q2. For CIS 3.x this is only checking if the filters/alarms are in place. As far as I know, if the customer wants details on the activity that triggered the alarm, they will need to use CWE custom findings and transforms. I hope this helps!

AWS
answered 4 years ago
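Example code added here, not from the answer above: a Python Lambda handler for the custom AWS Config rule discussed in Q1, which reports the account NON_COMPLIANT when no logging, multi-region trail delivers to the central logging bucket (or is an organization trail). The central bucket name, the account id and the sample trail list are constructed placeholders; the evaluation logic is kept in a pure function so it can be checked without AWS access.

```python
"""Custom AWS Config rule (periodic trigger): is this account forwarding
CloudTrail to the central logging bucket? Constructed example; the bucket
name below is a placeholder to be set via the CENTRAL_LOG_BUCKET env var."""
import json
import os

CENTRAL_BUCKET = os.environ.get("CENTRAL_LOG_BUCKET", "central-cloudtrail-logs-PLACEHOLDER")

# Constructed sample of what CloudTrail describe_trails()["trailList"] returns:
# one local trail to a local bucket, one multi-region trail to the central bucket.
SAMPLE_TRAILS = [
    {"Name": "local-only", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/local-only",
     "S3BucketName": "my-local-bucket", "IsMultiRegionTrail": False, "IsOrganizationTrail": False},
    {"Name": "central", "TrailARN": "arn:aws:cloudtrail:us-east-1:111122223333:trail/central",
     "S3BucketName": CENTRAL_BUCKET, "IsMultiRegionTrail": True, "IsOrganizationTrail": False},
]
# Constructed sample of get_trail_status()["IsLogging"] per trail ARN.
SAMPLE_STATUS = {SAMPLE_TRAILS[0]["TrailARN"]: False, SAMPLE_TRAILS[1]["TrailARN"]: True}


def evaluate_trails(trails, statuses, central_bucket):
    """Return (compliance_type, annotation) for the account.
    A trail counts only if it delivers centrally (central bucket or org trail),
    covers all regions, and is actually logging."""
    for t in trails:
        central = t.get("S3BucketName") == central_bucket or t.get("IsOrganizationTrail", False)
        if central and t.get("IsMultiRegionTrail", False) and statuses.get(t["TrailARN"], False):
            return "COMPLIANT", f"Trail {t['Name']} delivers to {central_bucket}"
    return "NON_COMPLIANT", f"No logging multi-region trail delivers to {central_bucket}"


def lambda_handler(event, context):
    import boto3  # imported here so evaluate_trails() stays testable offline
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails()["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"])["IsLogging"] for t in trails}
    compliance, note = evaluate_trails(trails, statuses, CENTRAL_BUCKET)
    invoking = json.loads(event["invokingEvent"])  # Config passes this as a JSON string
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::::Account",  # account-level result for periodic rules
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": invoking["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )
```

The Lambda role needs cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus and config:PutEvaluations; deploy the rule in each child account (for example via an organization Config rule) rather than in the central logging account.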