Security Hub log findings

0

The CIS benchmark is flagging child accounts that are configured to forward logs to a dedicated log account within the same organization as not having logging configured properly. Would the best practice here be to suppress the log related findings on those accounts and create a custom config rule to look for accounts that do not have log forwarding configured?

Second question:

Is it possible to modify CIS benchmark SNS notifications to include more verbose log data, or does that require a Security Hub finding custom action event? Specifically the customer is looking for the log data that triggered the event to be in the email, rather than having to go to the Security Hub dashboard. Example, CIS-3.1-UnauthorizedAPICalls - can the log that triggered the threshold be included in the SNS message? I can't seem to locate in the Security Hub documentation if this is possible without using CloudWatch Events custom findings.

AWS
Mike_C
Asked 4 years ago, 847 views
1 answer
1
Accepted answer

Please see the answer to your questions below:

Q1. For customers with central logging, they can disable the CIS 3.x checks in all child accounts that are pushing logs to a central account and only have these checks in the central logging account; see https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

CIS 2.1 and FSBP [CloudTrail.1] check if CloudTrail is enabled in all regions and if a multi-region trail exists, respectively. As a best practice, customers should have an org trail (which is enabled on all accounts in the organization by default). If the customer is not using an org trail, i.e. they have central logging configured which involves manually adding accounts to the central trail, then they will need a way to audit accounts that are not forwarding to the central trail using a custom rule.

Q2. For CIS 3.x this is only checking if the filters/alarms are in place. As far as I know, if the customer wants details on the activity that triggered the alarm, they will need to use CWE custom findings and transforms. I hope this helps!

AWS
Answered 4 years ago
Expert, reviewed 1 day ago
Expert, reviewed 6 months ago
Expert, reviewed 7 months ago
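The custom rule the answer to Q1 calls for, as an added example that is not part of the thread and is not AWS-provided code: an AWS Config custom Lambda rule that marks the member account COMPLIANT only when an active, multi-region trail (an organization trail or a member-owned one) delivers to the central logging bucket. The rule parameter name `CentralBucket`, the bucket and trail names, and the account IDs in the sample data are all constructed for the example; the evaluation logic is kept in plain functions so it can be exercised without AWS credentials.

```python
"""Hypothetical AWS Config custom rule: does this account forward CloudTrail
to the organization's central logging account?  Added example, not from the
re:Post thread or from AWS.  Assumes a rule parameter `CentralBucket` naming
the central trail's S3 bucket."""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def trail_forwards_to_central(trail: dict, status: dict, central_bucket: str) -> bool:
    """True when a describe_trails() item plus its get_trail_status() result show
    an active, multi-region trail whose destination is the central bucket."""
    return bool(
        status.get("IsLogging", False)
        and trail.get("IsMultiRegionTrail", False)
        and trail.get("S3BucketName") == central_bucket
    )


def evaluate_account(trails, statuses, central_bucket):
    """Return (compliance_type, annotation) for the whole account.

    `trails`   - list from describe_trails()['trailList'] (org trails included)
    `statuses` - dict mapping TrailARN -> get_trail_status() result
    A trail with no status entry is treated as not logging."""
    good = [t["Name"] for t in trails
            if trail_forwards_to_central(t, statuses.get(t["TrailARN"], {}), central_bucket)]
    if good:
        kind = "organization" if any(t.get("IsOrganizationTrail") for t in trails
                                     if t["Name"] in good) else "member-account"
        return COMPLIANT, f"{kind} trail(s) {good} deliver to {central_bucket}"
    seen = [f"{t['Name']}->{t.get('S3BucketName')}" for t in trails] or ["no trails"]
    return NON_COMPLIANT, f"no active multi-region trail delivers to {central_bucket}: {seen}"


def lambda_handler(event, context):
    """Entry point for the Config rule (periodic trigger, scope AWS::::Account)."""
    import boto3  # imported here so evaluate_account() stays testable offline
    params = json.loads(event.get("ruleParameters", "{}"))
    central_bucket = params["CentralBucket"]
    ct = boto3.client("cloudtrail")
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    compliance, annotation = evaluate_account(trails, statuses, central_bucket)
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": annotation[:256],
            "OrderingTimestamp": json.loads(event["invokingEvent"])["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )


# Constructed sample data (account IDs, names and bucket are placeholders).
ORG_TRAIL = {"Name": "org-trail",
             "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
             "S3BucketName": "central-logs-bucket",
             "IsMultiRegionTrail": True, "IsOrganizationTrail": True}
LOCAL_TRAIL = {"Name": "local-only",
               "TrailARN": "arn:aws:cloudtrail:us-east-1:222222222222:trail/local-only",
               "S3BucketName": "my-local-bucket",
               "IsMultiRegionTrail": False, "IsOrganizationTrail": False}
SAMPLE_STATUS = {ORG_TRAIL["TrailARN"]: {"IsLogging": True},
                 LOCAL_TRAIL["TrailARN"]: {"IsLogging": True}}

if __name__ == "__main__":
    print(evaluate_account([ORG_TRAIL, LOCAL_TRAIL], SAMPLE_STATUS, "central-logs-bucket"))
    print(evaluate_account([LOCAL_TRAIL], SAMPLE_STATUS, "central-logs-bucket"))
```

Deploy it as a periodic rule with `AWS::::Account` scope in each member account (or through an organization Config rule) and keep the CIS 3.x controls enabled only in the central logging account, as the answer describes; a member whose trail stops logging, is region-scoped, or points at some other bucket then shows up as NON_COMPLIANT with the reason in the annotation.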
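For Q2, one way to get the triggering log records into the e-mail rather than only the alarm name, as an added example that is not from the thread or from AWS: a Lambda function subscribed to the alarm's SNS topic looks up the metric filter behind the alarm, pulls the CloudTrail records that matched it during the evaluation window with `filter_log_events`, and republishes a summarized message to a second topic. The topic ARN environment variable `ENRICHED_TOPIC_ARN`, the namespace `CISBenchmark`, and the sample alarm payload and log records are constructed assumptions for the example; the parsing and summarizing functions run without AWS access.

```python
"""Hypothetical enrichment Lambda for a CIS 3.x alarm such as
CIS-3.1-UnauthorizedAPICalls.  Added example, not from the thread or from AWS.
Assumes the alarm's SNS notification invokes this function and that an
ENRICHED_TOPIC_ARN environment variable names the topic the e-mail goes to."""
import json
import os
from datetime import datetime, timedelta

# CloudTrail record fields worth surfacing for each matched event.
FIELDS = ("eventTime", "eventName", "errorCode", "sourceIPAddress")


def alarm_window(state_change_time: str, period: int, evaluation_periods: int):
    """Epoch-millisecond (start, end) covering the evaluation periods that
    tripped the alarm.  state_change_time uses the CloudWatch SNS payload form,
    e.g. '2021-06-01T12:00:00.000+0000'."""
    end = datetime.strptime(state_change_time, "%Y-%m-%dT%H:%M:%S.%f%z")
    start = end - timedelta(seconds=period * evaluation_periods)
    return int(start.timestamp() * 1000), int(end.timestamp() * 1000)


def summarize_records(log_events, limit=10):
    """One line per matched CloudTrail record from filter_log_events()['events'].
    Non-JSON messages are kept raw (truncated) so nothing is silently dropped."""
    lines = []
    for ev in log_events[:limit]:
        try:
            rec = json.loads(ev["message"])
            ident = rec.get("userIdentity", {})
            who = ident.get("arn") or ident.get("principalId", "unknown")
            lines.append(" ".join(str(rec.get(f, "-")) for f in FIELDS) + f" by {who}")
        except (json.JSONDecodeError, TypeError):
            lines.append(str(ev.get("message", ""))[:200])
    return lines


def build_message(alarm: dict, log_events) -> str:
    """Plain-text body for the enriched notification."""
    lines = summarize_records(log_events)
    header = (f"{alarm['AlarmName']} -> {alarm['NewStateValue']} at {alarm['StateChangeTime']}\n"
              f"{len(log_events)} matching CloudTrail record(s); showing {len(lines)}:\n")
    return header + "\n".join(lines)


def lambda_handler(event, context):
    import boto3  # imported lazily so the helpers above can be tested offline
    alarm = json.loads(event["Records"][0]["Sns"]["Message"])
    trig = alarm["Trigger"]
    logs = boto3.client("logs")
    # The metric filter that feeds the alarm tells us the log group and pattern.
    mf = logs.describe_metric_filters(
        metricName=trig["MetricName"], metricNamespace=trig["Namespace"])["metricFilters"][0]
    start, end = alarm_window(alarm["StateChangeTime"], trig["Period"], trig["EvaluationPeriods"])
    events = logs.filter_log_events(
        logGroupName=mf["logGroupName"], filterPattern=mf["filterPattern"],
        startTime=start, endTime=end, limit=50)["events"]
    boto3.client("sns").publish(
        TopicArn=os.environ["ENRICHED_TOPIC_ARN"],
        Subject=f"[enriched] {alarm['AlarmName']}"[:100],
        Message=build_message(alarm, events))


# Constructed sample alarm payload and log records (IP from the documentation range).
SAMPLE_ALARM = {
    "AlarmName": "CIS-3.1-UnauthorizedAPICalls", "NewStateValue": "ALARM",
    "StateChangeTime": "2021-06-01T12:00:00.000+0000",
    "Trigger": {"MetricName": "UnauthorizedAPICalls", "Namespace": "CISBenchmark",
                "Period": 300, "EvaluationPeriods": 1},
}
SAMPLE_EVENTS = [
    {"message": json.dumps({
        "eventTime": "2021-06-01T11:58:03Z", "eventName": "DescribeInstances",
        "errorCode": "Client.UnauthorizedOperation", "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"}})},
    {"message": "not json"},
]

if __name__ == "__main__":
    print(build_message(SAMPLE_ALARM, SAMPLE_EVENTS))
```

The window is derived from the alarm's own `Period` and `EvaluationPeriods`, so the query only covers the span the alarm actually evaluated; widen it slightly if log delivery to CloudWatch Logs lags, and keep the `limit` modest because a noisy period can match thousands of records.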
