Security Hub Findings with Organizations

0

Here's my setup. I have four accounts - a management account and three member accounts for security, dev, and production. In the process of setting up my organization I've configured organization and region wide services including Cloudtrail, Config, Security Hub etc... I've delegated administration of each of these services to the security account. In Security Hub on the security account I've also aggregated all the regions. I have a group of findings that I'm a bit unclear about - the Amazon CloudWatch controls that generally begin with "A log metric filter and alarm should exist for...". I have a multi-region trail created by the security account (the delegated admin) that is applied to the organization and enabled for all accounts. I've enabled CloudWatch logs for this trail and set up log group metric filters for each of the findings. Each of these metrics is configured with an alarm which triggers an SNS topic. Since the cloudtrail trail is multi-region and covers the entire organization it seems this setup should satisfy the Amazon CloudWatch controls findings in not only the security group account, but in each of the other member accounts and management account. The member accounts as well as the security account do appear to be satisfied - though they've gone into an Archived state as opposed to passing the control. The findings on the management account, however, are still Active and Failing compliance. What should I be doing to get the management account findings to match with those of the other accounts? Further, should I be concerned that these have become Archived without passing compliance? Any help would be greatly appreciated.

1 Answer
1
Accepted Answer

So those findings are coming from the CIS AWS Foundations Benchmark controls. The goal of these controls are to detect and alert you when potentially risky activity/configuration changes occur. When Security Hub performs the check for some of these controls, it looks for CloudTrail trails that the current account uses. These trails might be organization trails that belong to another account. Multi-Region trails also might be based in a different Region.

The check results in FAILED findings in the following cases:

No trail is configured.

The available trails that are in the current Region and that are owned by current account do not meet the control requirements.

The check results in a control status of NO_DATA in the following cases:

A multi-Region trail is based in a different Region. Security Hub can only generate findings in the Region where the trail is based.

A multi-Region trail belongs to a different account. Security Hub can only generate findings for the account that owns the trail.

AWS recommends organization trails to log events from many accounts in an organization. Organization trails are multi-Region trails by default and can only be managed by the AWS Organizations management account or the CloudTrail delegated administrator account. Using an organization trail results in a control status of NO_DATA for controls evaluated in organization member accounts. In member accounts, Security Hub only generates findings for member-owned resources. Findings that pertain to organization trails are generated in the resource owner's account. You can see these findings in your Security Hub delegated administrator account by using cross-Region aggregation.

For the alarm, the current account must either own the referenced Amazon SNS topic, or must get access to the Amazon SNS topic by calling ListSubscriptionsByTopic. Otherwise Security Hub generates WARNING findings for the control.

If I had to guess, that management account finding is generating because the current account doesn't own or have access to the SNS topic needed. Most of this info is available by looking through the controls here: https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html

Archiving a finding indicates that the finding provider believes that the finding is no longer relevant. I wouldn't be concerned, as Security Hub does this from time to time. Look into the CloudWatch configurations and ensure they satisfy the CIS Controls for peace of mind.

profile pictureAWS
MikeAWS
answered a year ago
profile picture
EXPERT
reviewed 5 months ago
profile pictureAWS
EXPERT
reviewed a year ago
  • So I played around with some settings but I'm still stuck. My management account is still getting a FAILED check in Security Hub for all of the CloudWatch controls; all of which require CloudTrail, CloudWatch log metrics and alarms, and an SNS topic to handle an alarm. My security account is the delegated administrator for multiple services, including CloudTrail. This CloudTrail is a multi-region trail and covers all accounts in the organization. As an organizational trail the management account still maintains ownership of the trail. However, all the logging is aggregated in the security account. When I completed the setup of the trail, created the required metrics and alarms in CloudWatch, and set the alarms to trigger the necessary SNS topic the CloudWatch controls in Security Hub appeared to be satisfied for the security account (in which all the services were configured) and both the production and development accounts (which were covered as part of the organization). The Security Hub controls for the management account, however, remain unsatisfied. I have tested my setup - taking various actions on the management account that should theoretically trigger a CloudWatch alarm in the security account and, indeed, the entire cross account process works as expected. So I remain stuck as to why this one particular account isn't satisfied. Thanks!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions