By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Security Hub log findings

0

The CIS benchmark is flagging child accounts that are configured to forward logs to a dedicated log account within the same organization as not having logging configured properly. Would the best practice here be to suppress the log related findings on those accounts and create a custom config rule to look for accounts that do not have log forwarding configured?

Second question:

Is it possible to modify CIS benchmark SNS notifications to include more verbose logdata or does that require a Security hub Finding custom action event? Specifically the customer is looking for the log data that triggered the event to be in the email, rather than having to go to the security hub dashboard. Example, CIS-3.1-UnauthorizedAPICalls - can the log that triggered the threshold be included in the SNS message? I can't seem to locate in the security hub documentation if this is possible without using Cloudwatch events custom findings.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Security HubAmazon CloudWatch
Language
English
AWS
Mike_C
asked 4 years ago815 views
1 Answer
0
Accepted Answer

Please see the answer to your questions below:

Q1. For customers with central logging they can disable the CIS 3.x checks in all child accounts that are pushing logs to a centeral account and only have these checks in the central logging account see - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis-to-disable.html

CIS 2.1 and FSBP [Cloudtrail.1]– Checks if cloudtrail is enabled in all regions and if a multiregion cloud trail exists respectively. As best practice customers should have an org trail (which is enabled on all accounts in the organization by default). If the customer is not using an org trail i.e they have centrall logging configured which involves manually adding account to the central trail then they will need a way to audit accounts that are not forwarding to the central trail using a custom rule.

Q2. For CIS 3.x this is only checking if the filters/alrams are in place. As far as I know, If the customer wants details on the activity that triggered the alarm, they will need to use CWE custom findings and transforms. I hope this helps!

AWS
AWS-User-7741164
answered 4 years ago
profile picture
EXPERT
Sedat Salman
reviewed 6 months ago
profile picture
EXPERT
Antonio_Lagrotteria
reviewed 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content