Security Hub Findings don't match Guard Duty findings

Question

Per the recommendations from the Security pillar of a Well Architected Review conducted on our accounts, our company enabled Security Hub for a centralized view of security findings and Guard Duty for specific threat detection to our workloads that are dependent on EC2 and S3. We enabled both services at the AWS Organizations level. For Security Hub, we decided to start off with the AWS Foundation Security Best Practices v1 and CISD AWS Foundations Benchmark v1.2 controls enabled. For Guard Duty, we decided to start off with the default offerings plus the S3 Protection plan.

We allowed any potential findings to aggregate from all our accounts and post to both Security Hub and Guard Duty for our review. We noticed findings that appeared in Security Hub did not appear in Guard Duty. I'm trying to understand why there would be a discrepancy in what is reflected in the Security Hub vs Guard Duty.

For reference:
- In the Security Hub findings, we see a medium severity mark stating S3 bucket server access logging should be enabled, however, in Guard Duty there is no mention of this even with the S3 protection plan on.

Why is this?

Accepted Answer

Hello,

First, I think it’s worth noting the features and intended use between AWS Security Hub and Amazon GuardDuty:

- AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation.
- Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation

GuardDuty can be integrated into Security Hub so that findings generated by GuardDuty can be aggregated into Security Hub for centralized viewing (along with any other enabled security services). Please reference [Product integrations in AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html) and you can take further action.

With regard to the S3 finding you referenced, please see the Amazon S3 Controls for Security Hub, specifically [S3.9 - S3 bucket server access logging should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#:~:text=%5BS3.9%5D%20S3%20bucket,User%20Guide.).

Also, please note this is an S3 control you are being notified to action on, per the [AWS Foundational Security Best Practices v1](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html#:~:text=%5BS3.9%5D%20S3%20bucket%20server%20access%20logging%20should%20be%20enabled) standard you enabled in Security Hub.

For GuardDuty, expect to see any of the following should GuardDuty detect suspicious behavior for your S3 buckets - [GuardDuty S3 finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html).

If you are unsure of which source a finding originated from in Security Hub, you can do the following:
1.  Log into your AWS account that is serving as the delegated security administrator for Security Hub
2. Navigate to the Security Hub console
3. Select the Findings link on the far left
4.  Look for the Product filter and you will see the source/service of where a finding originated from

Hope this helps!

Answer

Guard duty is an intelligent threat detection service where it monitors things such as DNS request logs, VPC Flow logs, CloudTrail event logs etc.

The S3 bucket findings is NOT part of Guard duty. That will be coming from AWS Config rules.

S3 protection in guard duty will be monitoring API calls and not how buckets are configured.

Security hub aggregates findings from multiple sources such as GuardDuty, Config, Macie, Inspector

Security Hub Findings don't match Guard Duty findings

Relevant content