Questions tagged with AWS Security Hub
Hi, in my Control Tower settings I see the following message: "The status of controls owned by AWS Security Hub are unknown in AWS Control Tower. Controls owned by AWS Security Hub are not aggregated in the compliance status of accounts and OUs in AWS Control Tower." I don't know how to solve it. ![Enter image description here](/media/postImages/original/IMZoO4QHNsTAS7eBNA1qkZKg) Regards
Is there a way to get alerted on security vulnerabilities related to cloud and application development, so that as a service provider we could start fixing the code accordingly or even intimate clients upfront about global security issues? I usually check the security bulletins once in a while, but the challenge is that there are plenty of updates every day, which makes it hard to read everything. https://aws.amazon.com/security/security-bulletins/?card-body.sort-by=item.additionalFields.bulletinId&card-body.sort-order=desc&awsf.bulletins-flag=*all&awsf.bulletins-year=year%232022 Is there any specific cloud service that provides such alerts?
Even though the status indicates Compliant, I am getting the following error on my OUs and accounts in AWS Control Tower after updating to Landing Zone 3.0: "The status of controls owned by AWS Security Hub are unknown in AWS Control Tower. Controls owned by AWS Security Hub are not aggregated in the compliance status of accounts and OUs in AWS Control Tower." The error was not showing before, or I can't remember seeing such an error before the upgrade to Landing Zone 3.0. I would appreciate any help on this. Thanks!
I have an organization that's updating its accounts to Control Tower Landing Zone 3.0. As we do so, we're finding that the upgraded accounts fail Security Hub AWS Foundational Security Best Practices rule Config.1 "AWS Config should be enabled". The failure appears to be caused by a change to Config where global resource recording only happens in the home Control Tower region. The Config.1 failures we see are in secondary regions, and we confirmed that the failing accounts don't have global resource recording active in the secondary regions. My question is: is there a plan to update the Security Hub rule to reflect the Control Tower change? Control Tower has it right, we only need to record global resources in one region. It's also very annoying to undo the change in Landing Zone 3.0 as we have to move accounts out of CT-managed OUs or log in as the CT role to change Config.
In Security Hub I have remediated the findings and changed the workflow status to Resolved. After 24 hrs the score is not increasing. Kindly help me out.
Hello Team, I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key (PKI) for my domain (.crt & .key). While uploading my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn't build a unique path from the given certificate to a root certificate". I am following the setup using this link, Ref: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Note: I am not using openssl to generate the RootCA.pem & RootCA.key.

Step 1 (SKIP): Create the private certificate authority (CA) private and public keys:

```
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
```

Step 2: Create the client certificate private key and certificate signing request (CSR):

```
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
```

Step 3: Sign the newly created client cert using the certificate authority you previously created:

```
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
```

Step 4: I have a minimum of five files in my directory:

- RootCA.key (root CA private key)
- RootCA.pem (root CA public key)
- my_client.csr (client certificate signing request)
- my_client.key (client certificate private key)
- my_client.pem (client certificate public key)

Step 5: Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:

```
cp RootCA.pem truststore.pem
```

Step 6: Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API:

```
aws s3 mb s3://your-name-ca-truststore --region us-east-1   # creates a new S3 bucket - skip if using existing bucket
aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled   # enables versioning on S3 bucket
aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem   # uploads object to S3 bucket
```

Step 7: Enable mutual TLS on a custom domain name I have in the AWS API Gateway console. While I upload my existing root CA public key to the S3 bucket, I am getting errors like:

Error: "API Gateway couldn't build a unique path from the given certificate to a root certificate".

Error: "There is an invalid certificate in your truststore bundle. Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
Can Macie consolidate the findings across various regions and report from one central location (like Security Hub), or does it have to be enabled region-wise?
Hello guys, is it possible somehow to map AWS 'Account ID' to 'Assignment Group' in ServiceNow when we automatically create an Incident from AWS Security Hub? The idea is to use AWS Service Management Connector for ServiceNow, and when some finding appears in AWS Security Hub it should create an incident in ServiceNow with a predefined 'Assignment Group' mapped to the 'Account ID' of the particular AWS account: ![Enter image description here](/media/postImages/original/IMX7OZZt-MS966Y8dbnpN2Cw) Here on the screenshot from ServiceNow, instead of the 'AWS Security Hub' group, there should be the name of the responsible group based on the 'Account ID' the 'AWS Security Hub' finding comes from. Thanks in advance
I have enabled Security Hub in all member accounts and also delegated it to the admin account. I am using the article below for exporting Security Hub results to CSV. But it fails during CloudFormation stack deployment, and the error says "error occurred while GetObject. S3 Error Code: PermanentRedirect, S3 Error Message: the bucket is in this region: us-east-1, please use this region to retry request", while I am trying to use it in eu-central-1, as I don't have aggregation enabled and am using only one region since I have all the accounts and resources there. Please guide what the right approach is to sort this out. https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/ ![error](/media/postImages/original/IMjxAiGZJbRtOByYRaErHgWQ)
Hello, I have always been very cautious about the security of database connections. I'm using AWS Lightsail and I'm creating a MySQL database, version 8.0.28 (in the Oregon Region). It is connected to instances in the same region in Lightsail. In summary, instances are deployed with managed databases. Based on the above environment, does Lightsail encrypt the connection between the instance and the managed database (not between the client and the managed database)? Best wishes
Starting to utilize the Security Hub feature, and it is saying that "S3.2 S3 buckets should prohibit public read access". We use S3 for a lot of images, most of them already in CloudFront, but when I turn off public access, even CloudFront fails. The recommendation is really no help, it just says to turn it off, so I am trying to figure out the best practice to roll out to all our S3 buckets. As I said, most are images that go to CloudFront; there are some other uses that I can look at, but I want to get those resolved in Security Hub and still allow the images to work. Thanks.
I'm trying to deploy this solution (https://aws.amazon.com/blogs/security/how-to-export-aws-security-hub-findings-to-csv-format/) but running into this particular error: `"Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy;"`. I'd appreciate it if someone could help me figure out what I could be doing wrong. Thanks all.