Manage AWS Security Hub using CloudFormation

In this blog post, we show you how to enable and configure AWS Security Hub using the new Security Hub CloudFormation resources. Security Hub has expanded support for AWS CloudFormation by launching the updated Security Hub Hub resource and a new Standards resource for CloudFormation. The Hub resource can be used to enable Security Hub default standards and manage the consolidated control findings feature. The Standards resource can be used to manage security standards. This deployment can be performed at scale across multiple AWS accounts or organizational units (OU) in an organization.

Security Hub provides you with a comprehensive view of your security posture in AWS by checking your environment against security industry standards and best practices. Security Hub provides a single place that aggregates, organizes, and prioritizes security findings from multiple AWS services and partner solutions that you can use to analyze your security trends and identify the highest priority security issues.

Solution overview

We provide sample CloudFormation templates focusing on specific Security Hub use cases. You can use these templates if you’re getting started with Security Hub or if you’re an existing Security Hub customer and want to use CloudFormation.

You can use CloudFormation Stacks or StackSets to deploy the templates in this post. CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. Using an administrator account, you define and manage a CloudFormation template and use it as the basis for provisioning stacks into selected target accounts across specified Regions. For more information, see working with AWS CloudFormation StackSets.

In the following sections we provide some sample use cases. Use the guidance provided in each section to understand what accounts and Regions the stack sets should be deployed in.

Note: With CloudFormation StackSets, the template isn’t deployed in the StackSet administrator account by default. The CloudFormation stack must be deployed separately in the StackSet administrator account.

Prerequisites

  1. Security Hub uses service-linked AWS Config rules to perform most of its security checks for controls. We recommend that you enable AWS Config across your accounts and Regions. AWS Config can be managed using the CloudFormation Config Recorder and Delivery Channel resources.
  2. Experience with CloudFormation StackSets.
  3. If you’re already a Security Hub user and want to start using CloudFormation to manage standards and controls, then you must import the Standards resource into CloudFormation before deploying the example templates in this post. Refer to the Configuration for existing Security Hub deployments section that follows.
  4. You must know the StandardsARN of the Security Hub standards you want to enable using CloudFormation. You can find these by using the following AWS Command Line Interface (AWS CLI) command:
    $ aws securityhub describe-standards

    Alternatively, the StandardsARN values at the time of writing this post are:

    Security Standard / Standards subscription ARN
    CIS 1.2: arn:${AWS::Partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0
    CIS 1.4: arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/cis-aws-foundations-benchmark/v/1.4.0
    AFSBP: arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0
    NIST: arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/nist-800-53/v/5.0.0
    PCI: arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/pci-dss/v/3.2.1
  5. If you plan to disable controls using CloudFormation, then you must know the ControlsARN of the controls you want to disable. This can be found using the following AWS CLI commands:
    $ aws securityhub get-enabled-standards
    $ aws securityhub describe-standards-controls --standards-subscription-arn [Standards Subscription Arn]

Use case 1: Enabling Security Hub across accounts in an organization with standards and findings consolidation enabled

Security Hub provides customers with security standards that include a set of requirements to determine compliance with regulatory frameworks, industry best practices, and company policies. New customers getting started with Security Hub might want to enable the AWS Foundational Security Best Practices (FSBP) standard across their AWS accounts in an organization. You can optionally enable additional Security Hub standards as needed in your environment. For example, you might have a group of AWS accounts that are subject to PCI compliance regulations and so it is recommended that you enable the PCI standard across those accounts.

In addition, most Security Hub controls apply to multiple security standards, so we recommend enabling findings consolidation. The ControlFindingGenerator property specifies whether an account has consolidated control findings turned on or off. If this field is set to SECURITY_CONTROL, as in the template that follows, Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards, instead of one finding per standard.

For a list of available standards and the controls that apply to them, see Standards reference.

You can use the template that follows to enable Security Hub with the AWS FSBP standard and findings consolidation enabled:

Description: Enable Security Hub with AWS foundational best practices standard and findings consolidation enabled  

Resources:
  ExampleHubWithTags:
    Type: 'AWS::SecurityHub::Hub'
    Properties:
      Tags:
        ManagedBy: IaC CFn
        Name: Blog-example-hub
      EnableDefaultStandards: false
      ControlFindingGenerator: 'SECURITY_CONTROL'

  AFSBPStandard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'

Outputs:
  HubArn:
    Value: !Ref ExampleHubWithTags
  StandardsSubscriptionArn1:
    Value: !Ref AFSBPStandard

To enable additional security standards, you can use the sample template below. You can edit this template to include only the standards that are relevant to your environment.

Description: Enable Security Hub with specific standards and findings consolidation enabled  

Resources:
  ExampleHubWithTags:
    Type: 'AWS::SecurityHub::Hub'
    Properties:
      Tags:
        ManagedBy: IaC CFn
        Name: Blog-example-hub
      EnableDefaultStandards: false
      ControlFindingGenerator: 'SECURITY_CONTROL'

  CIS12Standard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0'

  CIS14Standard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/cis-aws-foundations-benchmark/v/1.4.0'

  PCIStandard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/pci-dss/v/3.2.1'
     
  NISTStandard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/nist-800-53/v/5.0.0'

  AFSBPStandard:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'

Outputs:
  HubArn:
    Value: !Ref ExampleHubWithTags
  StandardsSubscriptionArn1:
    Value: !Ref CIS14Standard
  StandardsSubscriptionArn2:
    Value: !Ref NISTStandard
  StandardsSubscriptionArn3:
    Value: !Ref AFSBPStandard
  StandardsSubscriptionArn4:
    Value: !Ref CIS12Standard
  StandardsSubscriptionArn5:
    Value: !Ref PCIStandard

Note: We recommend setting the EnableDefaultStandards property to false, as in the samples above, and enabling the default standards through Standards resources instead, so that each standard can be managed independently.

Deployment steps:

  1. Log in to the AWS Management Console using your organization management account or StackSet administrator account and select the appropriate Region.
  2. Navigate to the AWS CloudFormation StackSets console in the Region being used, and create a new StackSet using one of the preceding sample templates. You can copy and paste the template into a notepad and save it with a .yaml extension.
  3. Enter the Stack name and Stack Description, and then choose Next.
  4. Under deployment targets, you can choose to deploy the template to the accounts in your organization or to specific OUs or accounts. You can also specify the Regions to deploy the template.
    Figure 1: CloudFormation StackSet deployment target settings

  5. Choose Next and then choose Submit.
  6. On the Stack Instances screen, validate the StackSet deployment and wait for the stack instance status to change from OUTDATED to CURRENT.

For more information, see the documentation on creating a stack set.

Use case 2: Enable NIST 800-53, CIS1.2 and AWS FSBP across all accounts or Regions and disable specific controls

Security Hub recently launched support for the NIST SP 800-53 r5 standard, which includes over 220 automated controls that perform continual checks against selected NIST SP 800-53 r5 requirements across various AWS services.

By default, when a security standard is enabled, all the controls in the standard are also enabled. Disabling controls that aren’t relevant to your environment makes it simpler to identify the findings that are important and that you should act on. You can also disable controls that are associated with services you aren’t using or if you already have compensating controls in place. Review Security Hub controls that you might want to disable and Disabling Security Hub controls in a multi-account environment for information about the controls you might want to disable. The latter post walks through the process of disabling controls using an AWS CLI script if you don’t want to use CloudFormation.

In this example, we enable NIST 800-53, CIS1.2 and AWS FSBP standards and disable [CloudTrail.2] Control ID (CloudTrail should have encryption at-rest enabled) as recommended in controls you might want to disable. Refer to prerequisite number 5 above to identify the controls ARN for this Control ID.

Note: The mapping of controls across different standards might have different control IDs. In this template, CloudTrail.2 in AWS FSBP is mapped to control ID 2.7 in CIS1.2 standard. The full list of controls and its mapping across standards can be found in the Security Hub controls reference.

You should use this template in all accounts and Regions except for the centralized logging (log-archive) account and the Region where centralized logging takes place. When enabling multiple standards in a single CloudFormation template, use the DependsOn attribute so that each Standards resource depends on the previous one; this serializes the calls and accommodates the rate limit of the BatchEnableStandards API.

Description: Enable Security Hub with default standards turned off, findings consolidation turned on, CIS12, NIST, AFSBP turned on with CloudTrail.2 disabled.

Resources:
  ExampleHubWithTags:
    Type: 'AWS::SecurityHub::Hub'
    Properties:
      Tags:
        ManagedBy: IaC CFn
        Name: Blog-example-hub
      EnableDefaultStandards: false
      ControlFindingGenerator: 'SECURITY_CONTROL'

  CIS12StandardWithDisabledControls:
    DependsOn: ExampleHubWithTags
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/cis-aws-foundations-benchmark/v/1.2.0/2.7'
          Reason: 'Disabled by CloudFormation, this control only needs to be enabled on the log-archive account'


  NISTStandardWithDisabledControls:
    DependsOn: CIS12StandardWithDisabledControls
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/nist-800-53/v/5.0.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/nist-800-53/v/5.0.0/CloudTrail.2'
          Reason: 'Disabled by CloudFormation, this control only needs to be enabled on the log-archive account'


  AFSBPStandardWithDisabledControls:
    DependsOn: NISTStandardWithDisabledControls
    Type: 'AWS::SecurityHub::Standard'
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/aws-foundational-security-best-practices/v/1.0.0'
      DisabledStandardsControls:
        - StandardsControlArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/aws-foundational-security-best-practices/v/1.0.0/CloudTrail.2'
          Reason: 'Disabled by CloudFormation, this control only needs to be enabled on the log-archive account'

Outputs:
  HubArn:
    Value: !Ref ExampleHubWithTags
  StandardsSubscriptionArn1:
    Value: !Ref CIS12StandardWithDisabledControls
  StandardsSubscriptionArn2:
    Value: !Ref NISTStandardWithDisabledControls
  StandardsSubscriptionArn3:
    Value: !Ref AFSBPStandardWithDisabledControls
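As an added example (not code from the post or from AWS), the following Python script builds a template equivalent to the one above in CloudFormation's JSON form and lints it against the guidance in this post: EnableDefaultStandards off, ControlFindingGenerator set to SECURITY_CONTROL, every Standard resource chained through DependsOn, and each disabled control's ARN derived from its own standard's path. The STANDARDS map and ARN patterns are the ones shown on this page; the logical IDs, the lint messages and the function names are this example's own.

```python
"""Build and lint a Security Hub CloudFormation template (JSON form; Fn::Sub fills partition/Region)."""
import re

STANDARDS = {
    "CIS12": "arn:${AWS::Partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
    "NIST": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/nist-800-53/v/5.0.0",
    "AFSBP": "arn:${AWS::Partition}:securityhub:${AWS::Region}::standards/"
             "aws-foundational-security-best-practices/v/1.0.0",
}
CONTROL_PREFIX = "arn:${AWS::Partition}:securityhub:${AWS::Region}:${AWS::AccountId}:control/"

def standard_path(standards_arn):
    """Part of a StandardsArn after ruleset/ or standards/, e.g. nist-800-53/v/5.0.0."""
    m = re.search(r"::(?:ruleset|standards)/(.+)$", standards_arn)
    if not m:
        raise ValueError(f"unrecognised StandardsArn: {standards_arn}")
    return m.group(1)

def control_arn(standards_arn, control_id):
    """A control ARN keeps the standard path and adds the account id and per-standard control id."""
    return f"{CONTROL_PREFIX}{standard_path(standards_arn)}/{control_id}"

def build_template(enabled, disabled, reason):
    """enabled: ordered list of STANDARDS keys; disabled: {key: [per-standard control ids]}."""
    resources = {"Hub": {"Type": "AWS::SecurityHub::Hub", "Properties": {
        "EnableDefaultStandards": False,  # standards are managed as their own resources
        "ControlFindingGenerator": "SECURITY_CONTROL"}}}  # findings consolidation on
    outputs = {"HubArn": {"Value": {"Ref": "Hub"}}}
    previous = "Hub"
    for n, key in enumerate(enabled, 1):
        logical_id = f"{key}Standard"
        props = {"StandardsArn": {"Fn::Sub": STANDARDS[key]}}
        if disabled.get(key):
            props["DisabledStandardsControls"] = [
                {"StandardsControlArn": {"Fn::Sub": control_arn(STANDARDS[key], cid)},
                 "Reason": reason} for cid in disabled[key]]
        # Chain DependsOn so standards are enabled one at a time (BatchEnableStandards rate limit).
        resources[logical_id] = {"Type": "AWS::SecurityHub::Standard",
                                 "DependsOn": previous, "Properties": props}
        outputs[f"StandardsSubscriptionArn{n}"] = {"Value": {"Ref": logical_id}}
        previous = logical_id
    return {"Description": "Security Hub with chained standards and disabled controls",
            "Resources": resources, "Outputs": outputs}

def lint(template):
    """Return deviations from the post's guidance; an empty list means the template is clean."""
    res, problems = template["Resources"], []
    hubs = [k for k, v in res.items() if v["Type"] == "AWS::SecurityHub::Hub"]
    stds = [k for k, v in res.items() if v["Type"] == "AWS::SecurityHub::Standard"]
    if len(hubs) != 1:
        return ["exactly one AWS::SecurityHub::Hub resource is required"]
    hub = res[hubs[0]]["Properties"]
    if stds and hub.get("EnableDefaultStandards") is not False:
        problems.append("EnableDefaultStandards must be false when Standard resources are declared")
    if hub.get("ControlFindingGenerator") != "SECURITY_CONTROL":
        problems.append("ControlFindingGenerator should be SECURITY_CONTROL (findings consolidation)")
    previous = hubs[0]
    for k in stds:
        if res[k].get("DependsOn") != previous:
            problems.append(f"{k} should DependsOn {previous}")
        previous = k
        expect = CONTROL_PREFIX + standard_path(res[k]["Properties"]["StandardsArn"]["Fn::Sub"]) + "/"
        for ctl in res[k]["Properties"].get("DisabledStandardsControls", []):
            if not ctl.get("Reason") or not ctl["StandardsControlArn"]["Fn::Sub"].startswith(expect):
                problems.append(f"{k}: disabled control lacks a Reason or belongs to another standard")
    return problems
```

Pass the returned dict through json.dumps to get a template file you can deploy with a stack or StackSet; the lint catches a template edited to drop a DependsOn link or to disable a control under the wrong standard before it is rolled out across accounts.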

Use case 3: Enabling a control that was previously disabled across all accounts and Regions or specific OUs

To enable a control that was previously disabled, remove it from the DisabledStandardsControls property. For example, you can modify the template provided in Use case 2 for use in a central logging account by removing the DisabledStandardsControls property under all standards. You can then use the StackSet deployment targets to provide the IDs of the OUs in which you want the template to be deployed, as shown in Figure 1 in Use case 1.

Configuration for existing Security Hub deployments

If you’re an existing Security Hub customer and want to manage Security Hub using CloudFormation, you have two options. One option is to disable the existing resources and then enable them using CloudFormation. The other option is to import the resources into CloudFormation stacks.

Disabling existing resources and enabling them using CloudFormation

In this option you first disable all Security Hub standards across all accounts and Regions and then re-enable the standards using CloudFormation StackSets. With this method, you don’t have to go through the process of importing resources into stacks and StackSets. You can use the Security Hub multi-account scripts to disable standards as reviewed in section 2b of this repo. Review Enabling and disabling security standards considerations before disabling standards. You can then use the CloudFormation Standards resource to re-enable and manage desired standards. You can use templates provided in use cases 1 and 2 above to manage the standards and controls. However, between the time that the standards are disabled and re-enabled using CloudFormation, checks for controls will not be performed by Security Hub. New findings will be generated when the standards are re-enabled and downstream automations will be re-launched. You will lose any notes supplied when controls were originally disabled.

You can also disable Security Hub fully in all accounts and Regions using the process in section 2b of this repo, and then re-enable Security Hub using CloudFormation resources to be managed using CloudFormation. However, in addition to implications of disabling standards as described in the previous paragraph, you will also need to recreate insights, automation rules, and integrations with third-party tools that you might have previously created or enabled. Before disabling Security Hub, review Disabling Security Hub for considerations.

Import Resources

If you created an AWS resource outside of CloudFormation management, you can bring that existing resource into CloudFormation management using resource import. You can then manage your resources using CloudFormation without having to delete and re-create them as part of a stack, and import those stacks into a StackSet. For a list of AWS resources that support import operations, see Resources that support import operations.

As of this writing, CloudFormation only supports the import of the Security Hub standards resource in a stack. This means that you still must manage the Security Hub configuration — such as enabling consolidated findings — outside of CloudFormation. If you enabled Security Hub through the console or the AWS CLI, you can still manage standards using CloudFormation without importing the Security Hub resource.

Security Hub enabled standards and disabled controls must be uniform across all accounts and Regions where you plan to use the stack in the StackSet. Consider using separate StackSets if the standards and controls are not uniform.

You can create a new stack to import the existing Security Hub standards. Import Existing Resources into a CloudFormation Stack walks through a sample process that you can use for Security Hub.

The following is an example of importing standards that are already enabled. The property DeletionPolicy is mandatory for the import process to work.

Description: Example Import standards
Resources:
  CISStandard:
    Type: 'AWS::SecurityHub::Standard'
    DeletionPolicy: Delete
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::subscription/cis-aws-foundations-benchmark/v/1.2.0'
  NIST800Standard:
    Type: 'AWS::SecurityHub::Standard'
    DeletionPolicy: Delete
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::subscription/nist-800-53/v/5.0.0'
  ASBP:
    Type: 'AWS::SecurityHub::Standard'
    DeletionPolicy: Delete
    Properties:
      StandardsArn: !Sub 'arn:${AWS::Partition}:securityhub:${AWS::Region}::subscription/aws-foundational-security-best-practices/v/1.0.0'

You must repeat the import process for each account and Region where you want to manage Security Hub standards using CloudFormation. After you have all the stacks imported, you must import the stacks into StackSets to manage the stacks from a single account.

Conclusion

In this blog post, you learned about the new Security Hub Hub and Standards resources for CloudFormation. You can use these resources to manage Security Hub deployments, standards, and controls across your AWS accounts and Regions. We provided some samples for CloudFormation templates to enable Security Hub findings consolidation, standards, and disable some controls. You can modify these samples to fit your needs. Visit the links below for more information on Security Hub and the expanded integration with CloudFormation.

For more information, see Getting started with AWS Security Hub and AWS Security Hub resource type reference.

Priyank Ghedia

Priyank is a Senior Solutions Architect focused on threat detection and incident response. Priyank helps customers meet their security visibility and response objectives by building architectures using AWS security services and tools. Before AWS, he spent eight years advising customers on global networking and security operations.

Kafayat Adeyemi

Kafayat is a Senior Technical Account Manager at AWS based in Atlanta, GA. She is passionate about security and works with enterprise customers to build, deploy, and manage secure and scalable workloads on AWS. Outside of work, she loves to travel and spend time with her family.

Praveen Haranahalli

Praveen is a Senior Solutions Architect at AWS. He engages with customers to create innovative solutions that address their business needs and to accelerate the adoption of AWS services. Praveen has helped diverse customers design and operate workloads on AWS and has a keen interest in security and governance. Outside of work, he loves being outdoors with his family.