sivatharsan
Streamlining AWS Security Hub and Policy Management for Organizations with Terraform

1. Security Hub for Organization

AWS Security Hub offers a comprehensive overview of your AWS infrastructure's security posture, helping you monitor and maintain compliance with industry standards and best practices.

[Figure: Security Hub for Organization]

By aggregating security data from your AWS accounts, your organization, other AWS services, and third-party products, Security Hub lets you analyze security trends and prioritize the most critical issues for resolution.

1.1. Security standards

AWS Security Hub currently provides the following security standards (as of Dec 2024), which you can enable and customize to meet your organization's requirements.

a. AWS Foundational Security Best Practices v1.0.0: This standard consists of automated security checks designed to identify when AWS accounts and deployed resources deviate from established security best practices, as defined by AWS security experts.

b. AWS Resource Tagging Standard v1.0.0: This standard includes automated security checks that determine whether AWS resources have been appropriately tagged.

c. CIS AWS Foundations Benchmark (v1.2.0, v1.4.0, v3.0.0): Developed by the Center for Internet Security (CIS), this benchmark provides a set of security configuration best practices for AWS.

d. NIST Special Publication 800–53 Revision 5: This publication offers a comprehensive catalog of security and privacy controls applicable to information systems and organizations.

e. PCI DSS (v3.2.1, v4.0.1): The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to organizations that store, process, or transmit cardholder data.

1.2. Benefits of Enabling Security Hub for Organization

  • Less effort to collect and prioritize security findings.
  • Automated security checks against industry best practices and standards.
  • A single, consolidated view of findings across accounts and services.
  • Hooks to automate the remediation of security issues.
  • Notifications driven by security findings.

2. Configurations in Security Hub

Security Hub can be configured in one of two modes:

  1. Local Configuration
  2. Central Configuration

2.1. Local Configuration

Local configuration is the default configuration type after Security Hub is integrated with AWS Organizations.

With local configuration, the delegated administrator can automatically turn on Security Hub and the default security standards for new organization accounts in the current Region.

When the administrator chooses to enable these default standards, all of their controls are also activated with default settings for the new member accounts.

These settings do not apply to accounts that already exist, so control settings can drift between accounts. The administrator has to turn off specific controls from the default standards, and set up any additional standards and controls, in each account and Region individually.

2.2. Central Configuration

In central configuration, an organization can designate accounts as either self-managed or centrally managed, determined by configuration policies. This allows the organization to specify which accounts or organizational units (OUs) should be centrally managed and which should be self-managed.

[Figure: Security Hub central configuration]

2.2.1. Centrally managed
A target that only the delegated administrator can configure across Regions by using configuration policies.

The delegated administrator account specifies whether a target is centrally managed. The delegated administrator can also change a target's status from centrally managed to self-managed, or the other way around via Security Hub configuration.

Centrally managed targets imply a central team that owns the mandatory Security Hub standards and controls for the organization. This keeps every account in the organization on the same security baseline.

2.2.2. Self-managed
A target that manages its own Security Hub configurations. A self-managed target uses account-specific operations to configure Security Hub for itself separately in each Region. This is in contrast to centrally managed targets, which are configurable only by the delegated administrator across Regions through configuration policies.

3. Enable Security Hub and Central Configuration using Terraform

In the following sections, we will explore how to enable Security Hub for AWS Organization, activate central configuration, and create configuration policies using Terraform.

i. Enable Security Hub and designate a Delegated Admin account for AWS Organization.

# Trust the Security Hub service principal in AWS Organizations. This list is the
# complete set of trusted services, so keep every principal the organization already trusts.
resource "aws_organizations_organization" "add_sh_service_principal" {
  aws_service_access_principals = ["securityhub.amazonaws.com"]
  feature_set                   = "ALL"
}

# Designate a member account as the Security Hub delegated administrator
resource "aws_securityhub_organization_admin_account" "add_securityhub_admin" {
  admin_account_id = "123456789012"
  depends_on       = [aws_organizations_organization.add_sh_service_principal]
}

Note: the Terraform code above must be executed in the management account. The aws_organizations_organization resource manages the organization itself, so for an existing organization import it into Terraform state before applying, and keep every service principal the organization already trusts in aws_service_access_principals, otherwise the apply removes them. Use a dedicated member account, not the management account, as the delegated administrator.

ii. Enable central configuration

Run this step and the ones that follow in the delegated administrator account, in the Region that will serve as the Security Hub home Region.

resource "aws_securityhub_organization_configuration" "enable_central_config" {
  auto_enable           = false  # must be false when configuration_type is CENTRAL
  auto_enable_standards = "NONE" # must be NONE when configuration_type is CENTRAL
  organization_configuration {
    configuration_type = "CENTRAL"
  }
}

Once the configuration type is set to CENTRAL, every member account starts out as self-managed; you can confirm this in the Security Hub console under Configuration. A target becomes centrally managed only once a configuration policy is associated with it, its OU, or the organization root.

iii. Example Terraform code to enable one security standard

resource "aws_securityhub_configuration_policy" "aws_foundational_standard" {
  name        = "AWS-Foundational-Standard"
  description = "Enable a single security standard with all of its controls"
  configuration_policy {
    service_enabled = true
    # Standard ARNs are Region-specific: use the home Region of the delegated administrator
    enabled_standard_arns = [
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    ]
    security_controls_configuration {
      # An empty deny-list enables every control in the standard, including controls released later
      disabled_control_identifiers = []
    }
  }
  depends_on = [aws_securityhub_organization_configuration.enable_central_config]
}

iv. Example Terraform code to enable only a single security control

Listing controls in enabled_control_identifiers is an allow-list: every other control in the standard, including controls AWS releases later, stays disabled.

resource "aws_securityhub_configuration_policy" "block_s3_public_access" {
  name        = "Block-S3-Public-Access"
  description = "Enable only control S3.8 from the AWS Foundational standard"
  configuration_policy {
    service_enabled = true
    enabled_standard_arns = [
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    ]
    security_controls_configuration {
      # Allow-list: S3.8 is the only control that will be evaluated
      enabled_control_identifiers = [
        "S3.8"
      ]
    }
  }
  depends_on = [aws_securityhub_organization_configuration.enable_central_config]
}

v. Example Terraform code to enable one standard and disable a single security control

This is the deny-list form: every control in the standard is enabled except S3.8. The resource gets its own name here, because two resources of the same type cannot share a name within one Terraform configuration.

resource "aws_securityhub_configuration_policy" "disable_s3_8" {
  name        = "Disable-Block-S3-Public-Access"
  description = "Enable the AWS Foundational standard with control S3.8 disabled"
  configuration_policy {
    service_enabled = true
    enabled_standard_arns = [
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0"
    ]
    security_controls_configuration {
      # Deny-list: all other controls, including future ones, remain enabled
      disabled_control_identifiers = [
        "S3.8"
      ]
    }
  }
  depends_on = [aws_securityhub_organization_configuration.enable_central_config]
}

vi. Example Terraform code to attach the configuration policy to a specific OU

resource "aws_securityhub_configuration_policy_association" "associate_ou" {
  target_id = "<OU_ID>"
  policy_id = aws_securityhub_configuration_policy.aws_foundational_standard.id
}

vii. Example Terraform code to attach the configuration policy to a single account

resource "aws_securityhub_configuration_policy_association" "associate_account" {
  target_id = "111122223333"
  policy_id = aws_securityhub_configuration_policy.block_s3_public_access.id
}
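The steps above are shown one resource at a time. The following is an added example, not code from the original post, that puts them together into one layout a platform team could actually apply: the cross-Region aggregator that central configuration requires, the switch to CENTRAL, an organization-wide baseline policy that enables two standards with a documented deny-list, a narrower allow-list policy for a sandbox OU, and the two associations that wire them up. It is meant to be applied in the delegated administrator account, in the Region you want as the home Region, after step i has already run in the management account. The variables org_root_id and sandbox_ou_id are assumed inputs, and the specific controls in the two lists are illustrative choices for this example rather than recommendations from the post.

```hcl
# Added example (not from the original post). Apply in the delegated administrator
# account, in the intended home Region, with a recent 5.x hashicorp/aws provider.

variable "org_root_id" {
  type        = string
  description = "Organization root ID; the baseline policy is attached here (assumed input)"
}

variable "sandbox_ou_id" {
  type        = string
  description = "OU whose accounts get the lighter sandbox policy (assumed input)"
}

data "aws_region" "home" {}

locals {
  # Standard ARNs are Region-specific, so they are built from the home Region.
  fsbp_arn = "arn:aws:securityhub:${data.aws_region.home.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
  nist_arn = "arn:aws:securityhub:${data.aws_region.home.name}::standards/nist-800-53/v/5.0.0"
}

# Central configuration requires cross-Region aggregation; creating the aggregator
# in this Region makes it the home Region.
resource "aws_securityhub_finding_aggregator" "home" {
  linking_mode = "ALL_REGIONS"
}

resource "aws_securityhub_organization_configuration" "central" {
  auto_enable           = false  # required to be false for CENTRAL
  auto_enable_standards = "NONE" # required to be NONE for CENTRAL
  organization_configuration {
    configuration_type = "CENTRAL"
  }
  depends_on = [aws_securityhub_finding_aggregator.home]
}

# Baseline for the whole organization: two standards, every control enabled except
# the listed exceptions. A deny-list means controls AWS releases later are picked up
# automatically; each exception carries its justification next to it.
resource "aws_securityhub_configuration_policy" "baseline" {
  name        = "org-baseline"
  description = "FSBP 1.0.0 and NIST 800-53 r5 with documented exceptions"
  configuration_policy {
    service_enabled       = true
    enabled_standard_arns = [local.fsbp_arn, local.nist_arn]
    security_controls_configuration {
      disabled_control_identifiers = [
        "CloudFormation.1", # example exception: stack notifications handled by the pipeline
        "EC2.17",           # example exception: multiple ENIs needed by shared-VPC appliances
      ]
    }
  }
  depends_on = [aws_securityhub_organization_configuration.central]
}

# Sandbox OU: FSBP only, with an allow-list of controls that must hold even there.
# An allow-list disables everything else, including future controls, so reserve it
# for targets where that is the intent.
resource "aws_securityhub_configuration_policy" "sandbox" {
  name        = "sandbox-minimum"
  description = "Minimum controls enforced in sandbox accounts"
  configuration_policy {
    service_enabled       = true
    enabled_standard_arns = [local.fsbp_arn]
    security_controls_configuration {
      enabled_control_identifiers = [
        "S3.8",   # buckets must block public access
        "IAM.4",  # no root user access keys
        "EC2.19", # no unrestricted access to high-risk ports
      ]
    }
  }
  depends_on = [aws_securityhub_organization_configuration.central]
}

# A target inherits the policy of its closest associated ancestor: the root
# association covers every account, and the OU association overrides it for the
# sandbox subtree only.
resource "aws_securityhub_configuration_policy_association" "root" {
  target_id = var.org_root_id
  policy_id = aws_securityhub_configuration_policy.baseline.id
}

resource "aws_securityhub_configuration_policy_association" "sandbox" {
  target_id = var.sandbox_ou_id
  policy_id = aws_securityhub_configuration_policy.sandbox.id
}
```

After the apply, the Configuration page of the delegated administrator should show the root and the sandbox OU as centrally managed with their respective policies, and any OU or account that is not under an association as self-managed. Prefer the deny-list form for the baseline and keep the allow-list form for narrowly scoped targets, because an allow-list silently opts the target out of every control added after the policy was written.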

4. Other Key Features of Security Hub

  • Automation Rules: You can use automation rules in AWS Security Hub to automatically update findings. When findings are received, Security Hub can take actions like hiding findings, changing their severity, or adding notes. These actions are applied to findings that meet the conditions you set.

  • Cross-Region aggregation: With AWS Security Hub, you can aggregate findings, updates, insights, compliance statuses, and security scores from multiple AWS Regions into a single home Region, allowing you to manage all the data centrally.

  • Customizable dashboard: You can customize the Summary dashboard in the AWS Security Hub console to display only the security data that matters most to you.

  • Integrations: AWS Security Hub can ingest security findings from several AWS services and supported third-party AWS Partner Network security solutions.
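The automation rules bullet above describes the three actions (suppressing findings, changing severity, adding notes) without showing what a rule looks like. The following is an added example, not code from the original post, of two automation rules expressed with the Terraform provider's aws_securityhub_automation_rule resource, created in the delegated administrator account: one raises severity on resources tagged as holding restricted data, the other suppresses findings on resources that carry an approved-exception tag while refusing to suppress anything CRITICAL. The tag keys and values (DataClassification, SecurityException) and the updated_by identity are assumed conventions for this example.

```hcl
# Added example (not from the original post). Tag keys/values and the updated_by
# identity are assumed conventions; adjust them to your own tagging standard.

# Rule 1: findings on resources tagged as restricted data are raised to CRITICAL and
# annotated, so they surface at the top of the aggregated view.
resource "aws_securityhub_automation_rule" "elevate_restricted" {
  rule_name   = "elevate-restricted-data-findings"
  rule_order  = 1
  description = "Raise severity of findings on resources tagged DataClassification=restricted"

  criteria {
    resource_tags {
      comparison = "EQUALS"
      key        = "DataClassification"
      value      = "restricted"
    }
    record_state {
      comparison = "EQUALS"
      value      = "ACTIVE"
    }
  }

  actions {
    type = "FINDING_FIELDS_UPDATE"
    finding_fields_update {
      severity {
        label = "CRITICAL"
      }
      note {
        text       = "Resource holds restricted data; escalate to the data owner."
        updated_by = "sechub-automation"
      }
    }
  }
}

# Rule 2: findings on resources with an approved exception are suppressed rather than
# deleted, so they stay auditable. CRITICAL findings are excluded from the match so a
# tag alone can never hide them.
resource "aws_securityhub_automation_rule" "suppress_approved_exceptions" {
  rule_name   = "suppress-approved-exceptions"
  rule_order  = 2
  description = "Suppress non-critical findings on resources tagged SecurityException=approved"

  criteria {
    resource_tags {
      comparison = "EQUALS"
      key        = "SecurityException"
      value      = "approved"
    }
    severity_label {
      comparison = "NOT_EQUALS"
      value      = "CRITICAL"
    }
  }

  actions {
    type = "FINDING_FIELDS_UPDATE"
    finding_fields_update {
      workflow {
        status = "SUPPRESSED"
      }
      note {
        text       = "Suppressed by approved exception tag; re-check at the next exception review."
        updated_by = "sechub-automation"
      }
    }
  }
}
```

Rules are evaluated in rule_order, so the elevation rule runs before the suppression rule. Because the exception tag is what drives suppression, whoever can set tags on a resource can hide its findings; restrict tag changes on that key (for example with a tag policy or an SCP) and audit suppressed findings periodically.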


I welcome your feedback and suggestions on alternative best practices. If you have any other methods or approaches that you believe are more effective than the one mentioned, please feel free to share your insights by leaving a comment. I value diverse perspectives and am open to exploring different approaches to achieve optimal results. Your suggestions are greatly appreciated!
