AWS securityhub medium security documentation change
Summary
Added documentation for Amazon Route 53 Resolver DNS Firewall integration, updated integration activation details, and improved service descriptions
Security assessment
The change adds documentation for Route 53 Resolver DNS Firewall integration that detects and reports DNS-related security threats like malicious domains and DNS tunneling. This directly documents security monitoring capabilities for DNS traffic analysis and threat detection.
Diff
diff --git a/securityhub/latest/userguide/securityhub-internal-providers.md b/securityhub/latest/userguide/securityhub-internal-providers.md index 0843ed59c..932440a03 100644 --- a//securityhub/latest/userguide/securityhub-internal-providers.md +++ b//securityhub/latest/userguide/securityhub-internal-providers.md @@ -9 +9 @@ Overview of AWS service integrations with Security Hub CSPMAWS services that sen -AWS Security Hub Cloud Security Posture Management (CSPM) supports integrations with several other AWS services. +AWS Security Hub Cloud Security Posture Management (CSPM) supports integrations with several other AWS services. These integrations can help you get a comprehensive view of security and compliance across your AWS environment. @@ -11,3 +11 @@ AWS Security Hub Cloud Security Posture Management (CSPM) supports integrations -###### Note - -Integrations may not be available in all AWS Regions. If an integration isn't supported in the current Region, it doesn't appear on the **Integrations** page. +Unless indicated otherwise below, AWS service integrations that send findings to Security Hub CSPM are activated automatically after you enable Security Hub CSPM and the other service. Integrations that receive Security Hub CSPM findings might require additional steps for activation. Review the information about each integration to learn more. @@ -15,3 +13 @@ Integrations may not be available in all AWS Regions. If an integration isn't su -For a list of integrations that are available in the China Regions and AWS GovCloud (US), see [Integrations that are supported in the China (Beijing) and China (Ningxia) Regions](./securityhub-regions.html#securityhub-regions-integration-support-china) and [Integrations that are supported in AWS GovCloud (US-East) and AWS GovCloud (US-West) Regions](./securityhub-regions.html#securityhub-regions-integration-support-govcloud). - -Unless indicated below, AWS service integrations that send findings to Security Hub CSPM are automatically activated after you enable Security Hub CSPM and the other service. Integrations that receive Security Hub CSPM findings may require additional steps for activation. Review the information about each integration to learn more. +Some integrations aren't available in all AWS Regions. On the Security Hub CSPM console, an integration doesn't appear on the **Integrations** page if it isn't supported in the current Region. For a list of integrations that are available in the China Regions and AWS GovCloud (US) Regions, see [Availability of integrations by Region](./securityhub-regions.html#securityhub-regions-integration-support). @@ -21 +17 @@ Unless indicated below, AWS service integrations that send findings to Security -Here is an overview of AWS services that send findings to Security Hub CSPM or receive findings from Security Hub CSPM. +The following table provides an overview of AWS services that send findings to Security Hub CSPM or receive findings from Security Hub CSPM. @@ -32,0 +29 @@ Amazon Macie | Sends findings +Amazon Route 53 Resolver DNS Firewall | Sends findings @@ -43 +40 @@ AWS Trusted Advisor | Receives findings -The following AWS services integrate with Security Hub CSPM by sending findings to Security Hub CSPM. Security Hub CSPM converts the findings into the [AWS Security Finding Format](./securityhub-findings-format.html). +The following AWS services integrate with and can send findings to Security Hub CSPM. Security Hub CSPM converts the findings to the [AWS Security Finding Format](./securityhub-findings-format.html). @@ -125 +122 @@ Security Hub CSPM transforms AWS Config rule evaluations into findings that foll -If the description is more than 1024 characters, it will be truncated to 1024 characters and will say "(truncated)" at the end. +If the description is more than 1,024 characters, it will be truncated to 1,024 characters and will say "(truncated)" at the end. @@ -497 +494 @@ For more information about this integration, see [Integration with AWS Security -A finding from Macie can indicate that there is a potential policy violation or that sensitive data, such as personally identifiable information (PII), is present in data that your organization stores in Amazon S3. +Amazon Macie is a data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. A finding from Macie can indicate that a potential policy violation or sensitive data exists in your Amazon S3 data estate. @@ -505 +502,22 @@ Macie also sends generated sample findings to Security Hub CSPM. For sample find -For more information, see [Amazon Macie integration with AWS Security Hub Cloud Security Posture Management (CSPM)](https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html) in the _Amazon Macie User Guide_. +For more information, see [Evaluating Macie findings with Security Hub](https://docs.aws.amazon.com/macie/latest/user/securityhub-integration.html) in the _Amazon Macie User Guide_. + +### Amazon Route 53 Resolver DNS Firewall (Sends findings) + +With Amazon Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). You do this by creating reusable collections of filtering rules in DNS Firewall rule groups, associating the rule groups with your VPC, and then monitoring activity in DNS Firewall logs and metrics. Based on the activity, you can adjust DNS Firewall behavior. DNS Firewall is a feature of Route 53 Resolver. + +Route 53 Resolver DNS Firewall can send several types of findings to Security Hub CSPM: + + * Findings related to queries blocked or alerted on for domains associated with AWS Managed Domain Lists, which are domain lists that AWS manages. + + * Findings related to queries blocked or alerted on for domains associated with a custom domain list that you define. + + * Findings related to queries blocked or alerted on by DNS Firewall Advanced, which is a Route 53 Resolver feature that can detect queries associated with advanced DNS threats such as Domain Generation Algorithms (DGAs) and DNS Tunneling. + + + + +After you enable Security Hub CSPM and Route 53 Resolver DNS Firewall, DNS Firewall automatically starts sending findings for AWS Managed Domain Lists and DNS Firewall Advanced to Security Hub CSPM. To also send findings for a custom domain list to Security Hub CSPM, manually enable the integration in Security Hub CSPM. + +In Security Hub CSPM, all findings from Route 53 Resolver DNS Firewall have the following type: `TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation`. + +For more information, see [Sending findings from Route 53 Resolver DNS Firewall to Security Hub](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/securityhub-integration.html) in the _Amazon Route 53 Developer Guide_.