AWS prescriptive-guidance documentation change
Summary
Updated references from 'Security Hub' to 'Security Hub CSPM' throughout the document, including title, architecture descriptions, prerequisites, and troubleshooting sections.
Security assessment
The changes rebrand the solution to specifically use Security Hub's CSPM (Cloud Security Posture Management) features but do not address any security vulnerability or weakness. The updates are terminological clarifications rather than responses to security incidents. The core security practice (identifying public S3 buckets) remains unchanged.
Diff
diff --git a/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md b/prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md index 6612d7a18..5de2d055c 100644 --- a//prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md +++ b//prescriptive-guidance/latest/patterns/identify-public-s3-buckets-in-aws-organizations-using-security-hub.md @@ -7 +7 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsTroubleshootingRelated -# Identify public Amazon S3 buckets in AWS Organizations by using Security Hub +# Identify public Amazon S3 buckets in AWS Organizations by using Security Hub CSPM @@ -13 +13 @@ SummaryPrerequisites and limitationsArchitectureToolsEpicsTroubleshootingRelated -This pattern shows you how to build a mechanism for identifying public Amazon Simple Storage Service (Amazon S3) buckets in your AWS Organizations accounts. The mechanism works by using controls from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) in AWS Security Hub to monitor Amazon S3 buckets. You can use Amazon EventBridge to process Security Hub [findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html), and then post these findings to an Amazon Simple Notification Service (Amazon SNS) topic. Stakeholders in your organization can subscribe to the topic and get immediate email notifications about the findings. +This pattern shows you how to build a mechanism for identifying public Amazon Simple Storage Service (Amazon S3) buckets in your AWS Organizations accounts. The mechanism works by using controls from the [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/fsbp-standard.html) in AWS Security Hub CSPM to monitor Amazon S3 buckets. You can use Amazon EventBridge to process Security Hub CSPM [findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings.html), and then post these findings to an Amazon Simple Notification Service (Amazon SNS) topic. Stakeholders in your organization can subscribe to the topic and get immediate email notifications about the findings. @@ -17 +17 @@ New Amazon S3 buckets and their objects don't allow public access by default. Yo -Security Hub is often deployed as a central service to consolidate all security findings, including those related to security standards and compliance requirements. There are other AWS services that you can use to detect public Amazon S3 buckets, but this pattern uses an existing Security Hub deployment with minimal configuration. +Security Hub CSPM is often deployed as a central service to consolidate all security findings, including those related to security standards and compliance requirements. There are other AWS services that you can use to detect public Amazon S3 buckets, but this pattern uses an existing Security Hub CSPM deployment with minimal configuration. @@ -23 +23 @@ Security Hub is often deployed as a central service to consolidate all security - * An AWS multi-account setup with a dedicated [Security Hub administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) + * An AWS multi-account setup with a dedicated [Security Hub CSPM administrator account](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html) @@ -25 +25 @@ Security Hub is often deployed as a central service to consolidate all security - * Security Hub and AWS Config, enabled in the AWS Region that you want to monitor + * Security Hub CSPM and AWS Config, enabled in the AWS Region that you want to monitor @@ -29 +29 @@ Security Hub is often deployed as a central service to consolidate all security -You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html) in Security Hub if you want to monitor multiple Regions from a single aggregation Region. +You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html) in Security Hub CSPM if you want to monitor multiple Regions from a single aggregation Region. @@ -31 +31 @@ You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityh - * User permissions for accessing and updating the Security Hub administrator account, read access to all the Amazon S3 buckets in the organization, and permissions for turning off public access (if required) + * User permissions for accessing and updating the Security Hub CSPM administrator account, read access to all the Amazon S3 buckets in the organization, and permissions for turning off public access (if required) @@ -38 +38 @@ You must enable [cross-Region aggregation](https://docs.aws.amazon.com/securityh -The following diagram shows an architecture for using Security Hub to identify public Amazon S3 buckets. +The following diagram shows an architecture for using Security Hub CSPM to identify public Amazon S3 buckets. @@ -44 +44 @@ The diagram show the following workflow: - 1. Security Hub monitors the configuration of Amazon S3 buckets in all AWS Organizations accounts (including the administrator account) by using the S3.2 and S3.3 controls from the FSBP security standard, and detects a finding if a bucket is configured as public. + 1. Security Hub CSPM monitors the configuration of Amazon S3 buckets in all AWS Organizations accounts (including the administrator account) by using the S3.2 and S3.3 controls from the FSBP security standard, and detects a finding if a bucket is configured as public. @@ -46 +46 @@ The diagram show the following workflow: - 2. The Security Hub administrator account accesses the findings (including those for S3.2 and S3.3) from all member accounts. + 2. The Security Hub CSPM administrator account accesses the findings (including those for S3.2 and S3.3) from all member accounts. @@ -48 +48 @@ The diagram show the following workflow: - 3. Security Hub automatically sends all new findings and all updates to existing findings to EventBridge as **Security Hub Findings - Imported** events. This includes events for findings from both the administrator and member accounts. + 3. Security Hub CSPM automatically sends all new findings and all updates to existing findings to EventBridge as **Security Hub CSPM Findings - Imported** events. This includes events for findings from both the administrator and member accounts. @@ -58 +58 @@ The diagram show the following workflow: - 8. If the bucket is approved for public access, the security analyst sets the workflow status of the corresponding finding in Security Hub to `SUPPRESSED`. Otherwise, the analyst sets the status to `NOTIFIED`. This eliminates future notifications for the Amazon S3 bucket and reduces notification noise. + 8. If the bucket is approved for public access, the security analyst sets the workflow status of the corresponding finding in Security Hub CSPM to `SUPPRESSED`. Otherwise, the analyst sets the status to `NOTIFIED`. This eliminates future notifications for the Amazon S3 bucket and reduces notification noise. @@ -67 +67 @@ The diagram show the following workflow: -The architecture diagram applies to both single Region and cross-Region aggregation deployments. In accounts A, B, and C in the diagram, Security Hub can belong to the same Region as the administrator account or belong to different Regions if cross-Region aggregation is enabled. +The architecture diagram applies to both single Region and cross-Region aggregation deployments. In accounts A, B, and C in the diagram, Security Hub CSPM can belong to the same Region as the administrator account or belong to different Regions if cross-Region aggregation is enabled. @@ -77 +77 @@ The architecture diagram applies to both single Region and cross-Region aggregat - * [AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. Security Hub also helps you check your AWS environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products, and then helps to analyze security trends and identify the highest priority security issues. + * [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS. Security Hub CSPM also helps you check your AWS environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party partner products, and then helps to analyze security trends and identify the highest priority security issues. @@ -86 +86 @@ Task| Description| Skills required -Enable Security Hub in AWS Organizations accounts.| To enable Security Hub in the organization accounts where you want to monitor Amazon S3 buckets, see the guidelines from [Designating a Security Hub administrator account (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#:~:text=AWSSecurityHubOrganizationsAccess-,Designating%20a%20Security%20Hub%20administrator%20account%20\(console\),-The%20organization%20management) and [Managing member accounts that belong to an organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html) in the Security Hub documentation.| AWS administrator +Enable Security Hub CSPM in AWS Organizations accounts.| To enable Security Hub CSPM in the organization accounts where you want to monitor Amazon S3 buckets, see the guidelines from [Designating a Security Hub CSPM administrator account (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html#:~:text=AWSSecurityHubOrganizationsAccess-,Designating%20a%20Security%20Hub%20administrator%20account%20\(console\),-The%20organization%20management) and [Managing member accounts that belong to an organization](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html) in the Security Hub CSPM documentation.| AWS administrator @@ -90,2 +90,2 @@ Enable the S3.2 and S3.3 controls for the FSBP security standard.| You must enab - 1. To enable S3.2 controls, follow the instructions from [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2) in the Security Hub documentation. - 2. To enable S3.3 controls, follow the instructions from [[3] S3 buckets should prohibit public write access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3) in the Security Hub documentation. + 1. To enable S3.2 controls, follow the instructions from [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2) in the Security Hub CSPM documentation. + 2. To enable S3.3 controls, follow the instructions from [[3] S3 buckets should prohibit public write access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3) in the Security Hub CSPM documentation. @@ -146 +146 @@ Issue| Solution -I have an Amazon S3 bucket with public access enabled, but I'm not getting email notifications for it.| This could be because the bucket was created in another Region and cross-Region aggregation is not enabled in the Security Hub administrator account. To resolve this issue, enable cross-Region aggregation or implement this pattern's solution in the Region where your Amazon S3 bucket currently resides. +I have an Amazon S3 bucket with public access enabled, but I'm not getting email notifications for it.| This could be because the bucket was created in another Region and cross-Region aggregation is not enabled in the Security Hub CSPM administrator account. To resolve this issue, enable cross-Region aggregation or implement this pattern's solution in the Region where your Amazon S3 bucket currently resides. @@ -150 +150 @@ I have an Amazon S3 bucket with public access enabled, but I'm not getting email - * [What is AWS Security Hub?](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) (Security Hub documentation) + * [What is AWS Security Hub CSPM?](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) (Security Hub CSPM documentation) @@ -152 +152 @@ I have an Amazon S3 bucket with public access enabled, but I'm not getting email - * [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) (Security Hub documentation) + * [AWS Foundational Security Best Practices (FSBP) standard](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html) (Security Hub CSPM documentation) @@ -154 +154 @@ I have an Amazon S3 bucket with public access enabled, but I'm not getting email - * [AWS Security Hub multi-account enable scripts](https://github.com/awslabs/aws-securityhub-multiaccount-scripts/tree/master/multiaccount-enable) (AWS Labs) + * [AWS Security Hub CSPM multi-account enable scripts](https://github.com/awslabs/aws-securityhub-multiaccount-scripts/tree/master/multiaccount-enable) (AWS Labs) @@ -169 +169 @@ The following workflow illustrates how you can monitor the public Amazon S3 buck - * If the bucket is approved for public access, set the workflow status of the corresponding finding to `SUPPRESSED` in the Security Hub administrator account. This prevents Security Hub from issuing further notifications for this bucket and can eliminate duplicate alerts. + * If the bucket is approved for public access, set the workflow status of the corresponding finding to `SUPPRESSED` in the Security Hub CSPM administrator account. This prevents Security Hub CSPM from issuing further notifications for this bucket and can eliminate duplicate alerts. @@ -171 +171 @@ The following workflow illustrates how you can monitor the public Amazon S3 buck - * If the bucket isn't approved for public access, set the workflow status of the corresponding finding in the Security Hub administrator account to `NOTIFIED`. This prevents Security Hub from issuing further notifications for this bucket from Security Hub and can eliminate noise. + * If the bucket isn't approved for public access, set the workflow status of the corresponding finding in the Security Hub CSPM administrator account to `NOTIFIED`. This prevents Security Hub CSPM from issuing further notifications for this bucket from Security Hub CSPM and can eliminate noise. @@ -173 +173 @@ The following workflow illustrates how you can monitor the public Amazon S3 buck - 2. If the bucket might contain sensitive data, turn off public access immediately until the review is completed. If you turn off public access, then Security Hub changes the workflow status to `RESOLVED`. Then, email notifications for the bucket stop. + 2. If the bucket might contain sensitive data, turn off public access immediately until the review is completed. If you turn off public access, then Security Hub CSPM changes the workflow status to `RESOLVED`. Then, email notifications for the bucket stop.