AWS Cloud Operations Blog

Diagnose and remediate AWS Security Hub findings with AWS Systems Manager OpsCenter and Explorer

In this post, we will show you how to configure AWS Systems Manager OpsCenter to aggregate security findings from AWS Security Hub into OpsCenter as operational issues. OpsCenter helps operations engineers and IT professionals reduce issue resolution time by providing a central place to view, investigate, and resolve security issues.  AWS Systems Manager Explorer provides an aggregated summary of Security Hub operational issues across multiple accounts and Regions.

Security Hub is used by security and compliance professionals and by DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. For more information about Security Hub features, see the AWS Security Hub is now generally available blog post.

Most customers segregate their security issues (for example, publicly accessible Amazon Simple Storage Service (Amazon S3) buckets or Amazon Elastic Compute Cloud (Amazon EC2) instances) from their operational issues (for example, underutilized Amazon Redshift instances or overutilized EC2 instances). They use Security Hub to understand, manage, and remediate their security issues, and they use Systems Manager to understand, manage, and remediate their operational issues. But because security and operational issues can overlap, you might prefer to consolidate them in a single location.

If this is your preference, you can use the integration between Systems Manager and Security Hub to receive Security Hub findings and have them ingested into Systems Manager OpsCenter and Explorer. OpsItems are created for all critical and high-severity Security Hub findings. They are optionally created for medium and low-severity findings. An Explorer widget provides a summary of all Security Hub findings based on severity. OpsCenter also provides bidirectional integration with Security Hub. When you make updates to the status and severity fields in an OpsItem, those changes are sent to Security Hub to help you see the latest information.

If you enable this feature to view security findings alongside other performance and operational issues, we recommend that you continue to use Security Hub for more specialized views into your security posture.

Prerequisites

To get started, confirm that Security Hub and Systems Manager are enabled in your account.

To enable Security Hub in your account, follow the steps in Setting up AWS Security Hub in the AWS Security Hub User Guide.

To enable Systems Manager, follow the steps in the Manage instances using AWS Systems Manager Quick Setup blog post. If you want to customize Systems Manager beyond the quick setup, see Setting up AWS Systems Manager in the AWS Systems Manager User Guide.

Enable security findings in Security Hub

The AWS Foundational Security Best Practices standard is a set of controls that detect when your AWS accounts and resources deviate from security best practices. In this post, we focus on the S3.2 control, which checks whether your S3 buckets allow public read access, but you can use this approach for nearly all Security Hub findings.

Figure 1 shows that an S3 bucket named ****-cloudfront has failed a check (it allows public read access).

The S3.2 control page displays a status of Failed and a severity of Critical. It shows that 1 check was performed, with 1 failed and 0 passed. The publicly readable bucket and account are displayed.

Figure 1: Security Hub finding for public S3 bucket

To investigate these failed checks, enable integration between Security Hub and Systems Manager, view findings with Explorer, and then investigate a finding through the automatically created OpsItem. Lastly, remediate the issue in OpsCenter and see how the finding is updated through the bidirectional integration.

Enable integration through Systems Manager Explorer

You can configure the integration between Security Hub and Systems Manager from either Systems Manager Explorer or Systems Manager OpsCenter. When you edit the configuration on one console page, you immediately see the change on the other page.

To enable the integration through Systems Manager Explorer, from the left navigation pane of the Systems Manager console, choose Explorer and then choose Settings. Choose Dashboard actions or Configure dashboard. On Configure OpsData sources and widgets, under OpsData sources, choose Security Hub.  For more information about the Explorer dashboard and how to resize, filter, and move widgets, see Customizing the display and using filters in the AWS Systems Manager User Guide.

Security Hub is one of ten OpsData sources. You can filter OpsData sources by category and status. The widget for the Security Hub findings summary has been added.

Figure 2: Enable Security Hub widget

When you enable the Security Hub source, two additional areas are displayed on the console page, as shown in Figure 2.  These areas allow you to enable the widget and specify when OpsItems are created. All critical and high-severity findings create OpsItems, but you must enable the creation of OpsItems for medium and low-severity findings.

Systems Manager managed rule

When you enable the data source, Systems Manager creates an Amazon EventBridge rule that creates OpsItems. This managed rule maps the Security Hub finding to an OpsItem and enables the bidirectional synchronization of status and severity fields.  Unlike EventBridge rules that you create, this rule is read-only and managed by AWS.
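To make the managed rule's behaviour concrete, the following added example (not the AWS-managed rule's own code) takes a Security Hub "Findings - Imported" EventBridge event and produces CreateOpsItem requests, honouring the same severity setting the console exposes. The severity mapping (CRITICAL to "1" through LOW to "4") and the sample event are assumptions; the `/aws/resources` and `/aws/dedup` OperationalData keys are the standard OpsCenter keys for related resources and de-duplication.

```python
"""Map a 'Security Hub Findings - Imported' EventBridge event to CreateOpsItem
requests. Added example of what the managed rule does; not the rule's code."""
import json
SEVERITY_MAP = {"CRITICAL": "1", "HIGH": "2", "MEDIUM": "3", "LOW": "4"}  # assumed
DEFAULT_ENABLED = frozenset({"CRITICAL", "HIGH"})  # console default from the post
# Constructed sample: one failed critical S3.2 finding and one failed medium one.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
    {"Id": "finding-0001", "Title": "S3.2 S3 buckets should prohibit public read access",
     "Severity": {"Label": "CRITICAL"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-cloudfront"}]},
    {"Id": "finding-0002", "Title": "EXAMPLE.1 constructed medium-severity control",
     "Severity": {"Label": "MEDIUM"}, "Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
]}}

def finding_to_opsitem(finding, enabled=DEFAULT_ENABLED):
    """Return create_ops_item kwargs, or None when no OpsItem should be created."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if label not in SEVERITY_MAP or label not in enabled:
        return None  # informational, or a severity not enabled in the settings
    if finding.get("Compliance", {}).get("Status") == "PASSED":
        return None  # nothing to remediate
    arns = [{"arn": r["Id"]} for r in finding.get("Resources", [])
            if r.get("Id", "").startswith("arn:")]
    return {
        "Title": finding["Title"],
        "Description": finding.get("Description", finding["Title"]),
        "Source": "Security Hub",
        "Severity": SEVERITY_MAP[label],
        "Category": "Security",
        "OperationalData": {
            # /aws/resources fills the Related resources tab; /aws/dedup stops duplicates
            "/aws/resources": {"Value": json.dumps(arns), "Type": "SearchableString"},
            "/aws/dedup": {"Value": json.dumps({"dedupString": finding["Id"]}),
                           "Type": "SearchableString"},
        },
    }

def opsitems_for_event(event, enabled=DEFAULT_ENABLED):
    """All OpsItem requests warranted by one EventBridge event."""
    if event.get("detail-type") != "Security Hub Findings - Imported":
        return []
    made = (finding_to_opsitem(f, enabled) for f in event["detail"]["findings"])
    return [m for m in made if m]

if __name__ == "__main__":
    import boto3  # only needed when actually creating OpsItems
    ssm = boto3.client("ssm")
    for params in opsitems_for_event(SAMPLE_EVENT):
        print(ssm.create_ops_item(**params)["OpsItemId"])
```

Pass `enabled={"CRITICAL", "HIGH", "MEDIUM", "LOW"}` to mirror turning on the medium and low options in the console.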

Integration between OpsCenter and Security Hub

To view the OpsCenter configuration, from the left navigation pane of the Systems Manager console, choose OpsCenter and then choose OpsItems.

Choose Configure sources and scroll down to Security Hub findings. You’ll see in Figure 3 that although the presentation is different, it includes the same information. Choose Edit to make changes.

Under Security Hub findings, the integration is enabled. Under OpsItems created by severity of Security Hub findings, critical and high findings are enabled but medium and low are disabled.

Figure 3: Viewing configuration for Security Hub findings

Because you have now successfully integrated Security Hub with Systems Manager, OpsItems will be created from the findings. It might take several hours for those findings to be synchronized.

View the Security Hub findings widget

Figure 4 shows how the new widget is displayed in Explorer. There is a graphical representation of the number of findings and a numerical count for each severity level. Findings of all severity levels, including informational, are displayed on this widget, but OpsItems are created only for the high and critical levels and optionally for medium and low.

In Security Hub findings summary, there are 0 critical, 1 high, 29 medium, 4 low, and 1243 informational Security Hub findings.

Figure 4: Security Hub Explorer widget

To go to a list of the findings, click the finding with a critical severity. You can change the filtering to include other severities. For each finding, you can view title, severity, source, and category. If an OpsItem has been created, you can click a link to view details in OpsCenter.

In OpsData Filter, there is a critical severity finding. Its title, EC2.9 EC2 instances should not have a public IPv4 address, is displayed along with the OpsItem ID, severity (high), source (Security Hub), category (Security), and created and updated times.

Figure 5: Summary list of Security Hub findings filtered by severity

View OpsItems in OpsCenter

The summary table doesn’t provide many finding details, but you can click the OpsItem link for more information.

Figure 6 shows the OpsItem details, including title, description, status, and severity.

The title of the OpsItem is S3 Bucket is publicly available. Under Description, "An AWS Config rule detected that an S3 bucket is publicly available" is displayed. The status is Open. The severity is High.

Figure 6: OpsItem for public S3 bucket

Figure 7 shows that the OpsItem details include a list of related resources. These are taken directly from the finding. You can view the resources displayed here to get a better understanding of the operational environment. Click the links to see details like Amazon CloudWatch metrics or to open the console associated with the resource.

Under Related resources, the ARN for the ****-cloudfront bucket is displayed. Its type is AWS::S3::Bucket.

Figure 7: Security Hub Explorer widget


Remediate a Security Hub finding

To remediate this issue, you could manually update the bucket to remove public access, but this approach isn’t scalable or easy to track. It’s better to trigger a runbook from the OpsItem so you have a record (who, when, and what) of the remediation effort.

To run an automation runbook against the S3 bucket, select the Related resource details tab and then the associated S3 bucket. As shown in Figure 8, from the Run automation dropdown, select the automation called AWS-DisableS3BucketPublicReadWrite.

The list of automations, including AWS-DisableS3BucketPublicReadWrite, that are available to be run against the related resource.

Figure 8: Selecting automation document for the related resource test bucket

Confirm the S3BucketName and choose Execute. The runbook will remove the unrestricted access. As Figure 9 shows, the runbook history has been updated. This audit history is helpful for understanding the actions that have been taken for this OpsItem.

Under Automation executions in the last 30 days, the document named AWS-DisableS3BucketPublicReadWrite was run successfully.

Figure 9: OpsItem detail showing runbook history
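The same remediation can be driven from code when you have many OpsItems to work through. The following added example (not the post's or AWS's code) reads the bucket ARN from an OpsItem's related resources, builds the start_automation_execution call for the runbook and S3BucketName parameter named above, and then checks the bucket's Public Access Block as a programmatic confirmation; the Public Access Block check is my choice of verification, not what the post uses, and the sample OpsItem is constructed.

```python
"""Run the AWS-DisableS3BucketPublicReadWrite runbook against the bucket an
OpsItem references, then check the bucket's Public Access Block. Added example,
not the post's or AWS's code; the sample OpsItem below is constructed."""
import json

RUNBOOK = "AWS-DisableS3BucketPublicReadWrite"  # runbook and parameter named in the post
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed OpsItem in the shape describe_ops_item returns (fields trimmed).
SAMPLE_OPSITEM = {
    "OpsItemId": "oi-PLACEHOLDER",
    "Title": "S3 Bucket is publicly available",
    "OperationalData": {"/aws/resources": {
        "Value": json.dumps([{"arn": "arn:aws:s3:::example-cloudfront"}]),
        "Type": "SearchableString"}},
}

def bucket_from_arn(arn):
    """'arn:aws:s3:::name' -> 'name'; object ARNs and non-S3 ARNs are rejected."""
    prefix = "arn:aws:s3:::"
    name = arn[len(prefix):] if arn.startswith(prefix) else ""
    if not name or "/" in name:
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return name

def remediation_request(opsitem):
    """Build start_automation_execution kwargs from the OpsItem's related resources.
    Refuses to guess when the OpsItem does not point at exactly one bucket."""
    raw = opsitem["OperationalData"]["/aws/resources"]["Value"]
    buckets = [bucket_from_arn(r["arn"]) for r in json.loads(raw)]
    if len(buckets) != 1:
        raise ValueError(f"expected exactly one bucket, got {buckets}")
    return {"DocumentName": RUNBOOK, "Parameters": {"S3BucketName": buckets}}

def public_access_blocked(config):
    """True only when all four Public Access Block settings are on, which rules
    out public read regardless of ACLs or bucket policy."""
    return all(config.get(k) is True for k in BLOCK_KEYS)

if __name__ == "__main__":
    import boto3
    ssm, s3 = boto3.client("ssm"), boto3.client("s3")
    req = remediation_request(SAMPLE_OPSITEM)
    print("started", ssm.start_automation_execution(**req)["AutomationExecutionId"])
    cfg = s3.get_public_access_block(Bucket=req["Parameters"]["S3BucketName"][0])
    print("public access blocked:", public_access_blocked(cfg["PublicAccessBlockConfiguration"]))
```

In practice, poll get_automation_execution until the status is Success before running the check, and treat a NoSuchPublicAccessBlockConfiguration error from get_public_access_block as "nothing blocked".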

Confirm the remediation

To confirm that the public access has been removed, view the bucket in the Amazon S3 console.

The S3 bucket named ****-cloudfront located in us-west is not public.

Figure 10: S3 bucket is not public

Confirm the finding is resolved

When you open the Security Hub console, you should see that the bucket is no longer public and the finding has been resolved.

Under All enabled, the S3.2 finding has a status of Passed. 1 check has passed.

Figure 11: Security Hub found no public S3 buckets

Confirm the OpsItem is resolved

Finally, when you return to the OpsItem, you should see that the status has been updated to Resolved.

The OpsItem related to public S3 buckets is resolved.

Figure 12: OpsItem detail showing status of resolved

Conclusion

In this post, we showed you the new bidirectional integration between Security Hub and Systems Manager OpsCenter, a feature that enables the automatic creation of OpsItems for Security Hub findings. When you use this feature, you bring issues into a single location to better understand the state of your environment.

Using the example of a publicly accessible S3 bucket, we showed you how to view the details for a Security Hub finding in OpsCenter and how to resolve the issue using a runbook. By using Automation runbooks for remediation, you have a consistent and reproducible mechanism for resolving operational issues. For more information about this feature, see the What’s New post, the AWS Systems Manager User Guide and the AWS Security Hub User Guide.


About the authors

Michael Heyd

Michael Heyd is a Solutions Architect with Amazon Web Services and is based in Vancouver, Canada. Michael works with enterprise AWS customers to transform their business through innovative use of cloud technologies. Outside work he enjoys board games and biking.

Helen Ashton

Helen Ashton is a Solutions Architect at AWS, based in Calgary, Canada. Helen is passionate about helping customers solve their business problems, and progress through their cloud journey. Outside work she enjoys music, biking and gardening.