Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture
<p>AWS Security Hub is a cloud security posture management service that runs security best practice checks, aggregates security findings from Amazon Web Services (AWS) and third-party security services, and enables automated remediation. In contrast to checks that run on a periodic basis, most of the checks Security Hub performs on AWS resources take place as soon as there is a configuration change, giving you nearly immediate visibility of non-compliant resources in your environment. This near real-time detection and reporting of non-compliant resources helps you quickly respond to infrastructure misconfigurations and reduce risk. Security Hub provides these continuous security checks through its integration with the AWS Config configuration recorder.</p>
<p>By default, AWS Config enables recording for more than 300 resource types in your account. Today, Security Hub has controls that cover approximately 60 of those resource types. If you’re using AWS Config only for Security Hub, you can optimize the configuration of the configuration recorder to track only the resources you need, helping to reduce the costs related to monitoring those resources in AWS Config and the amount of data produced, stored, and analyzed by AWS Config. This blog post walks you through how to set up and optimize the AWS Config recorder when it is used for controls in Security Hub.</p> <h2>Using AWS Config and Security Hub for continuous security checks</h2> <p>When you enable Security Hub, you’re alerted to first enable resource recording in AWS Config, as shown in Figure 1. AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and in other cloud environments. Security Hub uses this capability to perform change-initiated security checks. Security Hub checks that use periodic rules don’t depend on the AWS Config recorder. You must enable AWS Config resource recording for all the accounts and in all AWS Regions where you plan to enable Security Hub standards and controls. AWS Config charges for the configuration items that are recorded, separately from Security Hub.</p> <div id="attachment_30203" class="wp-caption alignnone"> <img aria-describedby="caption-attachment-30203" src="https://www.infracom.com.sg/wp-content/uploads/2023/07/img1-4.png" alt="Figure 1: Security Hub alerts you to first enable resource recording in AWS Config" width="780" class="size-full wp-image-30203"> <p id="caption-attachment-30203" class="wp-caption-text">Figure 1: Security Hub alerts you to first enable resource recording in AWS Config</p> </div> <p>When you get started with AWS Config, you’re prompted to set up the configuration recorder, as shown in Figure 2. 
AWS Config uses the configuration recorder to detect changes in your resource configurations and capture these changes as configuration items. Using the AWS Config configuration recorder not only allows for continuous security checks, it also minimizes the need to query for the configurations of the individual services, saving your service API quotas for other use cases. By default, the configuration recorder records the supported resources in the Region where the recorder is running.</p> <blockquote> <p><strong>Note: </strong>While AWS Config supports the configuration recording of more than 300 resource types, some Regions support only a subset of those resource types. To learn more, see <a href="https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html" target="_blank" rel="noopener">Supported Resource Types</a> and <a href="https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html" target="_blank" rel="noopener">Resource Coverage by Region Availability</a>.</p> </blockquote> <div id="attachment_30204" class="wp-caption alignnone"> <img aria-describedby="caption-attachment-30204" src="https://www.infracom.com.sg/wp-content/uploads/2023/07/img2-5.png" alt="Figure 2: Default AWS Config settings" width="780" class="size-full wp-image-30204"> <p id="caption-attachment-30204" class="wp-caption-text">Figure 2: Default AWS Config settings</p> </div> <h2>Optimizing AWS Config for Security Hub</h2> <p>Recording global resources as well as current and future resources in AWS Config is more than what is necessary to enable Security Hub controls. 
If you’re using the configuration recorder only for Security Hub controls, and you want to cost optimize your use of AWS Config or reduce the amount of data produced, stored, and analyzed by AWS Config, you only need to record the configurations of approximately 60 resource types, as described in <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/controls-config-resources.html" target="_blank" rel="noopener">AWS Config resources required to generate control findings</a>.</p> <h2>Set up AWS Config, optimized for Security Hub</h2> <p>We’ve created an <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener">AWS CloudFormation</a> template that you can use to set up AWS Config to record only what’s needed for Security Hub. You can <a href="https://github.com/aws-samples/aws-cfn-for-optimizing-aws-config-for-aws-security-hub" target="_blank" rel="noopener">download the template from GitHub</a>.</p> <p>This template can be used in any Region that supports AWS Config (see <a href="https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/" target="_blank" rel="noopener">AWS Services by Region</a>). Although resource coverage varies by Region (<a href="https://docs.aws.amazon.com/config/latest/developerguide/what-is-resource-config-coverage.html" target="_blank" rel="noopener">Resource Coverage by Region Availability</a>), you can still use this template in every Region. If a resource type is supported by AWS Config in at least one Region, you can enable the recording of that resource type in all Regions supported by AWS Config. For the Regions that don’t support the specified resource type, the recorder will be enabled but will not record any configuration items until AWS Config supports the resource type in the Region.</p> <p>Security Hub regularly releases new controls that might rely on recording additional resource types in AWS Config. 
When you use this template, you can subscribe to <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-announcements.html" target="_blank" rel="noopener">Security Hub announcements with Amazon Simple Notification Service (SNS)</a> to get information about newly released controls that might require you to update the resource types recorded by AWS Config (and listed in the CloudFormation template). The CloudFormation template receives periodic updates in GitHub, but you should validate that it’s up to date before using it. You can also use AWS CloudFormation StackSets to deploy, update, or delete the template across multiple accounts and Regions with a single operation. If you don’t enable the recording of all resources in AWS Config, the Security Hub control, <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/config-controls.html#config-1" target="_blank" rel="noopener">Config.1 AWS Config should be enabled</a>, will fail. If you take this approach, you have the option to disable the Config.1 Security Hub control or suppress its findings using the automation rules feature in Security Hub.</p> <h2>Customizing for your use cases</h2> <p>You can modify the CloudFormation template depending on your use cases for AWS Config and Security Hub. If your use case for AWS Config extends beyond your use of Security Hub controls, consider what additional resource types you will need to record the configurations of for your use case. 
For example, <a href="https://aws.amazon.com/firewall-manager" target="_blank" rel="noopener">AWS Firewall Manager</a>, <a href="https://aws.amazon.com/backup/" target="_blank" rel="noopener">AWS Backup</a>, <a href="https://aws.amazon.com/controltower/" target="_blank" rel="noopener">AWS Control Tower</a>, <a href="https://aws.amazon.com/marketplace/" target="_blank" rel="noopener">AWS Marketplace</a>, and <a href="https://aws.amazon.com/premiumsupport/technology/trusted-advisor/" target="_blank" rel="noopener">AWS Trusted Advisor</a> require AWS Config recording. Additionally, if you use other features of AWS Config, such as custom rules that depend on recording specific resource types, you can add these resource types in the CloudFormation script. You can see the results of AWS Config rule evaluations as findings in Security Hub.</p> <p>Another customization example is related to the AWS Config configuration timeline. By default, resources evaluated by Security Hub controls include links to the associated AWS Config rule and configuration timeline in AWS Config for that resource, as shown in Figure 3.</p> <div id="attachment_30205" class="wp-caption alignnone"> <img aria-describedby="caption-attachment-30205" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/07/img3-2.png" alt="Figure 3: Link from Security Hub control to the configuration timeline for the resource in AWS Config" width="641" height="191" class="size-full wp-image-30205"> <p id="caption-attachment-30205" class="wp-caption-text">Figure 3: Link from Security Hub control to the configuration timeline for the resource in AWS Config</p> </div> <p>The AWS Config configuration timeline, as illustrated in Figure 4, shows you the history of compliance changes for the resource, but it requires the <span>AWS::Config::ResourceCompliance</span> resource type to be recorded. 
If you need to track changes in compliance for resources and use the configuration timeline in AWS Config, you must add the <span>AWS::Config::ResourceCompliance</span> resource type to the CloudFormation template provided in the preceding section. In this case, Security Hub may change the compliance of the Security Hub managed AWS Config rules, which are recorded as configuration items for the <span>AWS::Config::ResourceCompliance</span> resource type, incurring additional AWS Config recorder charges.</p> <div id="attachment_30206" class="wp-caption alignnone"> <img aria-describedby="caption-attachment-30206" src="https://www.infracom.com.sg/wp-content/uploads/2023/07/img4-2.png" alt="Figure 4: Config resource timeline" width="780" class="size-full wp-image-30206"> <p id="caption-attachment-30206" class="wp-caption-text">Figure 4: Config resource timeline</p> </div> <h2>Summary</h2> <p>You can use the <a href="https://github.com/aws-samples/aws-cfn-for-optimizing-aws-config-for-aws-security-hub" target="_blank" rel="noopener">CloudFormation template</a> provided in this post to optimize the AWS Config configuration recorder for Security Hub to reduce your AWS Config costs and to reduce the amount of data produced, stored, and analyzed by AWS Config. Alternatively, you can run AWS Config with the default settings or use the AWS Config console or scripts to further customize your configuration to fit your use case. Visit <a href="https://aws.amazon.com/security-hub/getting-started/" target="_blank" rel="noopener">Getting started with AWS Security Hub</a> to learn more about managing your security alerts.</p> <p> <br>If you have feedback about this post, submit comments in the<strong> Comments</strong> section below. If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p><strong>Want more AWS Security news? 
Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>
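<p>The recorder scoping described in this post (an explicit resource-type allow-list instead of "all current and future resources"), together with the <span>AWS::Config::ResourceCompliance</span> caveat, can be expressed and checked in code. The following Python is an added example, not the post's CloudFormation template and not AWS code. It assumes boto3 only for the one function that talks to a live account; the other functions are pure and run offline. The resource-type list is an illustrative subset (an assumption); the authoritative list is the AWS documentation page linked above. Function names are hypothetical.</p>

```python
"""Build and check an AWS Config recording group scoped to Security Hub's needs.

Added example, not the post's CloudFormation template. SECURITY_HUB_RESOURCE_TYPES
is an illustrative subset (assumption) of the ~60 types Security Hub controls
require; take the full list from the AWS documentation linked in the post.
"""
from __future__ import annotations

# Illustrative subset (assumption): consult the linked AWS docs for the full list.
SECURITY_HUB_RESOURCE_TYPES = [
    "AWS::CloudTrail::Trail",
    "AWS::EC2::Instance",
    "AWS::EC2::SecurityGroup",
    "AWS::EC2::Volume",
    "AWS::IAM::Policy",
    "AWS::IAM::Role",
    "AWS::IAM::User",
    "AWS::KMS::Key",
    "AWS::Lambda::Function",
    "AWS::RDS::DBInstance",
    "AWS::S3::Bucket",
]

# Only needed if you want the AWS Config configuration timeline for compliance
# history; recording it adds configuration items (and cost) as rules change state.
COMPLIANCE_TIMELINE_TYPE = "AWS::Config::ResourceCompliance"


def build_recording_group(resource_types, include_compliance_timeline=False):
    """Return a recordingGroup dict for put_configuration_recorder.

    allSupported=False switches the recorder from "all current and future
    resource types" to an explicit allow-list, which is what reduces the
    number of configuration items AWS Config records and bills for.
    """
    types = set(resource_types)
    if include_compliance_timeline:
        types.add(COMPLIANCE_TIMELINE_TYPE)
    return {
        "allSupported": False,
        "includeGlobalResourceTypes": False,
        "resourceTypes": sorted(types),
    }


def missing_resource_types(recorder, required):
    """Given one recorder dict in the shape returned by
    describe_configuration_recorders, return the required types it does not
    record (an empty list means Security Hub's needs are fully covered)."""
    group = recorder.get("recordingGroup", {})
    if group.get("allSupported"):
        return []  # default recorder: every supported type is recorded
    recorded = set(group.get("resourceTypes", []))
    return sorted(set(required) - recorded)


def apply_recording_group(recorder_name, role_arn, recording_group, region_name):
    """Write the recording group to a live account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above run offline

    client = boto3.client("config", region_name=region_name)
    client.put_configuration_recorder(
        ConfigurationRecorder={
            "name": recorder_name,
            "roleARN": role_arn,
            "recordingGroup": recording_group,
        }
    )
    return client.describe_configuration_recorders()["ConfigurationRecorders"]


if __name__ == "__main__":
    # Constructed sample: a recorder that was scoped down too far.
    sample_recorder = {
        "name": "default",
        "recordingGroup": {
            "allSupported": False,
            "includeGlobalResourceTypes": False,
            "resourceTypes": ["AWS::S3::Bucket", "AWS::IAM::User"],
        },
    }
    print("missing:", missing_resource_types(sample_recorder, SECURITY_HUB_RESOURCE_TYPES))
    print("proposed:", build_recording_group(SECURITY_HUB_RESOURCE_TYPES))
```

<p>Run <code>missing_resource_types</code> against each Region's recorder before and after deploying the template: a non-empty result means a Security Hub control in that Region will silently lack data. Opt into <code>include_compliance_timeline=True</code> only where the configuration timeline in Figure 4 is actually used, since the post notes it incurs extra recorder charges.</p>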