
AWS Security Hub offers a centralized place to aggregate and analyze security findings from multiple sources, including AWS Config. Security Hub does not evaluate compliance rules itself; it relies on AWS Config, which reports failed compliance rules to it every 12 hours. In this blog post, we explore two ways to re-trigger Config rules, along with best practices for managing findings in AWS Security Hub.
Re-Triggering AWS Config Rules: To re-evaluate AWS Config rules, you can use either of the following approaches:
- Disable/Enable the CIS Standard (Not Recommended): One approach is to disable and then re-enable the CIS standard within AWS Security Hub. This method is not suitable for routine use and should be applied with caution; it is primarily intended for testing automated remediations.
- Identifying and Re-Evaluating the Rule: The other method is to identify the AWS Config rule associated with a finding. In the finding JSON, look for the “RelatedAWSResources:0/name” and “RelatedAWSResources:0/type” fields. Once you have the rule name, such as “securityhub-restricted-ssh,” open the AWS Config console and search for the rule. Open the rule, click “Actions,” and select “Re-evaluate” to start a manual re-evaluation of that rule.
Efficient Management of Findings: To streamline the management of findings in AWS Security Hub, consider the following practices:
- Workflow Status: Use the Workflow Status field to track findings that have been remediated. Set the Workflow Status to “Resolved” for findings that have been addressed, indicating that the necessary remediation steps have been taken.
- Notes and Documentation: Use the Notes field to record the steps taken during remediation. Documenting the actions performed gives a reference for future analysis and makes collaboration among team members easier.
- Reduced Re-evaluation: By setting the Workflow Status correctly and adding thorough notes, you can minimize the need to re-evaluate the same findings repeatedly. The compliance status may still show “FAILED” until the next Config rule evaluation, but the documented notes serve as evidence of the remediation work.
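The two procedures above (locating the Config rule behind a finding and re-evaluating it, then recording the remediation on the finding itself) are usually scripted rather than clicked through once there are more than a handful of findings. The following is an added example, not code from the original post: it reads the “RelatedAWSResources:0/name” and “RelatedAWSResources:0/type” fields from ASFF-style findings, builds the StartConfigRulesEvaluation request that re-runs the rules, and builds the BatchUpdateFindings request that sets the Workflow Status to RESOLVED with a Note. The sample findings, account id, region and rule-name suffix are constructed placeholders; the batch sizes (25 rules per Config evaluation call, 100 findings per Security Hub update call) are the documented API limits; the boto3 clients are passed into run() so the request-building logic can be exercised offline.

```python
"""Added example (not from the original post): re-evaluate the AWS Config rule
behind Security Hub findings, then mark those findings RESOLVED with a note."""
import json
from typing import Any, Dict, Iterator, List, Optional

CONFIG_RULE_TYPE = "AWS::Config::ConfigRule"
MAX_RULES_PER_EVALUATION = 25   # StartConfigRulesEvaluation accepts up to 25 rule names
MAX_FINDINGS_PER_UPDATE = 100   # BatchUpdateFindings accepts up to 100 finding identifiers


def sample_finding(finding_index: int, rule_index: int) -> Dict[str, Any]:
    """Constructed ASFF-style finding for offline use. Account id, region and the
    rule-name suffix are placeholders, not values from a real account. Several
    findings typically share one rule (one finding per non-compliant resource)."""
    return {
        "Id": ("arn:aws:securityhub:us-east-1:111122223333:subscription/"
               f"cis-aws-foundations-benchmark/v/1.2.0/4.1/finding/EXAMPLE-{finding_index:04d}"),
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
        "Compliance": {"Status": "FAILED"},
        "Workflow": {"Status": "NEW"},
        "ProductFields": {
            "RelatedAWSResources:0/name": f"securityhub-restricted-ssh-EXAMPLE{rule_index}",
            "RelatedAWSResources:0/type": CONFIG_RULE_TYPE,
        },
    }


def related_config_rule(finding: Dict[str, Any]) -> Optional[str]:
    """Return the Config rule name behind a finding, or None when the finding is
    not backed by a Config rule (e.g. it came from a different integration)."""
    fields = finding.get("ProductFields", {})
    if fields.get("RelatedAWSResources:0/type") != CONFIG_RULE_TYPE:
        return None
    return fields.get("RelatedAWSResources:0/name")


def _chunks(items: List[Any], size: int) -> Iterator[List[Any]]:
    for start in range(0, len(items), size):
        yield items[start:start + size]


def reevaluation_requests(findings: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """One parameter dict per StartConfigRulesEvaluation call. Rule names are
    de-duplicated (order preserved) because many findings share a rule."""
    names = list(dict.fromkeys(n for n in map(related_config_rule, findings) if n))
    return [{"ConfigRuleNames": batch} for batch in _chunks(names, MAX_RULES_PER_EVALUATION)]


def resolve_requests(findings: List[Dict[str, Any]], note: str, updated_by: str) -> List[Dict[str, Any]]:
    """One parameter dict per BatchUpdateFindings call: set Workflow RESOLVED and
    attach the remediation note to every finding in the batch."""
    identifiers = [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings]
    return [
        {
            "FindingIdentifiers": batch,
            "Workflow": {"Status": "RESOLVED"},
            "Note": {"Text": note, "UpdatedBy": updated_by},
        }
        for batch in _chunks(identifiers, MAX_FINDINGS_PER_UPDATE)
    ]


def run(findings: List[Dict[str, Any]], note: str, updated_by: str,
        config_client: Any, securityhub_client: Any) -> None:
    """Send the requests. Pass boto3.client('config') and boto3.client('securityhub');
    the caller needs config:StartConfigRulesEvaluation and securityhub:BatchUpdateFindings."""
    for request in reevaluation_requests(findings):
        config_client.start_config_rules_evaluation(**request)
    for request in resolve_requests(findings, note, updated_by):
        securityhub_client.batch_update_findings(**request)


if __name__ == "__main__":
    # Offline demonstration: show the requests that would be sent for five
    # constructed findings spread over three Config rules.
    demo = [sample_finding(i, i % 3) for i in range(5)]
    print(json.dumps(reevaluation_requests(demo), indent=2))
    print(json.dumps(resolve_requests(demo, "Removed 0.0.0.0/0 ingress on port 22 (ticket EXAMPLE-123)",
                                      "security-team"), indent=2))
```

Running the module prints the request bodies without touching AWS; to apply them, call run() with real boto3 clients. Re-evaluating the rule and resolving the finding are deliberately separate requests: the Config evaluation runs asynchronously, so the finding's compliance status will still read FAILED until that evaluation completes, while the Workflow Status and Note you set are visible immediately and record what was done.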

Effectively managing AWS Config rules and findings is essential for maintaining a secure and compliant AWS environment. AWS Security Hub acts as the central point for consolidating findings, and AWS Config supplies the failed compliance rules behind them. By knowing how to re-trigger Config rules and by managing findings efficiently in AWS Security Hub, organizations can improve their security posture and keep up with their compliance standards.