aws-samples / aws-security-hub-workshop

A Workshop for AWS Security Hub Integration, Prioritization, and Response

License: MIT No Attribution

aws-security-hub-workshop's Introduction

AWS Security Hub Workshop

The Security Hub Workshop has moved! Visit the Security Hub Workshop on Workshop Studio.

aws-security-hub-workshop's People

Contributors

amazon-auto, bluphy, craigbruce, jaegernh, jcriswell, jmfuchs, scottbward, sgulbetekin


aws-security-hub-workshop's Issues

[Enhancement] Module 0: Move setup files into a public bucket to eliminate bucket creation step

For a simpler participant experience, it would be great if AWS published the deployment files to a public S3 bucket that could be used to deploy the CloudFormation stacks. Many other workshops and AWS solutions take this approach, and it saves setup time and eliminates potential issues during deployment (i.e. accidentally copying the files into a /deploy prefix in the bucket, which then causes an Access Denied error when attempting to launch with the URL supplied in the instructions).

Module 0 environment build -- auto enable services

I have tested building this stack from a new account with auto-enabling of services.
GuardDuty fails on Auto Enable even with new accounts that have never been accessed.
SH and Config also fail in the same process.

I found that going to SH on a fresh new account still shows it as enabled by default.
Config and GuardDuty do not; however, the CFT enable feature generates an error, so I still created the Config rules manually and set Config auto-enable to No in order to build this stack successfully.

Multi Account Hierarchy - Invite - Email required

Module 1: Security Hub Walkthrough -> Multi Account Hierarchy

It appears that the Email address field is now a required field before one can add an account (even when pressing as suggested).

[Screenshot attached: Screen Shot 2020-10-23 at 3.36.13 PM]

The steps/guidance require an update to align.

Module 1: Security Hub Walkthrough - Update to new UI

Module 1: Security Hub Walkthrough

Click View Results for CIS AWS Foundations Benchmark v1.2.0.

Screenshots and steps need to be adjusted to reflect the updated Security Hub standards UI for Security Standards.

The updated UI is as follows:
[Screenshot attached: Screen Shot 2020-10-23 at 3.43.43 PM]

CloudFormation template - Open in New Tab

Module 3: Remediation and Response CIS Benchmark and Custom Action

Deploy remediation playbooks for CIS Benchmarks
Deploy remediation playbooks via CloudFormation
Download CloudFormation template from GitHub.

Suggest that the CloudFormation template hyperlink be updated to open in a new tab/window.

Module 3 - Security Group - UI location

Module 3: Remediation and Response CIS Benchmark and Custom Action

Isolate the security group on an EC2 Instance

  1. In the Description tab for the instance record the name of the current security group.

The EC2 UI has been updated, and the Security Group is no longer shown at this location. The user would need to click the 'Security' tab, then take note of the Security Group name.

[Screenshot attached: Screen Shot 2020-10-23 at 4.08.04 PM]

Module 3 - Event Pattern - Suggested clarification

Module 3: Remediation and Response CIS Benchmark and Custom Action

Copy and paste in the custom event pattern below. Use the ARN you recorded for your Security Hub Custom Action

{
  "source": [
    "aws.securityhub"
  ],
  "detail-type": [
    "Security Hub Findings - Custom Action"
  ],
  "resources": [
    "arn:aws:securityhub:us-east-1:[YOUR-ACCOUNT-ID]:action/custom/IsolateInstance"
  ]
}

In the above sample a user may potentially substitute only their AWS account ID (rather than replacing the full ARN), which would result in a failure if they were not doing the lab in us-east-1.

There is something similar in Module 4.
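To make the failure mode in this issue concrete, the following is an added example (not code from the workshop): a minimal EventBridge pattern matcher applied to a constructed "Security Hub Findings - Custom Action" event from us-west-2, plus a check that the ARN pasted into the rule actually belongs to the region and account the rule is deployed in. The event contents, the account ID and the custom action name are assumptions; the matcher implements only the exact-match subset of EventBridge semantics that this pattern needs.

```python
"""Minimal EventBridge pattern matcher plus an ARN sanity check for the
Security Hub custom-action rule in Module 3. Added example, not workshop
code; the event below is constructed and the account ID is a placeholder."""
import re

# Constructed sample: what EventBridge delivers when a user selects findings
# and runs the custom action in us-west-2 (shape follows the documented
# "Security Hub Findings - Custom Action" event; the values are made up).
SAMPLE_EVENT = {
    "version": "0",
    "id": "5c8b5a62-0000-0000-0000-000000000000",
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "account": "111122223333",
    "time": "2020-10-23T20:39:53Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:securityhub:us-west-2:111122223333:action/custom/IsolateInstance"
    ],
    "detail": {
        "actionName": "Isolate Instance",
        "actionDescription": "Move the instance into a quarantine security group",
        "findings": [{"Id": "example-finding-1", "Title": "Unrestricted SSH"}],
    },
}

# Custom action IDs are alphanumeric, up to 20 characters.
ACTION_ARN_RE = re.compile(
    r"^arn:aws:securityhub:([a-z0-9-]+):(\d{12}):action/custom/([A-Za-z0-9]{1,20})$"
)


def custom_action_pattern(action_arn):
    """The rule pattern from the lab, with the ARN filled in."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        "resources": [action_arn],
    }


def matches(pattern, event):
    """Subset of EventBridge matching sufficient for this pattern: every key in
    the pattern must exist in the event; a list of strings in the pattern means
    "the event value (or any element, if the event value is itself a list) must
    equal one of these"; nested objects recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
            continue
        values = actual if isinstance(actual, list) else [actual]
        if not any(v in expected for v in values):
            return False
    return True


def check_action_arn(action_arn, rule_region, account_id):
    """Return the reasons the ARN can never match in this region/account
    (an empty list means it is consistent). This catches the mistake from
    the issue: pasting the sample ARN and only swapping in the account ID."""
    m = ACTION_ARN_RE.match(action_arn)
    if not m:
        return [f"not a Security Hub custom action ARN: {action_arn!r}"]
    arn_region, arn_account, _action_id = m.groups()
    problems = []
    if arn_region != rule_region:
        problems.append(f"ARN region {arn_region} differs from rule region {rule_region}")
    if arn_account != account_id:
        problems.append(f"ARN account {arn_account} differs from this account {account_id}")
    return problems


if __name__ == "__main__":
    wrong = "arn:aws:securityhub:us-east-1:111122223333:action/custom/IsolateInstance"
    right = SAMPLE_EVENT["resources"][0]
    print("us-east-1 ARN matches us-west-2 event:", matches(custom_action_pattern(wrong), SAMPLE_EVENT))
    print("problems:", check_action_arn(wrong, SAMPLE_EVENT["region"], SAMPLE_EVENT["account"]))
    print("correct ARN matches:", matches(custom_action_pattern(right), SAMPLE_EVENT))
```

Running `check_action_arn` against the region the rule is being created in (for example from `boto3.session.Session().region_name` and the account from STS `GetCallerIdentity`) before saving the rule turns a silent "nothing happens when I run the action" into an immediate error.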

Module 0: Environment Build: Confusion over enabling security services

When colleagues and I ran the workshop with ~20 people in the past several weeks, ~5 of the participants inadvertently manually enabled some of the security services when checking the status of the services. When they attempted to create the CloudFormation stack with the parameters set to "Y" to enable the services, they encountered stack creation failures.

Suggested fix

Clarify that when using a new AWS account, you do not need to check the current status of the security services. Instead, you can proceed directly to the CloudFormation stack creation section.

Additionally, emphasize that the user should specify "Yes-..." for the security service parameters in the stack when they're using a new account.
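Both Module 0 issues above (the auto-enable failures and the participants who had already enabled services by hand) come down to the same thing: the stack must not try to enable a service that is already on in the region. The following is an added example, not workshop code, of a pre-flight check that queries GuardDuty, Security Hub and AWS Config and recommends a value per "enable" parameter. The parameter names and the Y/N values are placeholders for whatever the workshop template actually expects; the clients are injected so the logic runs offline against the constructed fakes, and `real_clients()` builds boto3 clients for a real account.

```python
"""Pre-flight check for the Module 0 stack: find out which of GuardDuty,
Security Hub and AWS Config are already enabled in the current region so
the stack's "enable service" parameters can be set to match, since enabling
a service that is already on is what makes the stack fail. Added example,
not workshop code: the parameter names and the Y/N values are placeholders
for whatever the workshop template actually expects. Clients are injected
so the logic runs offline against the constructed fakes below."""


def _error_code(exc):
    """AWS error code from a botocore ClientError (or a fake carrying .response)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")


def guardduty_enabled(guardduty):
    """GuardDuty is on in a region iff at least one detector exists."""
    return bool(guardduty.list_detectors().get("DetectorIds"))


def securityhub_enabled(securityhub):
    """DescribeHub succeeds only when Security Hub is enabled in the region;
    otherwise the call fails with InvalidAccessException."""
    try:
        securityhub.describe_hub()
        return True
    except Exception as exc:
        if _error_code(exc) == "InvalidAccessException":
            return False
        raise


def config_enabled(config):
    """Config counts as enabled when a recorder exists and is recording."""
    recorders = config.describe_configuration_recorders().get("ConfigurationRecorders", [])
    if not recorders:
        return False
    status = config.describe_configuration_recorder_status()
    return any(s.get("recording") for s in status.get("ConfigurationRecordersStatus", []))


def recommend_parameters(guardduty, securityhub, config):
    """'Y' lets the stack enable a service that is off; 'N' skips one that is
    already on. The parameter names are placeholders (assumption)."""
    state = {
        "EnableGuardDuty": guardduty_enabled(guardduty),
        "EnableSecurityHub": securityhub_enabled(securityhub),
        "EnableConfig": config_enabled(config),
    }
    return {name: "N" if on else "Y" for name, on in state.items()}


def real_clients(region=None):
    """boto3 clients for a real account (imported lazily so the fakes need no boto3)."""
    import boto3
    session = boto3.session.Session(region_name=region)
    return session.client("guardduty"), session.client("securityhub"), session.client("config")


# Constructed fakes mimicking the response shapes of the three API calls.
class FakeGuardDuty:
    def __init__(self, detector_ids):
        self.detector_ids = list(detector_ids)

    def list_detectors(self):
        return {"DetectorIds": self.detector_ids}


class FakeSecurityHub:
    def __init__(self, enabled):
        self.enabled = enabled

    def describe_hub(self):
        if not self.enabled:
            err = Exception("Account is not subscribed to AWS Security Hub")
            err.response = {"Error": {"Code": "InvalidAccessException"}}
            raise err
        return {"HubArn": "arn:aws:securityhub:us-east-1:111122223333:hub/default"}


class FakeConfig:
    def __init__(self, has_recorder, recording):
        self.has_recorder, self.recording = has_recorder, recording

    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": [{"name": "default"}] if self.has_recorder else []}

    def describe_configuration_recorder_status(self):
        return {"ConfigurationRecordersStatus": [{"name": "default", "recording": self.recording}]}


if __name__ == "__main__":
    print("fresh account:", recommend_parameters(FakeGuardDuty([]), FakeSecurityHub(False), FakeConfig(False, False)))
    print("already enabled:", recommend_parameters(FakeGuardDuty(["12abc"]), FakeSecurityHub(True), FakeConfig(True, True)))
```

Against a real account, `recommend_parameters(*real_clients("us-east-1"))` needs read-only permissions (`guardduty:ListDetectors`, `securityhub:DescribeHub`, `config:DescribeConfigurationRecorders`, `config:DescribeConfigurationRecorderStatus`); any other error, such as an access denial, is re-raised rather than being mistaken for "not enabled".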

Module 1: repeated word "and"

Double and in the integration section:

Integrations
In this section, we will walk through the Security Hub side of enabling a partner integration. Security Hub provides the ability to integrate security findings from AWS services and third-party products. For third-party products Security Hub gives you the ability to selectively enable the integrations and and provides a link to the configuration instructions related to the third-party product.

Module 3 - Step Numbering

Module 3: Remediation and Response CIS Benchmark and Custom Action

Please wait a moment for the creation to complete or progress to start, then proceed to Step 11.

However, the steps restart from 1

[Screenshot attached: Screen Shot 2020-10-23 at 4.39.53 PM]

Actions with multiple select findings

In the posting to slack lab, is it expected that only one finding can be posted at a time? I selected multiple and selected the "post to slack" action but only the first out of the multiple selected gets posted in slack and not all.

Module 4 - Store Slack webhook secret securely [Enhancement]

Currently the Slack webhook is being stored as an environment variable within the Lambda function. Consider changing to store in either SSM Parameter Store as a SecureString or within AWS Secrets Manager, and have the Lambda function fetch this secret at run time.
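The following is an added example, not the workshop's Lambda, that addresses this issue and the "Actions with multiple select findings" issue above together: the webhook URL is read at run time from an SSM SecureString parameter (cached for the life of the container, so only the parameter name is in the environment), and every finding in the custom action event's `detail.findings` list is posted rather than just the first. The parameter name, the environment variable that names it, the fake SSM client and the sample event are all assumptions made for the example.

```python
"""Slack-notification Lambda for Module 4, reworked as the issue suggests:
the webhook URL lives in an SSM SecureString (Secrets Manager works the same
way) and is fetched at run time, and every selected finding in the event is
posted, not just the first. Added example, not workshop code. The parameter
name, the env var holding that name, and the sample event are assumptions."""
import json
import os
import urllib.request

_WEBHOOK_CACHE = {}  # survives across invocations of a warm container


def get_webhook_url(ssm, parameter_name):
    """Read the decrypted SecureString once per container and cache it.
    Only the parameter *name* is in the environment; the secret never is."""
    if parameter_name not in _WEBHOOK_CACHE:
        resp = ssm.get_parameter(Name=parameter_name, WithDecryption=True)
        _WEBHOOK_CACHE[parameter_name] = resp["Parameter"]["Value"]
    return _WEBHOOK_CACHE[parameter_name]


def format_finding(finding):
    """One Slack message per ASFF finding (mrkdwn text)."""
    severity = finding.get("Severity", {}).get("Label", "UNKNOWN")
    resources = ", ".join(r.get("Id", "?") for r in finding.get("Resources", []))
    return {
        "text": (
            f"*{finding.get('Title', '(no title)')}*\n"
            f"Severity: {severity} | Account: {finding.get('AwsAccountId', '?')} "
            f"| Region: {finding.get('Region', '?')}\n"
            f"Resources: {resources or 'none'}"
        )
    }


def post_json(url, payload):
    """POST a JSON body to the webhook; returns the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def handler(event, context=None, ssm=None, post=post_json):
    """Lambda entry point. `ssm` and `post` are injectable for offline use;
    in Lambda they default to a real boto3 client and a real HTTP POST."""
    if ssm is None:
        import boto3
        ssm = boto3.client("ssm")
    url = get_webhook_url(ssm, os.environ.get("SLACK_WEBHOOK_PARAM", "/workshop/slack/webhook"))
    findings = event.get("detail", {}).get("findings", [])
    posted = 0
    for finding in findings:  # a custom action delivers every selected finding
        post(url, format_finding(finding))
        posted += 1
    return {"posted": posted, "received": len(findings)}


# Constructed fake and sample event for running without AWS or Slack.
class FakeSSM:
    def __init__(self, value):
        self.value, self.calls = value, 0

    def get_parameter(self, Name, WithDecryption=False):
        self.calls += 1
        assert WithDecryption, "SecureString needs WithDecryption=True"
        return {"Parameter": {"Name": Name, "Type": "SecureString", "Value": self.value}}


SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "detail": {
        "actionName": "Post to Slack",
        "findings": [
            {"Title": "2.9 Ensure VPC flow logging is enabled in all VPCs",
             "Severity": {"Label": "MEDIUM"}, "AwsAccountId": "111122223333",
             "Region": "us-east-1",
             "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0abc"}]},
            {"Title": "4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22",
             "Severity": {"Label": "HIGH"}, "AwsAccountId": "111122223333",
             "Region": "us-east-1",
             "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0def"}]},
        ],
    },
}

if __name__ == "__main__":
    sent = []
    fake = FakeSSM("https://hooks.slack.com/services/T000/B000/placeholder")
    result = handler(SAMPLE_EVENT, ssm=fake, post=lambda url, body: sent.append((url, body)) or 200)
    print(result, "messages sent:", len(sent), "SSM calls:", fake.calls)
```

The execution role then needs `ssm:GetParameter` on that one parameter and `kms:Decrypt` on the key that encrypts it, and nothing else changes for the EventBridge rule. If the Slack lab sends a single batched message instead, the same loop applies; the point is that the handler must walk the whole `findings` list.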
