AWS Security and Compliance
Background

SHI has developed a multi-cloud governance framework to help organizations achieve governance at scale and accelerate cloud usage in a controlled, secure, compliant, and consistent way. The SHI Cloud Governance Framework is built upon a set of industry best practices, standards, frameworks, and benchmarks, and can be applied regardless of your maturity, whether you are new to the cloud or an existing cloud customer. Phase 1 of the SHI Cloud Governance Framework helps to establish visibility and awareness of security and compliance issues within the cloud environment in order to strengthen your overall security posture.

Purpose

The purpose of this document is to provide a configuration guide for enabling key AWS services and integrating those services with SHI One. Implementing the services covered in this guide will strengthen your AWS security posture and establish a set of foundational best practices, as further defined in the SHI Cloud Governance Framework. Integrating these services into SHI One provides a simplified and unified view of this information and ensures that the SHI Cloud Governance Framework Success Program can act as your concierge to help guide you towards a stronger cloud security posture.

Getting Started

Prerequisites

The following prerequisites must be met to utilize the SHI One AWS Security and Compliance integration:

- AWS Organizations has been enabled and an organizational hierarchy has been established.
- All features have been enabled for the organization: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html

Note: If you already purchased AWS from SHI, you can ensure these prerequisites are met by submitting a service request to "Enable AWS Organizations".

Next Steps

To strengthen the security posture of your environment, SHI recommends the following four-step process, which is detailed in this document:

1. Enable Amazon GuardDuty
2. Enable AWS Config
3. Enable AWS Security Hub
4. Configure SHI One integration

Amazon GuardDuty

Overview

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing AWS CloudTrail events, VPC Flow Logs, and DNS logs.

The following section describes the configuration of Amazon GuardDuty necessary to fully utilize this AWS capability and the SHI One AWS Security and Compliance integration.

Enable Amazon GuardDuty

1. Enable GuardDuty in each account and region targeted for data collection. Step-by-step guide: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
2. Designate an AWS account as a delegated administrator in each region where GuardDuty has been enabled. Step-by-step guide: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
   If AWS Control Tower has been configured, you should delegate your Audit account as the delegated administrator account.

Note: If you already purchased AWS from SHI, you can designate your delegated administrator account by submitting a service request to "Register a GuardDuty delegated administrator".

Pricing

GuardDuty prices are based on the number of analyzed AWS CloudTrail events and the volume of Amazon Virtual Private Cloud (Amazon VPC) Flow Logs and Domain Name System (DNS) logs. These services are directly integrated with GuardDuty, which means you don't have to enable or pay for them separately. GuardDuty also optimizes cost by applying smart filters and analyzing only a subset of logs relevant to threat detection.

Important details to understand:

- Pricing varies by region.
- Pricing is broken down into several components:
  - AWS CloudTrail Management Event Analysis
  - AWS CloudTrail S3 Data Event Analysis (applicable only if S3 Protection is enabled for the account)
  - VPC Flow Log and DNS Log Analysis

For the most up-to-date pricing, visit https://aws.amazon.com/guardduty/pricing/

References

- Overview: https://aws.amazon.com/guardduty/
- Enabling GuardDuty: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
- Delegating an organization admin: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
- Pricing: https://aws.amazon.com/guardduty/pricing/
- API reference: https://docs.aws.amazon.com/guardduty/latest/APIReference/

AWS Config

Overview

AWS Config is a service that enables the assessment, audit, and evaluation of the configurations of AWS resources. Once AWS Config is enabled, it continuously monitors and records AWS resource configurations and allows automated evaluation of recorded configurations against desired configurations.

The following section describes the configuration of AWS Config necessary to fully utilize this AWS capability and the SHI One AWS Security and Compliance integration.

Enable AWS Config

1. Enable Config in each account and region targeted for data collection. Step-by-step guide: https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html
   Best practice: CIS recommends enabling AWS Config in all regions.
2. Designate an AWS account as a delegated administrator in each region where Config has been enabled. This step must be done via the CLI. Step-by-step guide: https://aws.amazon.com/blogs/mt/using-delegated-admin-for-aws-config-operations-and-aggregation/

Note: If you already purchased AWS from SHI, you can designate your delegated administrator account by submitting a service request to "Register an AWS Config delegated administrator".

Pricing

With AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations in your account. A configuration item is a record of the configuration state of a resource in your AWS account. An AWS Config rule evaluation is a compliance state evaluation of a resource by an AWS Config rule in your AWS account, and a conformance pack evaluation is the evaluation of a resource by an AWS Config rule within the conformance pack.

For the most up-to-date pricing, visit https://aws.amazon.com/config/pricing/

References

- Overview: https://aws.amazon.com/config/
- Enabling Config: https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html
- Delegating an organization admin: https://aws.amazon.com/blogs/mt/deploy-aws-config-rules-and-conformance-packs-using-a-delegated-admin/
- Conformance packs:
  - https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-organization-apis.html
  - https://docs.aws.amazon.com/config/latest/developerguide/cpack-prerequisites.html
  - https://docs.aws.amazon.com/config/latest/developerguide/conformance-pack-console.html
- Pricing: https://aws.amazon.com/config/pricing/
- API reference: https://docs.aws.amazon.com/config/latest/APIReference/

AWS Security Hub

Overview

AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation. Once AWS Security Hub is enabled, findings from various AWS services and partner products are aggregated in a standardized format so that you can more easily take action on them.

The following section describes the configuration of AWS Security Hub necessary to fully utilize this AWS capability and the SHI One AWS Security and Compliance integration.

Enable AWS Security Hub

1. Enable Security Hub in each account and region targeted for data collection. Step-by-step guide: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html
2. Designate an AWS account as a delegated administrator in each region where Security Hub has been enabled. Step-by-step guide: https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
   If AWS Control Tower has been configured, you should delegate your Audit account as the delegated administrator account.
   Note: If you already purchased AWS from SHI, you can designate your delegated administrator account by submitting a service request to "Register an AWS Security Hub delegated administrator".
3. Enable the security standards in each account and region targeted for data collection. Step-by-step guide: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html
   Best practice: SHI recommends enabling CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices.
4. Add member accounts to the delegated administrator account in each region targeted for data collection. Step-by-step guide: https://docs.aws.amazon.com/securityhub/latest/userguide/orgs-accounts-enable.html
   Note: You cannot enable an account if it is already a member account for a different administrator account; you also cannot enable an account that is currently suspended.

Pricing

For the most up-to-date pricing, visit https://aws.amazon.com/security-hub/pricing/

References

- Overview: https://aws.amazon.com/security-hub/
- Enabling Security Hub: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-enable.html
- Delegating an organization admin: https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
- Pricing: https://aws.amazon.com/security-hub/pricing/
- API reference: https://docs.aws.amazon.com/securityhub/1.0/APIReference/

SHI One Integration

Overview

Once SHI One AWS Security & Compliance is enabled, aggregated findings from AWS Security Hub will be visible from within SHI One. The SHI Cloud Governance Framework Customer Success Program will guide you through the findings, help you identify priority items, and assist with recommending remediation strategies to strengthen your security posture.

The following section describes the configuration necessary to integrate your AWS Security Hub into SHI One and details the permissions necessary to ensure proper functionality of the Security and Compliance integration. To utilize the Security and Compliance integration to its fullest capabilities, an IAM role containing the permissions outlined in this section should be pushed to an AWS account that aggregates Security Hub findings for the AWS Organization.

Enable SHI One Integration

Creating the necessary IAM role

The necessary IAM role can be created via CloudFormation with the following template:

1. Click the following link: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=shi-security-compliance-role&templateURL=https://shi-msp-cloudformation-us-east-1.s3.amazonaws.com/iam-roles/shi-one/shi-collector-security-compliance-role.yml
2. Click Next.
3. Enter an External ID. It must adhere to the following parameters:
   - Any string of random alphanumeric characters without whitespace
   - Minimum of 2 characters
   - Maximum of 1,224 characters
   Save this External ID, as it will be needed for subsequent steps.
4. Click Next.
5. Click Next.
6. Check the checkbox "I acknowledge that AWS CloudFormation might create IAM resources with custom names".
7. Click Create stack.
8. Record the RoleArn and External ID.

Configure the SHI One integration

1. Log into SHI One (https://one.shi.com).
2. On the left-hand sidebar, navigate to Settings > Integrations.
3. Click the three dots in the upper right corner of the AWS Security & Compliance tile.
   If you don't see AWS Security & Compliance, first confirm that you have an AWS contract visible under Services > Contracts, as you may not yet be fully onboarded to SHI One. Alternatively, submit a support request via Support Center > Submit Request.
4. Click Add New.
5. Populate the form with the RoleArn and External ID from the previous steps.
6. Click Test.
7. Click Save.
8. Repeat steps 3 through 7 until all have been added.
9. Verify that the slider in the upper right corner of the AWS Security & Compliance tile is orange/activated.
10. Click on the AWS Security & Compliance tile and verify that each slider is orange/activated.

Note that it takes AWS up to 24 hours to start sending data to SHI One.

Pricing

SHI collects data daily from the AWS Security Hub API. Currently there is no AWS charge for this API usage.

Troubleshooting

If the integration doesn't show up on the Integrations page or you are unable to enable it, submit a support request, as this could potentially be a site-wide issue.

If you have enabled the integration and your data doesn't show up:

- Verify that it has been at least 24 hours, as collection occurs daily.
- Verify that you have deployed a role with the correct permissions as documented.
- Re-enter your information (ARN and External ID) on the Integrations page; these can be found where you launched the CloudFormation template for the role.
- Validate that the requisite configuration as documented has been met.

If your data is incomplete or you are missing data for certain accounts:

- Make sure the services are configured for these accounts: GuardDuty, Config, Security Hub.
- Make sure you have those accounts as members of Security Hub in the aggregator/security account.

Note: If you encounter an issue not addressed within this section, please submit a support request via Support Center > Service Request.
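The External ID entered when creating the collector role, and re-entered on the Integrations page, is what lets the role's trust policy reject a caller that knows the RoleArn but not the agreed ID (the confused-deputy control behind the Test button). The following added example, which is not SHI's CloudFormation template, validates an External ID against the constraints this guide states and shows the standard sts:ExternalId trust-policy pattern; the collector account ID 111111111111 is a constructed placeholder.

```python
import json
import re
from typing import Optional

# External ID constraints as stated in the role-creation step of this guide:
# alphanumeric, no whitespace, 2 to 1,224 characters.
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9]{2,1224}")

# Placeholder: the SHI collector account is not given in the guide; this value is constructed.
COLLECTOR_ACCOUNT_ID = "111111111111"


def validate_external_id(external_id: str) -> bool:
    """True if the External ID satisfies the guide's constraints."""
    return EXTERNAL_ID_RE.fullmatch(external_id) is not None


def build_trust_policy(collector_account_id: str, external_id: str) -> dict:
    """Trust policy for the collector role: only the collector account may assume it,
    and only when it presents the agreed External ID via the sts:ExternalId condition.
    This is the standard cross-account pattern; SHI's own template is not reproduced here."""
    if not validate_external_id(external_id):
        raise ValueError("External ID does not meet the guide's constraints")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{collector_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_permitted(policy: dict, caller_account_id: str,
                          presented_external_id: Optional[str]) -> bool:
    """Simplified model of how IAM evaluates the trust policy above (single Allow
    statement, account-root principal): the caller's account must be the trusted one
    and the External ID must match exactly, so a wrong or missing ID is denied."""
    for stmt in policy["Statement"]:
        trusted_account = stmt["Principal"]["AWS"].split(":")[4]
        expected_id = stmt["Condition"]["StringEquals"]["sts:ExternalId"]
        if caller_account_id == trusted_account and presented_external_id == expected_id:
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(COLLECTOR_ACCOUNT_ID, "a1b2c3d4")
    print(json.dumps(policy, indent=2))
    print(assume_role_permitted(policy, COLLECTOR_ACCOUNT_ID, "a1b2c3d4"))  # True
    print(assume_role_permitted(policy, COLLECTOR_ACCOUNT_ID, "typo"))      # False
```

If the Test step fails, compare the External ID you typed into SHI One with the one the stack was created with before changing anything else; a single mismatched character is enough for the denial shown above.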
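For the "data is incomplete for certain accounts" case above, the quickest way to see which accounts the aggregator is actually hearing from is to group the findings Security Hub returns by account and by source product. The following added example (not part of this guide) does that over a constructed sample in the ASFF shape of the GetFindings API, reading only the AwsAccountId and ProductArn fields; the account IDs and member list are constructed.

```python
from collections import defaultdict

# Constructed sample findings in the ASFF shape returned by the Security Hub GetFindings API
# (only the fields this check reads). Account 222... reports only Security Hub control
# findings; account 333... is listed as a member below but has no findings at all.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111", "Region": "us-east-1",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty"},
    {"AwsAccountId": "111111111111", "Region": "us-east-1",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/config"},
    {"AwsAccountId": "111111111111", "Region": "us-east-1",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"},
    {"AwsAccountId": "222222222222", "Region": "us-east-1",
     "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"},
]

# Constructed list of accounts that should be members of the aggregator/security account.
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333"]

# Sources the troubleshooting section says must be configured in every account.
EXPECTED_SOURCES = ("guardduty", "config", "securityhub")


def source_of(product_arn: str) -> str:
    """'arn:aws:securityhub:us-east-1::product/aws/guardduty' -> 'guardduty'."""
    return product_arn.rsplit("/", 1)[-1]


def coverage_report(findings, member_accounts):
    """Map each member account to the expected sources that never appear in its findings.
    An empty list means every source has reported; a full list means the aggregator has
    received nothing from that account, which points at a missing Security Hub membership
    rather than at a single service. Absence of findings from one source is only a hint:
    a clean account can legitimately have zero GuardDuty findings."""
    seen = defaultdict(set)
    for finding in findings:
        seen[finding["AwsAccountId"]].add(source_of(finding["ProductArn"]))
    return {acct: [s for s in EXPECTED_SOURCES if s not in seen[acct]]
            for acct in member_accounts}


if __name__ == "__main__":
    for acct, missing in coverage_report(SAMPLE_FINDINGS, MEMBER_ACCOUNTS).items():
        print(acct, "missing:", ", ".join(missing) or "none")
```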