AWS Security and Compliance
SHI has developed a multi-cloud governance framework to help organizations achieve governance at scale and accelerate cloud usage in a controlled, secure, compliant, and consistent way.
The SHI Cloud Governance Framework is built upon a set of industry best practices, standards, frameworks, and benchmarks.
The SHI Cloud Governance Framework can be applied regardless of your cloud maturity, whether you are new to the cloud or an existing cloud customer.
Phase 1 of the SHI Cloud Governance Framework helps to establish visibility and awareness of security and compliance issues within the cloud environment in order to strengthen your overall security posture.
The purpose of this document is to provide a configuration guide for enabling key AWS Services and integrating those services with SHI One.
The implementation of the services covered in this guide will strengthen your AWS security posture and establish a set of foundational best practices as further defined in the SHI Cloud Governance Framework.
The integration of these services into SHI One provides a simplified and unified view of this information and ensures that the SHI Cloud Governance Framework Success Program can act as your concierge to help guide you towards a stronger cloud security posture.
The following section describes the prerequisites that must be met to utilize the SHI One AWS Security and Compliance Integration:
- AWS Organizations has been enabled and an organizational hierarchy has been established
- All features have been enabled for the Organization
Note: If you already purchased AWS from SHI, you can ensure these prerequisites are met by submitting a Service Request to “Enable AWS Organizations”
In order to achieve the goal of strengthening the security posture of your environment, SHI recommends the following four-step process, which is detailed in this document:
- Enable Amazon GuardDuty
- Enable AWS Config
- Enable AWS Security Hub
- Configure SHI One Integration
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing all AWS CloudTrail events, VPC Flow Logs, and DNS logs.
The following section describes the necessary configuration of Amazon GuardDuty in order to fully utilize this AWS capability and the SHI One AWS Security and Compliance Integration.
- Enable GuardDuty in each account and region targeted for data collection
- For a step-by-step guide see: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
- Designate an AWS account as a Delegated Administrator in each region where GuardDuty has been enabled
- For a step-by-step guide see: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
If AWS Control Tower has been configured, you should delegate your Audit Account as the Delegated Administrator Account.
Note: If you already purchase AWS from SHI, you can designate your Delegated Administrator Account by submitting a Service Request to “Register a GuardDuty Delegated Administrator”
GuardDuty prices are based on the number of analyzed AWS CloudTrail events and the volume of Amazon Virtual Private Cloud (Amazon VPC) flow logs and Domain Name System (DNS) logs. These services are directly integrated with GuardDuty, which means you don’t have to enable or pay for them separately. GuardDuty also optimizes cost by applying smart filters and analyzing only the subset of logs relevant to threat detection.
Important details to understand:
- Pricing varies by region
- Pricing is broken down into several components:
- AWSCloudTrailManagementEventAnalysis
- AWSCloudTrailS3DataEventAnalysis
- Applicable only if S3 Protection is enabled for the account
- VPCFlowLogandDNSLogAnalysis
For the most up to date pricing, visit: https://aws.amazon.com/guardduty/pricing/
Amazon GuardDuty processes 40,000,000 AWS CloudTrail management events and 200,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 2,000 GB of VPC flow logs and 1,000 GB of DNS query logs are processed, for a total of 3,000 GB volume of logs.
- 40 management events x $4.00 (40 million management events, priced per million)
- 200 S3 data events x $0.80 (200 million S3 data events, within the first 500 million data events tier, priced per million)
- 500 GB logs x $1.00 (first 500 GB)
- 2,000 GB logs x $0.50 (next 2,000 GB)
- 500 GB logs x $0.25 (last 500 GB)
Total Cost per month: $1,945
Amazon GuardDuty processes 5,000,000 AWS CloudTrail management events and 1,000,000,000 CloudTrail S3 data events in the US East (N. Virginia) region. In addition, 200 GB of VPC flow logs and 50 GB of DNS query logs are processed, for a total of 250 GB volume of logs.
- 5 management events x $4.00 (5 million management events, priced per million)
- 500 S3 data events x $0.80 (first 500 million data events, priced per million)
- 500 S3 data events x $0.40 (next 500 million data events, priced per million)
- 250 GB logs x $1.00 (first 500 GB)
Total Cost per month: $870.00
- Overview
- Enabling GuardDuty
- Delegating an Organization Admin
- Pricing
- API Reference
AWS Config is a service that enables the assessment, audit, and evaluation of the configurations of AWS resources.
Once AWS Config is enabled, it continuously monitors and records AWS resource configurations and allows automated evaluation of recorded configurations against desired configurations.
The following section describes the necessary configuration of AWS Config in order to fully utilize this AWS capability and the SHI One AWS Security and Compliance Integration.
For a step-by-step guide, see:
Best Practice: CIS recommends enabling AWS Config in all regions
Designate an AWS account as the AWS Config Delegated Administrator for the Organization. This step must be done via the CLI. For a step-by-step guide, see:
Note: If you already purchase AWS from SHI, you can designate your Delegated Administrator Account by submitting a Service Request to “Register an AWS Config Delegated Administrator”
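Because the AWS Config delegation has to be scripted rather than clicked, here is an added example (not SHI's code and not the AWS walkthrough) that performs the same step through the AWS Organizations API with boto3: it turns on trusted access for AWS Config and registers the chosen account as delegated administrator. It assumes it is run from the Organization's management account, that boto3 is installed for live use, and that the account id passed in is your Audit (or other chosen) account; the FakeOrganizations class and its sample account ids are constructed so the logic can be exercised offline.

```python
"""Register an AWS Config delegated administrator for an Organization.

Added example (not SHI's or AWS's code). Through the Organizations API it
performs the same two steps the CLI walkthrough does:
  1. enable trusted access for AWS Config in the Organization
  2. register the chosen account as delegated administrator
Both service principals are real: "config.amazonaws.com" is the base
service, "config-multiaccountsetup.amazonaws.com" is additionally needed
for organization-wide Config rules and conformance packs.
The Organizations client is injected so the logic can run without
credentials; build_client() creates a real boto3 client.
"""
from __future__ import annotations

CONFIG_SERVICE_PRINCIPALS = (
    "config.amazonaws.com",
    "config-multiaccountsetup.amazonaws.com",
)


def build_client():
    """Real AWS Organizations client; call from the management account."""
    import boto3  # imported lazily so the module runs without boto3 installed

    return boto3.client("organizations")


def register_config_delegated_admin(org, account_id: str) -> dict:
    """Enable trusted access and register account_id as delegated admin for
    every Config service principal. Idempotent: an account already
    registered for a principal is skipped rather than registered again.
    Returns {principal: "registered" | "already-registered"}."""
    result = {}
    for principal in CONFIG_SERVICE_PRINCIPALS:
        # Trusted access must be on before an administrator can be delegated.
        org.enable_aws_service_access(ServicePrincipal=principal)
        existing = org.list_delegated_administrators(ServicePrincipal=principal)
        already = {a["Id"] for a in existing.get("DelegatedAdministrators", [])}
        if account_id in already:
            result[principal] = "already-registered"
            continue
        org.register_delegated_administrator(
            AccountId=account_id, ServicePrincipal=principal
        )
        result[principal] = "registered"
    return result


class FakeOrganizations:
    """Constructed stand-in for the boto3 client; records the calls made."""

    def __init__(self, preregistered=None):
        self.calls = []
        self.admins = {p: set(v) for p, v in (preregistered or {}).items()}

    def enable_aws_service_access(self, ServicePrincipal):
        self.calls.append(("enable_aws_service_access", ServicePrincipal))

    def list_delegated_administrators(self, ServicePrincipal):
        ids = self.admins.get(ServicePrincipal, ())
        return {"DelegatedAdministrators": [{"Id": i} for i in ids]}

    def register_delegated_administrator(self, AccountId, ServicePrincipal):
        self.calls.append(
            ("register_delegated_administrator", ServicePrincipal, AccountId)
        )
        self.admins.setdefault(ServicePrincipal, set()).add(AccountId)


if __name__ == "__main__":
    import sys

    # Usage: python register_config_admin.py <audit-account-id>
    print(register_config_delegated_admin(build_client(), sys.argv[1]))
```

Running it twice is safe: the second run reports both principals as already registered and makes no further registration calls, which is the behaviour you want from anything that lands in an account bootstrap pipeline.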
With AWS Config, you are charged based on the number of configuration items recorded, the number of active AWS Config rule evaluations, and the number of conformance pack evaluations in your account.
A configuration item is a record of the configuration state of a resource in your AWS account.
An AWS Config rule evaluation is a compliance state evaluation of a resource by an AWS Config rule in your AWS account, and a conformance pack evaluation is the evaluation of a resource by an AWS Config rule within the conformance pack.
For the most up to date pricing, visit: https://aws.amazon.com/config/pricing/
Assume the following usage in the US East (N. Virginia) Region in a given month:
- 10,000 Configuration items recorded across various resource types
- 10,000 x $0.003
- $30
- 50,000 Config rule evaluations across all individual Config rules existing in the account
- First 100,000 evaluations at $0.001 each
- $50
- 5 conformance packs, each containing 10 Config rules with 300 rule evaluations per Config rule (i.e. 5 x 10 x 300 = 15,000 evaluations total)
- First 1,000,000 conformance pack evaluations at $0.0012 each
- $18
Total Cost per Month: $98
- Overview
- Enabling Config
- Delegating an Organization Admin
- Conformance Packs
- Pricing
- API Reference
AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
Once AWS Security Hub is enabled, findings from various AWS services and partner products are aggregated in a standardized format so that you can more easily take action on them.
The following section describes the necessary configuration of AWS Security Hub in order to fully utilize this AWS capability and the SHI One AWS Security and Compliance Integration.
Enable Security Hub in each account and region targeted for data collection. For a step-by-step guide, see:
Designate an AWS account as a Delegated Administrator in each region where Security Hub has been enabled
For a step-by-step guide, see:
If AWS Control Tower has been configured, you should delegate your Audit Account as the Delegated Administrator Account.
Note: If you already purchase AWS from SHI, you can designate your Delegated Administrator Account by submitting a Service Request to “Register an AWS Security Hub Delegated Administrator”
Enable the security standards that Security Hub should check your accounts against. For a step-by-step guide, see:
Best Practice: SHI recommends enabling CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices
Add member accounts to the Delegated Administrator Account in each region targeted for data collection
For a step-by-step guide, see:
Note: You cannot enable an account if it is already a member account for a different administrator account; you also cannot enable an account that is currently suspended
For the most up to date pricing, visit:
You have one region, US East (Ohio), and one account in your AWS deployment. AWS Security Hub performs 250 security checks per account/region/month. Security Hub also aggregates 5,000 finding ingestions per account/region/month.
- 250 security checks
- 250 x 1 region x $0.0010 per check (first 100,000 checks tier)
- $0.25
- 5,000 finding ingestions
- 5,000 x 1 region x $0.00 per event (first 10,000 events free tier)
- $0.00
Total Cost per Month: $0.25
You have two regions, US East (Ohio) and Europe (Ireland), and 20 accounts in your AWS deployment. AWS Security Hub performs 500 security checks per account/region/month. Security Hub also aggregates 10,000 finding ingestions per account/region/month.
- 500 security checks
- 500 x 2 regions x $0.0010 per check (first 100,000 checks tier) x 20 accounts
- $20.00
- 10,000 finding ingestions
- 10,000 x 2 regions x $0.00 per event (first 10,000 events free tier) x 20 accounts
- $0.00
Total Cost per Month: $20.00
You have three regions, US East (Ohio), Europe (Ireland), and Asia Pacific (Sydney), and 200 accounts in your AWS deployment. AWS Security Hub performs 1,000 security checks per account/region/month. Security Hub also aggregates 50,000 finding ingestions per account/region/month.
- 1,000 security checks
- 1,000 x 3 regions x $0.0010 per check (first 100,000 checks tier) x 200 accounts
- $600.00
- 10,000 finding ingestions
- 10,000 x 3 regions x $0.00 per event (first 10,000 events free tier) x 200 accounts
- $0.00
- 40,000 finding ingestions
- 40,000 x 3 regions x $0.00003 per event (over 10,000 events free tier) x 200 accounts
- $720.00
Total Cost per Month: $1,320.00
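The GuardDuty, AWS Config and Security Hub pricing examples in this guide all apply the same tiered-rate arithmetic, so one added example (not from SHI's guide or from AWS) covers all three: it encodes the tier ladders exactly as the worked examples state them, reproduces the monthly totals they give, and refuses to extrapolate when usage passes the last tier the guide quotes. The rates are the guide's example figures, not a current price list, and the Security Hub tiers are assumed to apply per account per region, as the examples describe.

```python
"""Tiered monthly-cost estimator for GuardDuty, AWS Config and Security Hub.

Added example (not from SHI's guide or AWS). The tier tables are
transcribed from this guide's worked examples, so they reproduce those
figures; they are NOT a current price list. Usage beyond the last tier
the guide quotes raises ValueError instead of silently extrapolating.
"""
from typing import List, Optional, Tuple

# (tier size, or None for an unbounded final tier; unit rate in USD)
Tier = Tuple[Optional[float], float]


def tiered_cost(quantity: float, tiers: List[Tier]) -> float:
    """Charge `quantity` units against successive tiers: fill the first tier
    at its rate, then the next, until the usage is exhausted."""
    remaining = float(quantity)
    cost = 0.0
    for size, rate in tiers:
        if remaining <= 0:
            break
        chunk = remaining if size is None else min(remaining, size)
        cost += chunk * rate
        remaining -= chunk
    if remaining > 0:
        raise ValueError(f"{quantity} units exceeds the tiers modelled here")
    return cost


def within_modelled_tiers(quantity: float, tiers: List[Tier]) -> bool:
    """True if the guide's tier ladder covers this much usage."""
    capacity = 0.0
    for size, _ in tiers:
        if size is None:
            return True
        capacity += size
    return quantity <= capacity


# --- Amazon GuardDuty (US East, N. Virginia), per the guide's examples ---
GUARDDUTY_MGMT_EVENTS_PER_MILLION: List[Tier] = [(None, 4.00)]
GUARDDUTY_S3_EVENTS_PER_MILLION: List[Tier] = [(500, 0.80), (500, 0.40)]
GUARDDUTY_LOG_GB: List[Tier] = [(500, 1.00), (2000, 0.50), (500, 0.25)]


def guardduty_monthly_cost(mgmt_events: int, s3_data_events: int, log_gb: float) -> float:
    """Management and S3 data events are priced per million; VPC flow and DNS
    logs share one per-GB ladder, so pass their combined volume."""
    total = (
        tiered_cost(mgmt_events / 1_000_000, GUARDDUTY_MGMT_EVENTS_PER_MILLION)
        + tiered_cost(s3_data_events / 1_000_000, GUARDDUTY_S3_EVENTS_PER_MILLION)
        + tiered_cost(log_gb, GUARDDUTY_LOG_GB)
    )
    return round(total, 2)


# --- AWS Config ---
CONFIG_ITEMS: List[Tier] = [(None, 0.003)]
CONFIG_RULE_EVALUATIONS: List[Tier] = [(100_000, 0.001)]
CONFIG_CONFORMANCE_EVALUATIONS: List[Tier] = [(1_000_000, 0.0012)]


def config_monthly_cost(config_items: int, rule_evaluations: int, pack_evaluations: int) -> float:
    total = (
        tiered_cost(config_items, CONFIG_ITEMS)
        + tiered_cost(rule_evaluations, CONFIG_RULE_EVALUATIONS)
        + tiered_cost(pack_evaluations, CONFIG_CONFORMANCE_EVALUATIONS)
    )
    return round(total, 2)


# --- AWS Security Hub: the ladders apply per account per region ---
SECURITYHUB_CHECKS: List[Tier] = [(100_000, 0.0010)]
SECURITYHUB_FINDING_INGESTIONS: List[Tier] = [(10_000, 0.0), (None, 0.00003)]


def securityhub_monthly_cost(checks_per_account_region: int, findings_per_account_region: int,
                             accounts: int, regions: int) -> float:
    per_account_region = (
        tiered_cost(checks_per_account_region, SECURITYHUB_CHECKS)
        + tiered_cost(findings_per_account_region, SECURITYHUB_FINDING_INGESTIONS)
    )
    return round(per_account_region * accounts * regions, 2)


if __name__ == "__main__":
    print("GuardDuty example 1:", guardduty_monthly_cost(40_000_000, 200_000_000, 3_000))
    print("GuardDuty example 2:", guardduty_monthly_cost(5_000_000, 1_000_000_000, 250))
    print("Config example:", config_monthly_cost(10_000, 50_000, 5 * 10 * 300))
    print("Security Hub example 3:", securityhub_monthly_cost(1_000, 50_000, 200, 3))
```

The ValueError on overflow is deliberate: for a budget estimate it is safer to fail loudly than to bill the first tier's rate against usage the guide never priced (for example more than 3,000 GB of GuardDuty logs).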
- Overview
- Enabling Security Hub
- Delegating an Organization Admin
- Pricing
- API Reference
Once SHI One AWS Security & Compliance is enabled, aggregated findings from AWS Security Hub will be visible from within SHI One. The SHI Cloud Governance Framework Customer Success program will guide you through the findings, help you identify priority items, and assist with recommending remediation strategies to strengthen your security posture.
The following section describes the necessary configuration to integrate your AWS Security Hub into SHI One and details the permissions necessary to ensure proper functionality of the Security and Compliance Integration.
To utilize the Security and Compliance Integration to its fullest capabilities, an IAM role containing the permissions outlined in this section should be pushed to an AWS account that aggregates Security Hub findings for the AWS Organization.
The necessary IAM role can be created via CloudFormation with the following template:
- Click the following link:
- Click Next
- Enter an External ID
- It must meet the following requirements:
- Any string of random numbers
- Alphanumeric without whitespaces
- Minimum of 2 characters
- Maximum of 1,224 characters
- Save this External ID as it will be needed for subsequent steps
- Click Next
- Click Next
- Check the checkbox "I acknowledge that AWS CloudFormation might create IAM resources with custom names"
- Click Create Stack
- Record the RoleARN and External ID
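SHI's CloudFormation template is not reproduced in this guide, so the following added example (not SHI's template, and its permission list is this example's own assumption) shows the two properties that make a cross-account role safe to hand to a third party: the trust policy only lets the partner account assume the role, and only when the caller presents the agreed External ID (the standard defence against the confused-deputy problem), while the permissions policy is read-only Security Hub access. The partner account id SHI_ONE_ACCOUNT_ID is a placeholder, and the External ID rules are the ones listed above.

```python
"""Trust and permissions policies for the role SHI One assumes.

Added example; it is not the CloudFormation template SHI provides, and
the permission list is this example's assumption, not SHI's. It shows
why the External ID matters: without it, any caller in the partner's
account that can be talked into calling AssumeRole on your role ARN
would get in (the confused-deputy problem); with it, the caller must
also know a secret that only you and the partner hold.
"""
import json
import re
import secrets
import string

# PLACEHOLDER: the real partner account id comes from SHI's template.
SHI_ONE_ACCOUNT_ID = "123456789012"

# External ID rules as stated in this guide: alphanumeric, no whitespace,
# 2 to 1,224 characters.
EXTERNAL_ID_PATTERN = re.compile(r"[A-Za-z0-9]{2,1224}")

# ASSUMPTION: a minimal read-only set for a daily findings collection; the
# actions are real Security Hub actions, but SHI's own list may differ.
READ_ONLY_SECURITYHUB_ACTIONS = [
    "securityhub:GetFindings",
    "securityhub:ListMembers",
    "securityhub:GetEnabledStandards",
    "securityhub:DescribeHub",
]


def is_valid_external_id(external_id: str) -> bool:
    return EXTERNAL_ID_PATTERN.fullmatch(external_id) is not None


def new_external_id(length: int = 32) -> str:
    """Generate the External ID from a CSPRNG; the guide says to record it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def trust_policy(partner_account_id: str, external_id: str) -> dict:
    """Who may assume the role: the partner account, with the External ID."""
    if not is_valid_external_id(external_id):
        raise ValueError("External ID must be 2-1224 alphanumeric characters")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy() -> dict:
    """What the role may do once assumed: read-only Security Hub access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": READ_ONLY_SECURITYHUB_ACTIONS, "Resource": "*"}],
    }


def role_template(partner_account_id: str, external_id: str) -> dict:
    """CloudFormation template (JSON form) creating the role and outputting
    its ARN, the value the SHI One integration form asks for."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "SHIOneSecurityHubReadRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": trust_policy(partner_account_id, external_id),
                    "Policies": [{"PolicyName": "SecurityHubReadOnly",
                                  "PolicyDocument": permissions_policy()}],
                },
            }
        },
        "Outputs": {"RoleARN": {"Value": {"Fn::GetAtt": ["SHIOneSecurityHubReadRole", "Arn"]}}},
    }


def assume_allowed(policy: dict, caller_account_id: str, presented_external_id) -> bool:
    """Simplified evaluation of the trust policy above for an AssumeRole call:
    the caller's account must match and the presented External ID must equal
    the one in the condition. A missing or wrong External ID is denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account_id}:root":
            continue
        if presented_external_id == stmt["Condition"]["StringEquals"]["sts:ExternalId"]:
            return True
    return False


if __name__ == "__main__":
    external_id = new_external_id()
    print(json.dumps(role_template(SHI_ONE_ACCOUNT_ID, external_id), indent=2))
    print("External ID (record it):", external_id)
```

The guide's template prompts for the External ID as a stack parameter; here it is rendered into the policy directly so the resulting document can be evaluated offline. Treat the External ID like a credential: it is what stops another customer of the same partner from pointing the partner's tooling at your role ARN.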
- On the left-hand sidebar, navigate to Settings -> Integrations
- Click the three dots in the upper right corner of the AWS Security & Compliance box
- If you don’t see AWS Security & Compliance, first confirm that you have an AWS contract visible under Services -> Contracts as you may not yet be fully onboarded to SHI One
- Alternatively, submit a support request via Support Center -> Submit Request
- Click Add New
- Populate the form with the RoleARN and External ID from the previous steps
- Click Test
- Click Save
- Repeat steps 3-7 until all role ARNs have been added
- Verify that the slider on the right of the AWS Security & Compliance box is orange/activated
- Click the AWS Security & Compliance box and verify that each slider is orange/activated
Note that it takes AWS up to 24 hours to start sending data to SHI One.
SHI collects data daily from the AWS Security Hub API. Currently there is no AWS charge for this API usage.
If the integration doesn't show up on the integrations page or you are unable to enable it:
- Log a Service Request as this could potentially be a site-wide issue
If you have enabled the integration and your data doesn't show up:
- Verify that it has been at least 24 hours as collection occurs daily
- Verify that you have deployed a role with the correct permissions as documented
- Re-enter your information (ARN and External ID) on the integrations page, which can be found where you launched the CloudFormation template for the role
- Validate that the requisite configuration as documented has been met
If your data is incomplete or you are missing data for certain accounts:
- Make sure the services are configured for these accounts:
- GuardDuty
- Config
- Security Hub
- Make sure you have those accounts as members of the Security Hub in the aggregator/Security Account
Note: If you encounter an issue not addressed within this section, please submit a support request via Support Center -> Service Request
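For the "missing data for certain accounts" case, the following added example (not SHI's code) automates the membership check described above: it compares the Organization's account list with the Security Hub member list held by the delegated administrator account and reports, per account, why its findings would not reach SHI One. It also separates out suspended accounts, which the guide notes cannot be enabled as members. The pure function works on plain dicts in the shape the boto3 Organizations list_accounts and Security Hub list_members calls return; fetch_live() wires it to real clients and assumes boto3 and credentials for the administrator account. The sample accounts and members at the bottom are constructed.

```python
"""Report Organization accounts whose Security Hub findings cannot reach
SHI One because they are not enabled members of the delegated administrator.

Added example, not SHI's code. SHI One reads findings from the administrator
(aggregator) account, so an account that is not an enabled member there is
simply absent from the data. classify_accounts() works on plain dicts in the
shape the boto3 Organizations list_accounts and Security Hub list_members
calls return; fetch_live() wires it to real clients. Sample data is constructed.
"""
from typing import Dict, Iterable, List


def classify_accounts(org_accounts: Iterable[dict], members: Iterable[dict],
                      admin_account_id: str) -> Dict[str, str]:
    """Map each Organization account id to why it would or would not show up."""
    member_status = {m["AccountId"]: m.get("MemberStatus", "") for m in members}
    report: Dict[str, str] = {}
    for account in org_accounts:
        account_id = account["Id"]
        if account_id == admin_account_id:
            report[account_id] = "administrator"
        elif account.get("Status") != "ACTIVE":
            # The guide notes that a suspended account cannot be enabled as a member.
            report[account_id] = f"not-enrollable: account status {account.get('Status')}"
        elif account_id not in member_status:
            report[account_id] = "missing: not a member of this administrator account"
        elif member_status[account_id] != "Enabled":
            report[account_id] = f"not enabled: member status {member_status[account_id]}"
        else:
            report[account_id] = "ok"
    return report


def accounts_needing_action(report: Dict[str, str]) -> List[str]:
    """Account ids that will be absent from SHI One until something is fixed."""
    return sorted(a for a, why in report.items() if why not in ("ok", "administrator"))


def fetch_live(admin_account_id: str, region: str) -> Dict[str, str]:
    """Run the check against real AWS APIs with credentials for the Security Hub
    delegated administrator account in the given region; the Organizations call
    additionally needs organizations:ListAccounts."""
    import boto3  # imported here so the module runs without boto3 installed

    org = boto3.client("organizations")
    securityhub = boto3.client("securityhub", region_name=region)
    accounts = [a for page in org.get_paginator("list_accounts").paginate()
                for a in page["Accounts"]]
    # OnlyAssociated=False also returns invited/created members that never enabled.
    members = [m for page in securityhub.get_paginator("list_members").paginate(OnlyAssociated=False)
               for m in page["Members"]]
    return classify_accounts(accounts, members, admin_account_id)


# Constructed sample: five Organization accounts as list_accounts() returns them,
# and the administrator's member list as list_members() returns it.
SAMPLE_ADMIN = "111111111111"
SAMPLE_ORG_ACCOUNTS = [
    {"Id": "111111111111", "Name": "audit", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "dev", "Status": "ACTIVE"},
    {"Id": "444444444444", "Name": "sandbox", "Status": "ACTIVE"},
    {"Id": "555555555555", "Name": "legacy", "Status": "SUSPENDED"},
]
SAMPLE_MEMBERS = [
    {"AccountId": "222222222222", "MemberStatus": "Enabled"},
    {"AccountId": "333333333333", "MemberStatus": "Created"},
]

if __name__ == "__main__":
    report = classify_accounts(SAMPLE_ORG_ACCOUNTS, SAMPLE_MEMBERS, SAMPLE_ADMIN)
    for account_id, why in sorted(report.items()):
        print(account_id, why)
    print("needs action:", accounts_needing_action(report))
```

Run fetch_live() once per region where Security Hub is enabled, since membership is regional; an account that is an enabled member in one region and missing in another will be missing from SHI One for that region only.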