“Simple to activate these compliance checks automatically.”
Amazon says its AWS Security Hub is now generally available for all customers, six months after its beta launch late last year.
AWS Security Hub acts as a central command centre that consolidates findings from AWS’s myriad security services, including intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and S3 bucket policy findings from Amazon Macie.
It also consolidates findings from 30 other third-party security tools. All findings are stored for 90 days.
The system lets users run continuous compliance checks using industry standards and best practices as a guideline. The release comes as users have struggled to centrally monitor security across AWS’s dizzying number of features and the third-party applications an organisation can deploy alongside them.
The first 100,000 checks per month will cost $0.0010 per check, AWS said. At over 500,000 compliance checks per month that cost halves. For finding ingestion events associated with Security Hub’s compliance checks, the service is free for the first 10,000 checks and $0.00003 per event thereafter.
Dan Plastina, Vice President for External Security Services at AWS said in a release: “AWS Security Hub is the glue that connects what AWS and our security partners do to help customers manage and reduce risk. By combining automated compliance checks, the aggregation of findings from more than 30 different AWS and partner sources, and partner-enabled response and remediation workflows, AWS Security Hub gives customers a simple way to unify management of their security and compliance.”
The release comes as AWS continues to ratchet up its security offering, adding 239 new security features in 2018 alone.
AWS Security Hub
The AWS Security Hub uses GuardDuty, AWS’ continuous security monitoring software that processes an average of 92.7 million flow log records per second.
To do this it uses machine learning to identify suspicious, unexpected activity or unauthorised access. The software also compares against stored lists containing malicious IPs and domains. If the software detects a sudden escalation of privileges it flags the activity as suspect.
The AWS Security Hub is certified with all the standard security certifications from ISO 27001 to PCI DSS Level 1.
The hub pulls in data from different sources using a standard findings format, removing the time otherwise spent cleaning and converting data. AWS Security Hub works in conjunction with other AWS services such as AWS Lambda, which lets users mitigate risks by executing automated actions in response to findings.
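As an added example (not code from the article or from AWS), the following Lambda handler shows what the "standard findings format plus automated actions" pairing looks like in practice: it consumes a Security Hub EventBridge event carrying findings in the AWS Security Finding Format (ASFF), filters out findings that are inactive, suppressed or low-risk, and maps each remaining finding to a named remediation playbook by resource type. The event envelope (`source`, `detail-type`, `detail.findings`) and the ASFF field names are the ones Security Hub documents; the sample event, account id, resource ids and the `PLAYBOOKS` names are constructed for illustration, and the function names `extract_findings`, `needs_action`, `plan_remediation` and `handler` are this example's own.

```python
"""Triage Security Hub findings delivered to a Lambda function (added example)."""
import json
from typing import Any, Dict, List

# EventBridge detail-types that carry ASFF findings from Security Hub.
ACCEPTED_DETAIL_TYPES = {
    "Security Hub Findings - Imported",
    "Security Hub Findings - Custom Action",
}

# Hypothetical playbook names keyed by ASFF resource type (an assumption of this
# example, not an AWS API); anything unmapped is routed to a human.
PLAYBOOKS = {
    "AwsS3Bucket": "block-public-access",
    "AwsEc2Vpc": "enable-flow-logs",
    "AwsIamUser": "rotate-credentials",
}
DEFAULT_PLAYBOOK = "notify-security-team"

# Constructed sample event: three ASFF findings as EventBridge would deliver them.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {   # CIS benchmark check that failed: actionable even at MEDIUM severity
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/cis-aws-foundations-benchmark/v/1.2.0/2.9/finding/EXAMPLE-1",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
            "AwsAccountId": "111122223333",
            "Title": "2.9 Ensure VPC flow logging is enabled in all VPCs",
            "Severity": {"Label": "MEDIUM", "Normalized": 40},
            "Compliance": {"Status": "FAILED"},
            "Workflow": {"Status": "NEW"},
            "RecordState": "ACTIVE",
            "Resources": [{"Type": "AwsEc2Vpc", "Id": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0example", "Region": "us-east-1"}],
        },
        {   # Macie-style bucket finding: no Compliance block, but HIGH severity
            "SchemaVersion": "2018-10-08",
            "Id": "EXAMPLE-2",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/macie",
            "AwsAccountId": "111122223333",
            "Title": "S3 bucket is publicly readable",
            "Severity": {"Label": "HIGH", "Normalized": 70},
            "Workflow": {"Status": "NEW"},
            "RecordState": "ACTIVE",
            "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket", "Region": "us-east-1"}],
        },
        {   # Already suppressed by an analyst: must be skipped
            "SchemaVersion": "2018-10-08",
            "Id": "EXAMPLE-3",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "AwsAccountId": "111122223333",
            "Title": "EC2 instance querying a low-reputation domain",
            "Severity": {"Label": "LOW", "Normalized": 20},
            "Workflow": {"Status": "SUPPRESSED"},
            "RecordState": "ACTIVE",
            "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example", "Region": "us-east-1"}],
        },
    ]},
}


def extract_findings(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return the ASFF findings in a Security Hub event; reject anything else
    outright so a misrouted event can never trigger a remediation."""
    if event.get("source") != "aws.securityhub":
        raise ValueError("not a Security Hub event")
    if event.get("detail-type") not in ACCEPTED_DETAIL_TYPES:
        raise ValueError(f"unexpected detail-type: {event.get('detail-type')!r}")
    return list(event.get("detail", {}).get("findings", []))


def needs_action(finding: Dict[str, Any]) -> bool:
    """Act only on live findings an analyst has not closed, and only when a
    compliance check failed or the product rated the finding HIGH/CRITICAL."""
    if finding.get("RecordState") != "ACTIVE":
        return False
    if finding.get("Workflow", {}).get("Status") in {"RESOLVED", "SUPPRESSED"}:
        return False
    failed_check = finding.get("Compliance", {}).get("Status") == "FAILED"
    severe = finding.get("Severity", {}).get("Label") in {"HIGH", "CRITICAL"}
    return failed_check or severe


def plan_remediation(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Pick a playbook from the first affected resource's ASFF type."""
    resource = (finding.get("Resources") or [{}])[0]
    return {
        "finding_id": finding.get("Id"),
        "account": finding.get("AwsAccountId"),
        "resource_type": resource.get("Type"),
        "resource_id": resource.get("Id"),
        "playbook": PLAYBOOKS.get(resource.get("Type"), DEFAULT_PLAYBOOK),
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda entry point: returns the remediation plan instead of executing it,
    so the decision logic can be tested without AWS credentials."""
    findings = extract_findings(event)
    plans = [plan_remediation(f) for f in findings if needs_action(f)]
    return {"received": len(findings), "actionable": len(plans), "plans": plans}


if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The handler deliberately stops at producing a plan; wiring each playbook to real API calls (and scoping the function's IAM role to exactly those calls) is the part an organisation tailors to its own environment. Checking `Workflow.Status` before acting is what keeps an automated remediation from re-running against a finding an analyst has already suppressed or resolved.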
AWS presented Pokémon International Company, creators of the mobile application Pokémon GO, as a case study. The company uses AWS Security Hub to support compliance.
Jacob Bornemann, Senior Information Security Engineer at the company said: “The Pokémon International Company faces a wide variety of regulations and compliance requirements that govern how our AWS workloads must be managed.”
“We were considering building out our own compliance rules for the CIS AWS Foundations Benchmark, but AWS Security Hub made it simple to activate these compliance checks automatically.”
For customers concerned about the security of AWS’s own infrastructure, the company says it uses its own silicon with trust enclaves built into chips and hardware crypto accelerators built into cards, and conducts regular physical and virtual penetration testing.
As AWS’s CISO Steve Schmidt said at a press Q&A following his “State of Security” talk at Re:Invent late last year: “We don’t trust suppliers: we replace the firmware we get on all of our devices. On every single machine. If it’s got BIOS, UEFI, it all gets replaced. Some firmware in GPUs is not accessible so we replace with firmware that we’ve validated is functioning properly and can cryptographically prove is functioning correctly.”