AWS Security Hub Monitoring
Updated Aug 31, 2023
Configure AWS Security Hub monitoring
Amazon Web Services® (AWS) Security Hub provides a unified and comprehensive view of your security state in AWS, and helps you check your environment against security industry standards and best practices. AWS Security Hub collects security data from all of your AWS accounts, services, and supported third-party partner products to help you analyze your security trends and identify the highest priority security issues. See Amazon's AWS Security Hub user guide for more information. AWS Security Hub is an optional Arctic Wolf integration.
Before you begin
To complete this process, you must:
- Have administrative access to the AWS Management Console.
- Set an AWS Security Hub administrator account as the delegated administrator account by following Amazon’s Designating a Security Hub administrator account steps.
- Download awn-aws-securityhub-export.yaml to use in Configure AWS Security Hub.
  Note: To deploy the AWS Security Hub CloudFormation stack, the base Arctic Wolf stack needs to be deployed first. These stacks establish a set of resources, such as an SNS topic and subscription, an SQS queue, an S3 bucket, and Lambda functions, required for Arctic Wolf to retrieve logs from your environment.
- Enable AWS Security Hub by following the steps in Amazon’s AWS Security Hub User Guide.
  Note: Ensure that you follow Amazon’s steps under Prerequisites and recommendations, and then Setting up AWS Security Hub.
- Enable AWS Configuration on all accounts.
  Note: This is required for security checks against security controls.
Configure AWS Security Hub
- Sign in to the AWS Management Console.
- Click Services > CloudFormation.
- Click Create Stack > With new resources (standard).
- On the Create stack page, click Template is ready and then click Upload a template file.
- Under Upload a template file, choose the template that you downloaded in Before you begin. Then, click Next.
- In the field under Stack name, enter a unique name such as AWNSecurityHub.
- Click Next > Next.
- Read the information about changes caused by configuring the stack, and then select the Capabilities checkbox to acknowledge the changes.
- Click Create Stack to complete the setup.
Update Arctic Wolf GuardDuty logging
Configuring AWS Security Hub automatically enables GuardDuty findings. To prevent duplicating logs, disable Arctic Wolf GuardDuty logging:
- Sign in to the AWS Management Console.
- Click Services > GuardDuty.
- Click Settings, and then navigate to Findings export options on the page.
- Click the X beside the Arctic Wolf Logs bucket name to remove it as a GuardDuty Finding Publishing Destination.
- Click Delete when prompted.
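A readiness check covering the Before you begin prerequisites and the GuardDuty export removal above, as an added example that is not Arctic Wolf's or Amazon's own tooling. It evaluates parsed JSON saved from the AWS CLI; the function name, account IDs, destination ID and bucket name are constructed placeholders.

```python
"""Readiness check run over saved AWS CLI JSON output (added example).

Inputs are the parsed results of these AWS CLI calls:
  aws securityhub list-organization-admin-accounts
  aws configservice describe-configuration-recorder-status   (one per account)
  aws guardduty describe-publishing-destination              (one per destination)
"""

def check_readiness(admin_accounts, recorder_status_by_account, gd_destinations, awn_bucket):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []

    # Prerequisite: a delegated Security Hub administrator account is set.
    enabled = [a["AccountId"] for a in admin_accounts.get("AdminAccounts", [])
               if a.get("Status") == "ENABLED"]
    if not enabled:
        problems.append("no ENABLED Security Hub delegated administrator")

    # Prerequisite: AWS Config is recording in every account.
    for account, status in sorted(recorder_status_by_account.items()):
        recorders = status.get("ConfigurationRecordersStatus", [])
        if not any(r.get("recording") for r in recorders):
            problems.append(f"account {account}: AWS Config is not recording")

    # Duplicate-log check: GuardDuty must no longer export to the Arctic Wolf bucket.
    bucket_arn = f"arn:aws:s3:::{awn_bucket}"
    for dest in gd_destinations:
        arn = dest.get("DestinationProperties", {}).get("DestinationArn", "")
        # DestinationArn may carry a key prefix after the bucket name.
        if arn == bucket_arn or arn.startswith(bucket_arn + "/"):
            problems.append(f"GuardDuty destination {dest.get('DestinationId')} "
                            f"still exports to {awn_bucket}")
    return problems

# Constructed sample data: account IDs, destination ID and bucket name are placeholders.
SAMPLE_ADMINS = {"AdminAccounts": [{"AccountId": "111111111111", "Status": "ENABLED"}]}
SAMPLE_RECORDERS = {
    "111111111111": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "222222222222": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    "333333333333": {"ConfigurationRecordersStatus": []},
}
SAMPLE_GD = [{"DestinationId": "example-destination-id", "DestinationType": "S3",
              "Status": "PUBLISHING",
              "DestinationProperties": {"DestinationArn": "arn:aws:s3:::example-awn-logs-bucket"}}]

if __name__ == "__main__":
    for p in check_readiness(SAMPLE_ADMINS, SAMPLE_RECORDERS, SAMPLE_GD, "example-awn-logs-bucket"):
        print("FAIL:", p)
```

Pass the name of the Arctic Wolf Logs bucket shown in Findings export options as the last argument.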
Next steps
Notify your Concierge Security® Team (CST) that you have enabled the AWS Security Hub integration.