Configure AWS Security Hub for Arctic Wolf monitoring
You can configure Amazon Web Services (AWS)® Security Hub to collect security data from all of your AWS accounts and services to help you analyze your security trends and identify the highest priority security issues.
In addition to generating control findings, configuring Security Hub also allows Arctic Wolf® to collect findings from Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS IAM Access Analyzer, and AWS Firewall Manager.
These resources are required:
- Administrative permissions for the AWS Management Console
These actions are required:
- Set an AWS Security Hub administrator account as the delegated administrator account.
For more information, see Designating a Security Hub administrator account.
- Download and extract awn-aws-securityhub-export.zip to use in Configure AWS Security Hub.
Note: The base Arctic Wolf stack must be deployed before the AWS Security Hub CloudFormation stack. These stacks create a set of resources, for example an SNS topic and subscription, an SQS queue, an S3 bucket, and Lambda functions, that Arctic Wolf requires to retrieve logs from your environment.
- Enable AWS Security Hub.
For more information, see AWS Security Hub user guide.
- Enable AWS Config on all accounts.
Note: This is required for security checks against security controls. For more information, see Configuring AWS Config.
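The prerequisites above can be checked from API output before you deploy the stacks. The following is an added example, not Arctic Wolf or AWS code. It evaluates responses shaped like those of Security Hub `ListOrganizationAdminAccounts` and `DescribeHub` and AWS Config `DescribeConfigurationRecorderStatus`. The function name, account IDs, ARN, and sample responses are constructed for illustration.

```python
# Added example: evaluate the prerequisites above from API responses.
# All account IDs, ARNs and responses below are constructed sample data.

def unmet_prerequisites(admin_resp, admin_account, hub_resp, config_by_account):
    """Return a list of unmet prerequisites; an empty list means ready."""
    problems = []

    # Delegated administrator: the account must be listed with Status ENABLED.
    enabled = {a["AccountId"] for a in admin_resp.get("AdminAccounts", [])
               if a.get("Status") == "ENABLED"}
    if admin_account not in enabled:
        problems.append(f"{admin_account}: not the delegated Security Hub administrator")

    # Security Hub enabled: pass None for hub_resp when DescribeHub fails
    # because the hub is not enabled; a successful response carries a HubArn.
    if not (hub_resp or {}).get("HubArn"):
        problems.append(f"{admin_account}: Security Hub is not enabled")

    # AWS Config on all accounts: each needs a recorder that is recording.
    for account, resp in sorted(config_by_account.items()):
        recorders = resp.get("ConfigurationRecordersStatus", [])
        if not recorders:
            problems.append(f"{account}: no AWS Config recorder")
        elif not any(r.get("recording") for r in recorders):
            problems.append(f"{account}: AWS Config recorder is stopped")
    return problems

# Constructed sample responses for three accounts.
SAMPLE_ADMINS = {"AdminAccounts": [{"AccountId": "111111111111", "Status": "ENABLED"}]}
SAMPLE_HUB = {"HubArn": "arn:aws:securityhub:us-east-1:111111111111:hub/default"}
SAMPLE_CONFIG = {
    "111111111111": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}]},
    "222222222222": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}]},
    "333333333333": {"ConfigurationRecordersStatus": []},
}

if __name__ == "__main__":
    for problem in unmet_prerequisites(SAMPLE_ADMINS, "111111111111", SAMPLE_HUB, SAMPLE_CONFIG):
        print("UNMET:", problem)
```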
Create the base stack
- Complete Configure CloudTrail monitoring with no existing trails.
- When the stack has a status of CREATE_COMPLETE, search for and click CloudTrail.
- Select the newly created trail, and then delete it.