Post Syndicated from Priyanka Prakash original https://aws.amazon.com/blogs/security/prepare-for-consolidated-controls-view-and-consolidated-control-findings-in-aws-security-hub/
Currently, AWS Security Hub identifies controls and generates control findings in the context of security standards. Security Hub is aiming to release two new features in the first quarter of 2023 that will decouple controls from standards and streamline how you view and receive control findings.
The new features to be released are consolidated controls view and consolidated control findings. Consolidated controls view will provide you with a comprehensive view within the Security Hub console of your controls across security standards. This feature will also introduce a single unique identifier for each control across security standards.
Consolidated control findings will streamline your control findings. When this feature is turned on, Security Hub will produce a single finding for a security check even when a check is shared across multiple standards. This will reduce finding noise and help you focus on misconfigured resources in your AWS environment.
In this blog post, I’ll summarize the upcoming features, the benefit they bring to your organization, and how you can take advantage of them upon release.
Feature 1: Consolidated controls view
Currently, controls are identified, viewed, and managed in the context of individual security standards. In the Security Hub console, you first have to navigate to a specific standard to see a list of controls for that standard. Within the AWS Foundational Security Best Practices (FSBP) standard, Security Hub identifies controls by the impacted AWS service and a unique number (for example, IAM.1). For other standards, Security Hub includes the standard as part of the control identifier (for example, CIS 1.1 or PCI.AutoScaling.1).
After the release of consolidated controls view, you will be able to see a consolidated list of your controls from a new Controls page in the Security Hub console. Security Hub will also assign controls a consistent security control ID across standards. Following the current naming convention of the AWS FSBP standard, control IDs will include the relevant service and a unique number.
For example, the control AWS Config should be enabled is currently identified as Config.1 in the AWS FSBP standard, CIS 2.5 in the Center for Internet Security (CIS) AWS Foundations Benchmark v1.2.0, CIS 3.5 in the CIS AWS Foundations Benchmark v1.4.0, and PCI.Config.1 in the Payment Card Industry Data Security Standard (PCI DSS). After this release, this control will have a single identifier called Config.1 across standards. The single Controls page and consistent identifier will help you rapidly discover misconfigurations with minimal context-switching.
You’ll be able to enable a control for one or more enabled standards that include the control. You’ll also be able to disable a control for one or more enabled standards. As before, you can enable the standards that apply to your business case.
Changes to control finding fields and values after the release of consolidated controls view
After the release of consolidated controls view, note the following changes to control finding fields and values in the AWS Security Finding Format (ASFF).
| ASFF field | What changes after consolidated controls view release | Example value before consolidated controls view release | Example value after consolidated controls view release |
| Compliance.SecurityControlId | A single control ID will apply across standards. ProductFields.ControlId will still provide the standards-based control ID. | Not applicable (new field) | EC2.2 |
| Compliance.AssociatedStandards | Will show the standards that a control is enabled for. | Not applicable (new field) | [{“StandardsId”: “aws-foundational-security-best-practices/v/1.0.0”}] |
| ProductFields.RecommendationUrl | This field will no longer reference a standard. | https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation | https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation |
| Remediation.Recommendation.Text | This field will no longer reference a standard. | “For directions on how to fix this issue, please consult the AWS Security Hub PCI DSS documentation.” | “For instructions on how to fix this issue, see the AWS Security Hub documentation for EC2.2.” |
| Remediation.Recommendation.Url | This field will no longer reference a standard. | https://docs.aws.amazon.com/console/securityhub/PCI.EC2.2/remediation | https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation |
Feature 2: Consolidated control findings
Currently, multiple standards contain separate controls for the same security check. Security Hub generates a separate finding per standard for each related control that is evaluated by the same security check.
After release of the consolidated control findings feature, you’ll be able to unify control findings across standards and reduce finding noise. This, in turn, will help you more quickly investigate and remediate failed findings. When you turn on consolidated control findings, Security Hub will generate a single finding or finding update for each security check of a control, even if the check is shared across multiple standards.
For example, after you turn on the feature, you will receive a single finding for a security check of Config.1 even if you’ve enabled this control for the AWS FSBP standard, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, and PCI DSS. If you don’t turn on consolidated control findings, you will receive four separate findings for a security check of Config.1 if you’ve enabled this control for the AWS FSBP standard, CIS AWS Foundations Benchmark v1.2.0, CIS AWS Foundations Benchmark v1.4.0, and PCI DSS.
Changes to control finding fields and values after turning on consolidated control findings
If you turn on consolidated control findings, note the following changes to control finding fields and values in the ASFF. These changes are in addition to the changes previously described for consolidated controls view.
| ASFF field | What changes after consolidated controls view release | Example value before consolidated controls view release | Example value after consolidated controls view release |
| GeneratorId | This field will no longer reference a standard. | aws-foundational-security-best-practices/v/1.0.0/Config.1 | security-control/Config.1 |
| Title | This field will no longer reference a standard. | PCI.Config.1 AWS Config should be enabled | { |
| Id | This field will no longer reference a standard. | arn:aws:securityhub:eu-central-1:123456789012:subscription/pci-dss/v/3.2.1/PCI.IAM.5/finding/ab6d6a26-a156-48f0-9403-115983e5a956 | arn:aws:securityhub:eu-central-1:123456789012:security-control/iam.9/finding/ab6d6a26-a156-48f0-9403-115983e5a956 |
| ProductFields.ControlId | This field will be removed in favor of a single, standard-agnostic control ID. | PCI.EC2.2 | Removed. See Compliance.SecurityControlId instead. |
| ProductFields.RuleId | This field will be removed in favor of a single, standard-agnostic control ID. | 1.3 | Removed. See Compliance.SecurityControlId instead. |
| Description | This field will no longer reference a standard. | This PCI DSS control checks whether AWS Config is enabled in the current account and region. | This AWS control checks whether AWS Config is enabled in the current account and region. |
| Severity | Security Hub will no longer use the Product field to describe the severity of a finding. | “Severity”: { “Product”: 90, “Label”: “CRITICAL”, “Normalized”: 90, “Original”: “CRITICAL” }, |
“Severity”: { “Label”: “CRITICAL”, “Normalized”: 90, “Original”: “CRITICAL” }, |
| Types | This field will no longer reference a standard. | [“Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS”] | [“Software and Configuration Checks/Industry and Regulatory Standards”] |
| Compliance.RelatedRequirements | This field will show related requirements across associated standards. | [ “PCI DSS 10.5.2”, “PCI DSS 11.5”] |
[ “PCI DSS v3.2.1/10.5.2”, “PCI DSS v3.2.1/11.5”, “CIS AWS Foundations Benchmark v1.2.0/2.5”] |
| CreatedAt | Format will remain the same, but value will reset when you turn on consolidated control findings. | 2022-05-05T08:18:13.138Z | 2022-09-25T08:18:13.138Z |
| FirstObservedAt | Format will remain the same, but value will reset when you turn on consolidated control findings. | 2022-05-07T08:18:13.138Z | 2022-09-28T08:18:13.138Z |
| ProductFields.RecommendationUrl | This field will be replaced by Remediation.Recommendation.Url. | https://docs.aws.amazon.com/console/securityhub/EC2.2/remediation | Removed. See Remediation.Recommendation.Url instead. |
| ProductFields.StandardsArn | This field will be replaced by Compliance.AssociatedStandards. | arn:aws:securityhub:::standards/aws-foundational-security-best-practices/v/1.0.0 | Removed. See Compliance.AssociatedStandards instead. |
| ProductFields.StandardsControlArn | This field will be removed because Security Hub will generate one finding for a security check across standards. | arn:aws:securityhub:us-east-1:123456789012:control/aws-foundational-security-best-practices/v/1.0.0/Config.1 | Removed. |
| ProductFields.StandardsGuideArn | This field will be replaced by Compliance.AssociatedStandards. | arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 | Removed. See Compliance.AssociatedStandards instead. |
| ProductFields.StandardsGuideSubscriptionArn | This field will be removed because Security Hub will generate one finding for a security check across standards. | arn:aws:securityhub:us-east-2:123456789012:subscription/cis-aws-foundations-benchmark/v/1.2.0 | Removed. |
| ProductFields.StandardsSubscriptionArn | This field will be removed because Security Hub will generate one finding for a security check across standards. | arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0 | Removed. |
| ProductFields.aws/securityhub/FindingId | This field will no longer reference a standard. | arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:subscription/aws-foundational-security-best-practices/v/1.0.0/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 | arn:aws:securityhub:us-east-1::product/aws/securityhub/arn:aws:securityhub:us-east-1:123456789012:security-control/Config.1/finding/751c2173-7372-4e12-8656-a5210dfb1d67 |
New values for customer-provided finding fields after turning on consolidated control findings
When you turn on consolidated control findings, Security Hub will archive the existing findings and generate new findings. To view archived findings, you can visit the Findings page of the Security Hub console with the Record state filter set to ARCHIVED, or use the GetFindings API action. Updates you’ve made to the original finding fields in the Security Hub console or by using the BatchUpdateFindings API action will not be preserved in the new findings (if needed, you can recover this data by referring to the archived findings).
Note the following changes to customer-provided control finding fields when you turn on consolidated control findings.
| Customer-provided ASFF field | Description of change after turning on consolidated control findings |
| Confidence | Will reset to empty state. |
| Criticality | Will reset to empty state. |
| Note | Will reset to empty state. |
| RelatedFindings | Will reset to empty state. |
| Severity | The default severity of the finding (matches the severity of the control). |
| Types | Will reset to standard-agnostic value. |
| UserDefinedFields | Will reset to empty state. |
| VerificationState | Will reset to empty state. |
| Workflow | New failed findings will have a default value of NEW. New passed findings will have a default value of RESOLVED. |
How to turn consolidated control findings on and off
Follow these instructions to turn consolidated control findings on and off.
New accounts
If you enable Security Hub for an AWS account for the first time on or after the time when consolidated control findings is released, by default consolidated control findings will be turned on for your account. You can turn it off at any time. However, we recommend keeping it turned on to minimize finding noise.
If you use the Security Hub integration with AWS Organizations, consolidated control findings will be turned on for new member accounts if the administrator account has turned on the feature. If the administrator account has turned it off, it will be turned off for new subordinate AWS accounts (member accounts) as well.
Existing accounts
If your Security Hub account already existed before consolidated control findings is released, your account will have consolidated control findings turned off by default. You can turn it on at any time. We recommend turning it on to minimize finding noise. If you use AWS Organizations, consolidated control findings will be turned on or off for existing member accounts based on the settings of the administrator account.
To turn consolidated control findings on and off (Security Hub console)
- In the navigation pane, choose Settings.
- Choose the General tab.
- For Controls, turn on Consolidated control findings. Turn it off to receive multiple findings for each standard.
- Choose Save.
To turn consolidated control findings on and off (Security Hub API)
- Run the UpdateSecurityHubConfiguration API action. Use the new ControlFindingGenerator attribute to change whether an account uses consolidated control findings:
- To turn on consolidated control findings, set ControlFindingGenerator equal to SECURITY_CONTROL.
- To turn it off, set ControlFindingGenerator equal to STANDARD_CONTROL.
To turn consolidated control findings on and off (AWS CLI)
- In the AWS CLI, run the update-security-hub-configuration command. Use the new control-finding-generator attribute to change whether an account uses consolidated control findings:
- To turn on consolidated control findings, set control-finding-generator equal to SECURITY_CONTROL.
- To turn it off, set control-finding-generator equal to STANDARD_CONTROL.
API permissions for consolidated control findings
You’ll need AWS Identity and Access Management (IAM) permissions for the following new API operations in order for consolidated control findings to work as expected:
- BatchGetSecurityControls – Returns account and Region-specific data about a batch of controls.
- ListSecurityControlDefinitions – Returns information about controls that apply to a specified standard.
- ListStandardsControlAssociations – Identifies whether a control is currently associated with or dissociated from each enabled standard.
- BatchGetStandardsControlAssociations – For a batch of controls, identifies whether each control is currently associated with or dissociated from a specified standard.
- BatchUpdateStandardsControlAssociations – Used to associate a control with enabled standards that include the control, or to dissociate a control from enabled standards. This is a batch substitute for the UpdateStandardsControl API action if an administrator doesn’t want to allow member accounts to associate or dissociate controls.
- BatchGetControlEvaluations (private API) – Retrieves the enablement and compliance status of a control, the findings count for a control, and the overall security score for controls.
How to prepare for control finding field and value changes
If your workflows don’t rely on the specific format of any control finding fields, no action is required to prepare for the feature releases. We recommend that you immediately turn on consolidated control findings.
Consider waiting to turn on consolidated control findings if you currently rely on the Automated Security Response on AWS solution for predefined response and remediation actions. That solution does not yet support consolidated control findings. If you turn consolidated control findings on now, actions you deployed using the Automated Security Response solution will no longer work.
If you rely on the specific format of any control finding fields (for example, for custom automation), carefully review the upcoming finding field and value changes to ensure that your workflows will continue to function as intended. Note that the changes noted in the first table in this post might impact you if you rely on the specified control finding fields and values.
The changes noted in the second table and third table in this post will only impact you if you turn on consolidated control findings. For example, if you rely on ProductFields.ControlId, GeneratorId, or Title, you’ll be impacted if you turn on consolidated control findings. As another example, if you’ve created an Amazon CloudWatch Events rule that initiates an action for a specific control ID (such as invoking an AWS Lambda function if the control ID equals CIS 2.7), you’ll need to update the rule to use CloudTrail.2, the new Compliance.SecurityControlId field for that control.
If you’ve created custom insights by using the control finding fields or values that will change (see previous tables), we recommend updating those insights to use the new fields or values.
Conclusion
This post covered the control finding fields and values that will change in Security Hub after release of the consolidated controls view and consolidated control findings features. We recommend that you carefully review the changes and update your workflows to start using the new fields and values as soon as the features become available.
For more information about the upcoming changes, see the Security Hub user guide, which includes value changes for GeneratorId , control title changes, and sample control findings before and after the upcoming feature releases.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the Security, Identity, & Compliance re:Post or contact AWS Support.
Want more AWS Security news? Follow us on Twitter.