Published : 11.29.2021
Last Updated : 06.08.2022
AWS Security Hub is a cloud security posture management service that performs automated, continuous security best practice checks against your AWS resources. It aggregates your security alerts (findings) in a standardized format so that you can easily take action. Security Hub makes it simple to understand and improve your security posture with automated integrations to AWS partner products.
Now you can bring Sonrai’s unique insights into Security Hub. This integration enables organizations to monitor assets and send alerts on resource configurations, compliance violations, network security risks, and anomalous user activities across AWS environments.
The Sonrai Dig Platform runs on a patented graphing technology that continually collects data and finds identity and data risks – and then provides automated (or semi-automated) remediations. The platform then classifies the risks in separate categories. With built in operationalization features, like maturity modeling, teams see their progress in each security area over time.
A few examples of the risks that will get sent to AWS Security Hub are:
Let’s dive into how Sonrai Dig works with AWS Security Hub, and how you can monitor privilege escalation for a swimlane in your cloud environment – a critical step in improving your cloud security posture.
Sonrai Dig’s integration with AWS Security Hub allows you to view Sonrai tickets in the Security Hub console.
Sonrai uses swimlanes – logical groupings of cloud assets defined by the end customer, with owners and relevant users associated – to configure your choices with the Security Hub integration. The integration also enables users to see all of their Sonrai alerts within Security Hub with added context, including when findings have been solved within Sonrai, giving you a comprehensive log of activity across your cloud.
Here’s what Sonrai brings to the table:
Sonrai Dig gathers logs and audit data from multiple AWS sources, applies patented analytics to determine risks, and sends findings to AWS Security Hub.
The above architecture diagram shows a high-level representation of the meta-data flow from the AWS Cloud Environment. When you configure the integration for Sonrai Dig and Azure Sentinel, the process looks like this:
To run this solution, you must have the following prerequisites:
Given the sheer amount of identities (people and non-people) in a typical AWS deployment, evaluating privilege escalation risk is challenging. There are myriad factors: Service control policies, permission boundaries, allow/deny statements, notPrincipal, notAction, resource statements, conditions, assumed roles, group membership, SSO users with multiple roles and resource policies (S3, KMS, etc.) – all making it hard to understand the effective permissions of an individual identity. It’s a problem that cannot be solved by evaluating a single policy or calling an AWS API.
Understanding escalation risk requires modeling trust relationships that allow an identity, resource (compute, container, serverless function), identity provider (SSO, Hashicorp Vault), or AWS Service to assume a role. In Sonrai, these models are created by the graph. Analytics are then run across the graph to calculate all effective permissions of an identity. The resulting records include the chain of identities allowing permission, what account the permission is applicable in, when the permission was last used, and how many times it has been used.
When the Sonrai analytics determine an entity’s effective permissions via privilege escalation violate the policies you have in place, an alert is generated in the Sonrai system. Depending on your remediation setup, this may be resolved in Sonrai and the record of remediation will appear within Security Hub, or the alert will appear as a finding for further processing. Either way, the Sonrai graphing technology has unearthed another hidden path to policy violation that can’t be seen in traditional identity management tools.
Sonrai enriches and extends Security Hub’s view of your security posture. We all want a clear picture of everything happening across our entire AWS footprint. By digesting all cloud logs and metadata in a unified format, Sonrai enables a much richer view of identity & data risk.
Monitoring issues like privilege escalation & remediating issues fast requires a full graph of access paths, as well as the frame of reference for the environment to reduce false positives. Sonrai completes the Security Hub vision of a singular command center for platform, identity, and data security.