Security Hub Findings
The Landing Zone Accelerator on AWS (LZA) solution includes a feature to enable AWS Security Hub, which provides a comprehensive view of the security state and helps you assess your environment against security standards and best practices. When deploying LZA, it is essential to review and address the Security Hub findings to ensure a secure environment based on your requirements. The following table provides guidance on AWS Security Hub findings that you may encounter during the deployment of LZA using sample configurations.
Note
You should regularly review and monitor new findings in AWS Security Hub, as your environment and workloads evolve over time. This guidance applies to the resources created and managed by the Landing Zone Accelerator on AWS solution. For other findings in your environment, it is recommended that you follow the Security Hub controls reference.
ID | Title | Severity | Guidance |
---|---|---|---|
Account.1 | Security contact information should be provided for an AWS account | Medium | This finding is generated when security contact information for an AWS account is not provided. To add an alternate contact as a security contact to your AWS account, see Adding, changing, or removing alternate contacts in the AWS Billing and Cost Management User Guide. |
DynamoDB.4 | DynamoDB tables should be present in a backup plan | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon DynamoDB tables with the prefix {ACCELERATOR_PREFIX}:<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-AcceleratorConfigTableXXXXX<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-NewCTAccountsXXXX<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-NewOrgAccountsXXXX<br>You can disregard this finding, as these DynamoDB tables are managed by LZA to store environment-specific information. All of these tables have point-in-time recovery enabled, which automates backups, and they may be needed for troubleshooting in rare cases. Deleting them will not impact LZA, as they will be repopulated during the next pipeline execution. Alternatively, you can choose to suppress the finding for these resources. |
DynamoDB.6 | DynamoDB tables should have deletion protection enabled | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon DynamoDB tables with the prefix {ACCELERATOR_PREFIX}:<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-AcceleratorConfigTableXXXXX<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-NewCTAccountsXXXX<br>- {ACCELERATOR_PREFIX}-PrepareStack-{ACCOUNT_ID}-{REGION}-NewOrgAccountsXXXX<br>You can disregard this finding, as these DynamoDB tables are managed by LZA to store environment-specific information. Deleting them will not impact LZA, as they will be repopulated during the next pipeline execution. Alternatively, you can choose to suppress the finding for these resources. |
EC2.10 | Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon VPCs:<br>- Network-Inspection<br>- SharedServices-Main<br>You can disregard this finding, as these VPCs are configured to use centralized endpoints. AWS Security Hub does not conduct cross-account checks for VPCs that are shared across accounts. Alternatively, you can choose to suppress the finding for these resources. |
EC2.21 | Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389 | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon VPCs with network ACLs:<br>- Network-Endpoints<br>- Network-Inspection<br>- SharedServices-Main<br>The LZA creates the VPCs defined in the network-config.yaml file, and each VPC automatically comes with a modifiable default network ACL that allows all inbound and outbound IPv4 traffic. To address this finding, you can create a custom network ACL with specific rules and associate it with a subnet to allow or deny specific inbound or outbound traffic. To create a custom network ACL with defined inbound and outbound rules, add a networkAcls block like the following example to the VPC definition in the network-config.yaml configuration file:<br>networkAcls:<br>&nbsp;&nbsp;- name: accelerator-nacl<br>&nbsp;&nbsp;&nbsp;&nbsp;subnetAssociations:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Subnet-A<br>&nbsp;&nbsp;&nbsp;&nbsp;inboundRules:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- rule: 200<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;protocol: 6<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fromPort: 22<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action: allow<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;source: &lt;CIDR RANGE&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;outboundRules:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- rule: 200<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;protocol: 6<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;fromPort: 1024<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;toPort: 65535<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;action: allow<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;destination: &lt;CIDR RANGE&gt; |
EC2.23 | Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests | High | When using the Landing Zone Accelerator on AWS solution, this finding includes the AWS Transit Gateway named Network-Main. The LZA uses the autoAcceptSharingAttachments: enable feature to share the transit gateway (via AWS Resource Access Manager) only with the accounts specified in its shareTargets property within the AWS Organization. You can disregard this finding, as automatic acceptance of VPC attachment requests is only allowed for accounts that are present in the AWS Organization and defined in the shareTargets property of the transit gateway. Alternatively, you can choose to suppress the finding for these resources. |
ECR.1 | ECR private repositories should have image scanning configured | High | When using the Landing Zone Accelerator on AWS solution, this finding includes the {cdk-accel}-container-assets-{ACCOUNT_ID}-{REGION} Amazon ECR repository. During the bootstrapping process with the AWS Cloud Development Kit (CDK), this Amazon Elastic Container Registry (ECR) repository is automatically created to store Docker images used by AWS CDK. You can disregard this finding, as this repository is not used by LZA for storing assets. Alternatively, you can choose to suppress this finding for these resources. |
ECR.3 | ECR repositories should have at least one lifecycle policy configured | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the {cdk-accel}-container-assets-{ACCOUNT_ID}-{REGION} Amazon ECR repository. During the bootstrapping process with the AWS Cloud Development Kit (CDK), this Amazon Elastic Container Registry (ECR) repository is automatically created to store Docker images used by AWS CDK. You can disregard this finding, as this repository is not used by LZA for storing assets. Alternatively, you can choose to suppress this finding for these resources. |
IAM.6 | Hardware MFA should be enabled for the root user | Critical | This finding is generated when your AWS account is not configured to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials. To add a hardware MFA device for the root user, see Enable a hardware MFA device for the AWS account root user (console) in the IAM User Guide. |
IAM.9 | MFA should be enabled for the root user | Critical | This finding is generated when your AWS account is not enabled to use a multi-factor authentication (MFA) device to sign in with root user credentials. To enable MFA for the root user, see Activate MFA on the AWS account root user in the AWS Account Management Reference Guide. |
IAM.18 | Ensure a support role has been created to manage incidents with AWS Support | Low | This finding is generated when no support role has been created to manage incidents with AWS Support. To create a role for AWS Support access, add it to the roles in the iam-config.yaml configuration file, as shown in the following example:<br>roleSets:<br>&nbsp;&nbsp;- deploymentTargets:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;organizationalUnits:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Root<br>&nbsp;&nbsp;&nbsp;&nbsp;roles:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- name: &lt;ENTER THE ROLE NAME&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;assumedBy:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- type: account<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;principal: &lt;ENTER AWS ACCOUNT ID TO GRANT ACCESS&gt;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;policies:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;awsManaged:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- AWSSupportAccess |
KMS.1 | IAM customer managed policies should not allow decryption actions on all KMS keys | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following AWS IAM customer managed policies with the prefix {ACCELERATOR_PREFIX}:<br>- {ACCELERATOR_PREFIX}-OperationsStack-{ACCOUNT_ID}-{REGION}-SsmSessionManagerSettingsSessionManagerPolicyXXXX<br>- {ACCELERATOR_PREFIX}-SessionManagerLogging<br>You can disregard this finding, as these IAM policies are managed by LZA to enable decryption operations on KMS keys. These policies have conditions that restrict their usage to the LZA-generated aliases of the KMS keys, ensuring that decryption actions are performed only within the specific account and region. Additionally, the usage of these policies is restricted to resources created by the solution and is protected by service control policies in the member accounts. Alternatively, you can choose to suppress the finding for these resources. |
KMS.2 | IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following AWS IAM principals with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}:<br>- {ACCELERATOR_PREFIX}-InstallerS-UpdatePipelineLambdaRoleXXXX (UpdatePipelineLambdaPolicy284ABC36)<br>- {cdk-accel}-file-publishing-role-211125696757-us-east-1<br>- {cdk-accel}-deploy-role-211125696757-us-east-1<br>You can disregard this finding for the AWS IAM principals with the prefix {ACCELERATOR_PREFIX}, as these roles with inline policies are managed by LZA to enable decryption operations on KMS keys. These policies are used by Lambda functions created by the solution and perform decryption actions only within the specific account and region, adhering to the principle of least privilege. For the roles related to the AWS Cloud Development Kit (CDK), enabling the useManagementAccessRole option in the global-config.yaml file modifies CDK operations to use the IAM role specified in the managementAccountAccessRole option rather than the default roles created by CDK. The default CDK roles will still be created, but they will only be used for the initial CDK resource setup. This finding guidance is mentioned in the CDK documentation. Therefore, you can disregard those roles. Alternatively, you can choose to suppress the finding for these resources. |
Lambda.3 | Lambda functions should be in a VPC | Low | When using the Landing Zone Accelerator on AWS solution, this finding includes AWS Lambda functions with the prefix {ACCELERATOR_PREFIX}. You can disregard this finding, as these functions are created and managed by the LZA for infrastructure deployment and are solely used for communicating with AWS services. Alternatively, you can choose to suppress the finding for these resources. |
S3.6 | S3 general purpose bucket policies should restrict access to other AWS accounts | High | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}:<br>- {ACCELERATOR_PREFIX}-central-logs-{ACCOUNT_ID}-{REGION}<br>- {cdk-accel}-assets-{ACCOUNT_ID}-{REGION}<br>You can disregard this finding, as these buckets are created and managed by the LZA and the AWS Cloud Development Kit (CDK). The {ACCELERATOR_PREFIX} bucket stores solution artifacts and environment logs, while the {cdk-accel} bucket stores files during the bootstrapping process with AWS CDK. These buckets have resource policies with conditions that restrict their usage to accounts in the organization, and only through a limited set of roles including the {ACCELERATOR_PREFIX}, {managementAccountAccessRole} and {cdk-accel} roles. Additionally, the usage of these roles is protected by service control policies in the member accounts. Alternatively, you can choose to suppress the finding for these resources. |
S3.7 | S3 general purpose buckets should use cross-Region replication | Low | When using the Landing Zone Accelerator on AWS solution, this finding includes Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}. You can disregard this finding for the {ACCELERATOR_PREFIX} buckets, as they are created and managed by the LZA to store solution artifacts and environment logs. These buckets have versioning enabled, which keeps multiple variants of an object in the same S3 bucket so that earlier versions of an object can be preserved, retrieved, and restored. The {cdk-accel} bucket is automatically created for storing files during the bootstrapping process with the AWS Cloud Development Kit (CDK). You can disregard this finding for it as well, as this bucket stores and manages assets, templates, and metadata related to your CDK deployments. Alternatively, you can choose to suppress this finding for these resources. |
S3.9 | S3 general purpose buckets should have server access logging enabled | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}:<br>- {ACCELERATOR_PREFIX}-s3-access-logs-{ACCOUNT_ID}-{REGION}<br>- {ACCELERATOR_PREFIX}-s3-logs-{ACCOUNT_ID}-{REGION}<br>- {ACCELERATOR_PREFIX}-elb-access-logs-{ACCOUNT_ID}-{REGION}<br>- {cdk-accel}-assets-{ACCOUNT_ID}-{REGION}<br>You can disregard this finding for the s3-access-logs, s3-logs and elb-access-logs buckets with the prefix {ACCELERATOR_PREFIX}, as these are target logging buckets and do not require server access logging to be enabled. The {cdk-accel} bucket is automatically created for storing files during the bootstrapping process with the AWS Cloud Development Kit (CDK). You can disregard this finding for it as well, as this bucket stores and manages assets, templates, and metadata related to your CDK deployments. Alternatively, you can choose to suppress the finding for these resources. |
S3.11 | S3 general purpose buckets should have event notifications enabled | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes all Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}. You can disregard this finding, as these buckets are created and managed by the LZA and the AWS Cloud Development Kit (CDK) to store solution artifacts and environment logs. These buckets have versioning enabled, which keeps multiple variants of an object in the same S3 bucket so that earlier versions of an object can be preserved, retrieved, and restored. Alternatively, you can choose to suppress the finding for these resources. |
S3.15 | S3 general purpose buckets should have Object Lock enabled | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}. You cannot enable Object Lock for the destination buckets used for server access logs: {ACCELERATOR_PREFIX}-s3-access-logs-{ACCOUNT_ID}-{REGION}, {ACCELERATOR_PREFIX}-s3-logs-{ACCOUNT_ID}-{REGION} and {ACCELERATOR_PREFIX}-elb-access-logs-{ACCOUNT_ID}-{REGION}. You can disregard this finding for the remaining buckets, as they are created and managed by the LZA and the AWS Cloud Development Kit (CDK) to store solution artifacts and environment logs. These buckets have versioning enabled, which keeps multiple variants of an object in the same S3 bucket so that earlier versions of an object can be preserved, retrieved, and restored. Alternatively, you can choose to suppress the finding for these resources. |
S3.17 | S3 general purpose buckets should be encrypted at rest with AWS KMS keys | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following Amazon S3 buckets:<br>- {ACCELERATOR_PREFIX}-assets-logs-{ACCOUNT_ID}-{REGION}<br>- {ACCELERATOR_PREFIX}-s3-access-logs-{ACCOUNT_ID}-{REGION}<br>- {ACCELERATOR_PREFIX}-cur-{ACCOUNT_ID}-{REGION}<br>- {ACCELERATOR_PREFIX}-s3-logs-{ACCOUNT_ID}-{REGION}<br>You can disregard this finding, as these buckets are created and managed by the LZA to store solution artifacts and environment logs, and they have server-side encryption with Amazon S3 managed keys (SSE-S3) enabled. Additionally, default server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS) is not supported for server access logging buckets. Alternatively, you can choose to suppress the finding for these resources. |
S3.20 | S3 general purpose buckets should have MFA delete enabled | Low | When using the Landing Zone Accelerator on AWS solution, this finding includes all Amazon S3 buckets with the prefixes {ACCELERATOR_PREFIX} and {cdk-accel}. You can disregard this finding, as these buckets are created and managed by the LZA and the AWS Cloud Development Kit (CDK) to store solution artifacts and environment logs. These buckets have lifecycle configurations set up, and you cannot use MFA delete for buckets with lifecycle configurations. Alternatively, you can choose to suppress the finding for these resources. |
StepFunctions.1 | Step Functions state machines should have logging turned on | Medium | When using the Landing Zone Accelerator on AWS solution, this finding includes the following AWS Step Functions state machines:<br>- CreateCTAccountsXXXX<br>- CreateOrganizationAccountsXXXX<br>You can disregard this finding, as these state machines are created and managed by the LZA to execute Lambda functions for account creation. The Lambda functions associated with these state machines have Amazon CloudWatch Logs enabled for monitoring and logging purposes. Alternatively, you can choose to suppress the finding for these resources. |
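Many rows above end with the option to suppress the finding for LZA-managed resources. The following is an added example (not code from the LZA solution) that automates that suppression for a subset of the controls in the table: it matches the resource ARNs in each finding against the accelerator prefix, so a customer resource flagged under the same control stays open, and then sets the workflow status through the Security Hub BatchUpdateFindings API with an audit note. It assumes the default accelerator prefix AWSAccelerator and a boto3 Security Hub client supplied by the caller; the RecordingClient stand-in and the sample findings are constructed so the example runs offline.

```python
import re
from typing import Dict, Iterable, List

# Controls the page says may be disregarded when every flagged resource is LZA-created; {p} = accelerator prefix (assumed "AWSAccelerator").
_PREPARE = r"table/{p}-PrepareStack-.*(AcceleratorConfigTable|NewCTAccounts|NewOrgAccounts)"
LZA_MANAGED = {
    "DynamoDB.4": _PREPARE,
    "DynamoDB.6": _PREPARE,
    "Lambda.3": r"function:{p}-",
    "StepFunctions.1": r"stateMachine:(CreateCTAccounts|CreateOrganizationAccounts)",
}

def is_lza_managed(finding: Dict, prefix: str = "AWSAccelerator") -> bool:
    """True only if the control is listed and *every* named resource matches; otherwise stay open."""
    pattern = LZA_MANAGED.get(finding.get("Compliance", {}).get("SecurityControlId", ""))
    if pattern is None:
        return False
    rx = re.compile(pattern.format(p=re.escape(prefix)))
    ids = [r.get("Id", "") for r in finding.get("Resources", [])]
    return bool(ids) and all(rx.search(i) for i in ids)

def suppress_lza_findings(client, findings: Iterable[Dict], prefix: str = "AWSAccelerator") -> List[str]:
    """Set Workflow=SUPPRESSED plus an audit note on matching findings via BatchUpdateFindings; return IDs."""
    targets = [f for f in findings if is_lza_managed(f, prefix)]
    for i in range(0, len(targets), 100):  # the API accepts at most 100 identifiers per call
        chunk = targets[i:i + 100]
        client.batch_update_findings(
            FindingIdentifiers=[{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in chunk],
            Workflow={"Status": "SUPPRESSED"},
            Note={"Text": "Resource is created and managed by LZA; see the LZA Security Hub findings guidance.",
                  "UpdatedBy": "lza-findings-review"},
        )
    return [f["Id"] for f in targets]

class RecordingClient:
    """Offline stand-in for a boto3 securityhub client (constructed for this example)."""
    def __init__(self):
        self.calls = []
    def batch_update_findings(self, **kwargs):
        self.calls.append(kwargs)
        return {"ProcessedFindings": kwargs["FindingIdentifiers"], "UnprocessedFindings": []}

def sample_findings() -> List[Dict]:
    """Constructed ASFF-shaped findings: two LZA-managed, one customer table that must stay open."""
    prod, acct = "arn:aws:securityhub:us-east-1::product/aws/securityhub", "111122223333"
    rows = [("f-1", "DynamoDB.4", f"arn:aws:dynamodb:us-east-1:{acct}:table/AWSAccelerator-PrepareStack-{acct}-us-east-1-AcceleratorConfigTableAB12C"),
            ("f-2", "Lambda.3", f"arn:aws:lambda:us-east-1:{acct}:function:AWSAccelerator-NetworkVpcStack-Handler"),
            ("f-3", "DynamoDB.4", f"arn:aws:dynamodb:us-east-1:{acct}:table/orders-prod")]
    return [{"Id": i, "ProductArn": prod, "Compliance": {"SecurityControlId": c}, "Resources": [{"Id": r}]}
            for i, c, r in rows]
```

Against a real account, pass boto3.client("securityhub") and the findings returned by get_findings; extend LZA_MANAGED with further controls from the table only after checking that the pattern cannot match customer-owned resources.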