With AWS Security Hub, you can enable checks for standard best practices such as the following:
AWS Foundational Security Best Practices
CIS AWS Foundations Benchmark
Payment Card Industry Data Security Standard (PCI DSS)
Each of these standards has predefined controls. Security Hub evaluates each control in a given AWS account and reports the results as findings.
AWS Security Hub sends all findings to Amazon EventBridge by default. This pattern provides a security control that deploys an EventBridge rule to identify AWS Foundational Security Best Practices standard findings. The rule identifies the following findings for automatic scaling, virtual private clouds (VPCs), Amazon Elastic Block Store (Amazon EBS), and Amazon Relational Database Service (Amazon RDS) from the AWS Foundational Security Best Practices standard:
[AutoScaling.1] Auto Scaling groups associated with a load balancer should use load balancer health checks
[EC2.2] The VPC default security group should not allow inbound and outbound traffic
[EC2.6] VPC flow logging should be enabled in all VPCs
[EC2.7] EBS default encryption should be enabled
[RDS.1] RDS snapshots should be private
[RDS.6] Enhanced monitoring should be configured for RDS DB instances and clusters
[RDS.7] RDS clusters should have deletion protection enabled
The EventBridge rule forwards these findings to an AWS Lambda function, which remediates the finding. The Lambda function then sends a notification with remediation information to an Amazon Simple Notification Service (Amazon SNS) topic.
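To make the flow concrete, the following is an added example (not the pattern's own code): an EventBridge event pattern that selects the seven controls listed above, a small matcher that applies EventBridge's matching rules to an incoming event, and a Lambda-style handler that filters the batch, records the intended remediation, and publishes to SNS. Assumptions: the AWS Security Finding Format field names (ProductFields.ControlId, Compliance.Status, RecordState, Resources[].Id) are as I know them, the remediation actions are described rather than executed, the sample event is constructed, and the SNS publish is passed in as a callable so the code runs offline.

```python
"""Added example of the Security Hub -> EventBridge -> Lambda -> SNS flow.
Not the pattern's own code; see the lead-in for what is assumed."""
import json
from typing import Callable, Dict, List

# Control IDs named on the page; the Lambda acts on these only.
REMEDIATED_CONTROLS = ["AutoScaling.1", "EC2.2", "EC2.6", "EC2.7",
                       "RDS.1", "RDS.6", "RDS.7"]

# Assumed EventBridge event pattern. Security Hub delivers imported findings
# with source "aws.securityhub" and the detail-type below. Restricting to
# FAILED and ACTIVE avoids re-remediating findings that already pass.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "ProductFields": {"ControlId": REMEDIATED_CONTROLS},
        "Compliance": {"Status": ["FAILED"]},
        "RecordState": ["ACTIVE"],
    }},
}

# Remediation intent per control, derived from the control titles above.
# Descriptions only; a real function would call the matching AWS API
# under a narrowly scoped IAM role.
REMEDIATION_ACTION = {
    "AutoScaling.1": "switch the Auto Scaling group health check type to ELB",
    "EC2.2": "remove all inbound and outbound rules from the default security group",
    "EC2.6": "enable VPC flow logs",
    "EC2.7": "enable EBS encryption by default in the Region",
    "RDS.1": "remove public access from the RDS snapshot",
    "RDS.6": "enable enhanced monitoring on the DB instance or cluster",
    "RDS.7": "enable deletion protection on the RDS cluster",
}


def matches_pattern(event, pattern) -> bool:
    """Subset of EventBridge matching: every pattern key must be present in
    the event; a list of literals matches if the event value equals any of
    them; a nested dict recurses; an array in the event matches if ANY
    element matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        values = event[key] if isinstance(event[key], list) else [event[key]]
        if isinstance(expected, dict):
            if not any(isinstance(v, dict) and matches_pattern(v, expected) for v in values):
                return False
        elif not any(v in expected for v in values):
            return False
    return True


def handle_finding_event(event: Dict, publish: Callable[[str, str], None]) -> List[Dict]:
    """Lambda-style handler. EventBridge forwards a whole findings batch when
    any one finding matches, so each finding is checked again here."""
    if not matches_pattern(event, EVENT_PATTERN):
        return []
    results = []
    for finding in event["detail"]["findings"]:
        control = finding.get("ProductFields", {}).get("ControlId")
        if (control not in REMEDIATED_CONTROLS
                or finding.get("Compliance", {}).get("Status") != "FAILED"
                or finding.get("RecordState") != "ACTIVE"):
            continue
        result = {"control": control,
                  "resource": finding["Resources"][0]["Id"],
                  "action": REMEDIATION_ACTION[control],
                  "finding_id": finding["Id"]}
        results.append(result)
        # Notification with remediation details, as the page describes.
        publish(f"Security Hub remediation: {control}", json.dumps(result, indent=2))
    return results


# Constructed sample batch: one finding the rule targets (EC2.7) and one it
# does not (IAM.1), to show the per-finding filter doing real work.
# 111122223333 is a documentation placeholder account ID.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "example-finding-1", "ProductFields": {"ControlId": "EC2.7"},
         "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
         "Resources": [{"Id": "AWS::::Account:111122223333"}]},
        {"Id": "example-finding-2", "ProductFields": {"ControlId": "IAM.1"},
         "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE",
         "Resources": [{"Id": "AWS::::Account:111122223333"}]},
    ]},
}

if __name__ == "__main__":
    handle_finding_event(SAMPLE_EVENT, lambda subject, body: print(subject, body, sep="\n"))
```

The per-finding re-check in the handler is the part that matters operationally: a Security Hub batch can mix controls, and acting on every finding in a matched batch would apply remediations the rule never intended.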