After running the script I found a lot of Critical findings in status "Warning".
Attempting to view the rule related to the finding in the console took me to an empty rule definition page and/or errors in Config. Further investigation showed that the rules don't even exist in Config.
I suspect this is because the script does not wait for Config to be enabled before enabling Security Hub, so Security Hub thinks it has created the rule for the finding but the rule does not actually exist in Config.
The only way to fix this is to disable and re-enable the standards.
e.g.:
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
"securityhub-cloud-trail-encryption-enabled-b61f8eaf",
"securityhub-codebuild-project-source-repo-url-check-bc429527",
"securityhub-dms-replication-not-public-fd0e6f54",
"securityhub-efs-encrypted-check-e5244c06",
"securityhub-vpc-default-security-group-closed-2a891050",
"securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
"StandardsSubscriptions": [
{
"StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsInput": {},
"StandardsStatus": "READY"
}
]
}
MaAl00350:~ max $ aws securityhub batch-disable-standards --standards-subscription-arns "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0"
{
"StandardsSubscriptions": [
{
"StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsInput": {},
"StandardsStatus": "DELETING"
}
]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
"StandardsSubscriptions": []
}
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
"securityhub-vpc-default-security-group-closed-2a891050",
"securityhub-vpc-flow-logs-enabled-3042d788"
]
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[]
Finally all the rules are gone. Re-enable the standard:
MaAl00350:~ max $ aws securityhub batch-enable-standards --standards-subscription-requests '{"StandardsArn":"arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0"}'
{
"StandardsSubscriptions": [
{
"StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsInput": {},
"StandardsStatus": "PENDING"
}
]
}
MaAl00350:~ max $ aws securityhub get-enabled-standards
{
"StandardsSubscriptions": [
{
"StandardsSubscriptionArn": "arn:aws:securityhub:eu-west-1:034563818582:subscription/aws-foundational-security-best-practices/v/1.0.0",
"StandardsArn": "arn:aws:securityhub:eu-west-1::standards/aws-foundational-security-best-practices/v/1.0.0",
"StandardsInput": {},
"StandardsStatus": "READY"
}
]
}
MaAl00350:~ max $ aws configservice describe-config-rules --query ConfigRules[].ConfigRuleName
[
"securityhub-access-keys-rotated-4338bdd1",
"securityhub-acm-certificate-expiration-check-a9c4abea",
"securityhub-alb-http-to-https-redirection-check-48339d98",
"securityhub-autoscaling-group-elb-healthcheck-required-a8d0729f",
"securityhub-cloud-trail-encryption-enabled-348ac493",
"securityhub-codebuild-project-envvar-awscred-check-bd1bccda",
"securityhub-codebuild-project-source-repo-url-check-55df4d3f",
"securityhub-dms-replication-not-public-9aba3179",
"securityhub-ebs-snapshot-public-restorable-check-6169ceb8",
"securityhub-ec2-instance-managed-by-ssm-599c6972",
"securityhub-ec2-managedinstance-association-compliance-status-check-b69a86ef",
"securityhub-ec2-managedinstance-patch-compliance-00bf694d",
"securityhub-ec2-stopped-instance-38153549",
"securityhub-efs-encrypted-check-82f1aaa9",
"securityhub-elasticsearch-encrypted-at-rest-58658303",
"securityhub-encrypted-volumes-fc3a8ba4",
"securityhub-guardduty-enabled-centralized-b514c146",
"securityhub-iam-password-policy-recommended-defaults-64365480",
"securityhub-iam-policy-no-statements-with-admin-access-bce4701f",
"securityhub-iam-root-access-key-check-a7c95be2",
"securityhub-iam-user-no-policies-check-34076ae3",
"securityhub-lambda-function-public-access-prohibited-ad1f8609",
"securityhub-lambda-function-settings-check-a569e4c9",
"securityhub-mfa-enabled-for-iam-console-access-e80a849c",
"securityhub-multi-region-cloud-trail-enabled-049fa6e6",
"securityhub-rds-instance-public-access-check-1c0f0f3e",
"securityhub-rds-snapshots-public-prohibited-6c85734e",
"securityhub-rds-storage-encrypted-ccdb6b6e",
"securityhub-root-account-hardware-mfa-enabled-7751db16",
"securityhub-s3-account-level-public-access-blocks-c9fe23a1",
"securityhub-s3-bucket-public-read-prohibited-66251a8f",
"securityhub-s3-bucket-public-write-prohibited-71d10c81",
"securityhub-s3-bucket-server-side-encryption-enabled-93f8c50f",
"securityhub-s3-bucket-ssl-requests-only-0feab26a",
"securityhub-sagemaker-notebook-no-direct-internet-access-21638603",
"securityhub-vpc-default-security-group-closed-10798b7d",
"securityhub-vpc-flow-logs-enabled-ff14d6e9"
]
If you don't do this, some of your findings will stay in the broken state forever and you will never get a pass/fail result.
I think the script needs to handle enabling Config better by waiting for it to be enabled before enabling Security Hub.