HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - Security Hub Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Security Hub

Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.

It centralizes security related alerts across accounts, and provides a UI for viewing these. The biggest limitation is it does not centralize alerts across regions, only across accounts

Characteristics

  • Regional (findings don't cross regions)

  • Multi-account support

  • Findings from:

    • Guard Duty

    • Config

    • Inspector

    • Macie

    • third party

    • self-generated against CIS standards

Enumeration

# Get basic info
aws securityhub describe-hub

# Get securityhub org config
aws securityhub describe-organization-configuration #If the current account isn't the security hub admin, you will get an error

# Get the configured admin for securityhub
aws securityhub get-administrator-account
aws securityhub get-master-account # Another way
aws securityhub list-organization-admin-accounts # Another way

# Get enabled standards
aws securityhub get-enabled-standards

# Get the findings
aws securityhub get-findings

# Get insights
aws securityhub get-insights

# Get Automation rules (must be from the admin account)
aws securityhub list-automation-rules

# Get members (must be from the admin account)
aws securityhub list-members
aws securityhub get-members --account-ids <acc-id>

Bypass Detection

TODO, PRs accepted

References

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - Macie EnumNextAWS - Shield Enum

Last updated