AWS Security Hub - AWS GovCloud (US)

AWS Security Hub

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.

How Security Hub Differs for AWS GovCloud (US)

Integrations

Standards and Controls

  • For the CIS AWS Foundations Standard, the following controls are not supported in the AWS GovCloud (US) Region.

    • 1.13 - Ensure MFA is enabled for the "root" account

    • 1.14 - Ensure hardware MFA is enabled for the "root" account

  • For the Payment Card Industry Data Security Standard (PCI DSS), the following controls are not supported in the AWS GovCloud (US) Region.

    • [PCI.CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

    • [PCI.CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

    • [PCI.IAM.4] Hardware MFA should be enabled for the root user

    • [PCI.IAM.5] Virtual MFA should be enabled for the root user

    • The following controls are not supported in the AWS GovCloud (US-East) Region.

      • [PCI.GuardDuty.1] GuardDuty should be enabled

      • [PCI.SageMaker.1] SageMaker notebook instances should not have direct internet access

  • For the AWS Foundational Security Best Practices standard, the following controls are not supported in the AWS GovCloud (US) Region.

    • [IAM.6] Hardware MFA should be enabled for the root user

    • [CodeBuild.1] CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

    • [CodeBuild.2] CodeBuild project environment variables should not contain clear text credentials

    • The following controls are not supported in the AWS GovCloud (US-East) Region.

      • [GuardDuty.1] GuardDuty should be enabled

      • [SageMaker.1] Amazon SageMaker notebook instances should not have direct internet access
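Because Security Hub cannot evaluate CIS 1.13 and 1.14 in AWS GovCloud (US), a GovCloud account has no automated finding for root-account MFA. The following added example (not AWS code) reproduces the logic of those two controls from plain IAM API responses, so the gap can be covered by a scheduled job; it assumes boto3 and credentials for the GovCloud account when run as a script, while the evaluation function itself works on dictionaries and needs no SDK.

```python
"""Compensating check for CIS 1.13 / 1.14 (root-account MFA), which
Security Hub does not evaluate in AWS GovCloud (US).

Added example, not part of AWS documentation.  Assumes: boto3 installed
and credentials for the GovCloud account (only when run as a script).
"""

ROOT_ARN_SUFFIX = ":root"  # root user ARN ends in ":root" in every partition


def evaluate_root_mfa(summary_map, virtual_devices):
    """Return pass/fail for CIS 1.13 and 1.14.

    summary_map     -- the 'SummaryMap' dict from iam.get_account_summary()
    virtual_devices -- the 'VirtualMFADevices' entries from
                       iam.list_virtual_mfa_devices(AssignmentStatus='Assigned')
    """
    # AccountMFAEnabled is 1 when the root user has any MFA device.
    mfa_enabled = summary_map.get("AccountMFAEnabled", 0) == 1

    # A virtual device assigned to the root user means the MFA is software,
    # so CIS 1.14 (hardware MFA) fails even though CIS 1.13 passes.
    root_has_virtual = any(
        d.get("User", {}).get("Arn", "").endswith(ROOT_ARN_SUFFIX)
        for d in virtual_devices
    )
    return {
        "cis_1_13_root_mfa_enabled": mfa_enabled,
        "cis_1_14_root_hardware_mfa": mfa_enabled and not root_has_virtual,
    }


def main():
    import boto3  # imported here so evaluate_root_mfa() stays SDK-free

    iam = boto3.client("iam", region_name="us-gov-west-1")
    summary = iam.get_account_summary()["SummaryMap"]
    devices = []
    paginator = iam.get_paginator("list_virtual_mfa_devices")
    for page in paginator.paginate(AssignmentStatus="Assigned"):
        devices.extend(page["VirtualMFADevices"])

    for control, passed in evaluate_root_mfa(summary, devices).items():
        print(f"{control}: {'PASSED' if passed else 'FAILED'}")


if __name__ == "__main__":
    main()
```

Feed the two results into whatever reporting pipeline consumes Security Hub findings so that the GovCloud gap shows up alongside the controls Security Hub does evaluate.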

Documentation for Security Hub

AWS Security Hub documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All input text and documents processed by AWS Security Hub can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

  • This service can generate metadata from customer-defined configurations. This metadata includes all configuration data in console fields, descriptions, resource names, and tagging information. AWS suggests customers do not enter export-controlled information in those fields.