AWS Security Hub disabled
Description
AlphaSOC detected the use of the DisableSecurityHub action, which disables AWS Security Hub in the current AWS Region and, after 90 days, deletes existing findings and insights, and any configuration settings. Threat actors may leverage this action to reduce visibility into security monitoring, potentially to conceal their malicious activity within the AWS environment.
Impact
Disabling AWS Security Hub reduces an organization's ability to detect, investigate, and respond to security threats across the AWS infrastructure. This could allow adversaries to avoid detection and maintain prolonged access to the compromised environment.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Security Hub disabled |
Investigation and Remediation
Review AWS CloudTrail logs to identify the user or role that executed the DisableSecurityHub action. Verify whether this action was authorized. If unauthorized, reenable AWS Security Hub, rotate any potentially affected credentials, and conduct a thorough security assessment of the AWS environment for signs of a compromise.
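The triage steps above (find who called DisableSecurityHub, confirm whether the call succeeded, and work out which Regions still need Security Hub turned back on) can be scripted against the CloudTrail records themselves. The following is an added example, not AlphaSOC's or AWS's own code: it parses records in the standard CloudTrail log-file layout (`{"Records": [...]}`), reports every DisableSecurityHub attempt with its actor, source IP and outcome (CloudTrail records an `errorCode` such as `AccessDeniedException` when the call was refused), and then replays successful Disable/Enable calls per Region so the responder knows where to reenable. The account ID, ARNs, IP addresses and timestamps in `SAMPLE_LOG` are constructed for the example.

```python
"""Triage helper for the "AWS Security Hub disabled" detection.

Added example, not AlphaSOC's or AWS's code. Reads CloudTrail records in the
standard log-file layout ({"Records": [...]}), lists every DisableSecurityHub
call with its actor and outcome, and replays Disable/Enable calls per Region
to show which Regions still have Security Hub disabled. Sample records are
constructed for the example (AWS documentation account ID and test-net IPs).
"""
import json
from dataclasses import dataclass
from typing import Optional

EVENT_SOURCE = "securityhub.amazonaws.com"
DISABLE = "DisableSecurityHub"
ENABLE = "EnableSecurityHub"


@dataclass
class DisableEvent:
    time: str
    region: str
    actor: str           # userIdentity.arn: IAM user or assumed-role session
    actor_type: str      # userIdentity.type, e.g. IAMUser or AssumedRole
    source_ip: str
    user_agent: str
    succeeded: bool      # CloudTrail adds errorCode when the call was denied/failed
    error: Optional[str]


def load_records(cloudtrail_json: str) -> list:
    """Parse a CloudTrail log file body and return its Records, oldest first."""
    records = json.loads(cloudtrail_json).get("Records", [])
    return sorted(records, key=lambda r: r.get("eventTime", ""))


def find_disable_events(records: list) -> list:
    """Return every DisableSecurityHub call (successful or denied) with its actor."""
    hits = []
    for r in records:
        if r.get("eventSource") != EVENT_SOURCE or r.get("eventName") != DISABLE:
            continue
        ident = r.get("userIdentity", {})
        hits.append(DisableEvent(
            time=r.get("eventTime", ""),
            region=r.get("awsRegion", ""),
            actor=ident.get("arn", "<unknown>"),
            actor_type=ident.get("type", "<unknown>"),
            source_ip=r.get("sourceIPAddress", ""),
            user_agent=r.get("userAgent", ""),
            succeeded="errorCode" not in r,
            error=r.get("errorCode"),
        ))
    return hits


def regions_still_disabled(records: list) -> set:
    """Replay successful Disable/Enable calls in time order; return Regions left disabled."""
    disabled = set()
    for r in records:
        if r.get("eventSource") != EVENT_SOURCE or "errorCode" in r:
            continue  # other services, or calls that never took effect
        region = r.get("awsRegion", "")
        if r.get("eventName") == DISABLE:
            disabled.add(region)
        elif r.get("eventName") == ENABLE:
            disabled.discard(region)
    return disabled


def _event(time, name, region, ident, ip, agent, error=None) -> dict:
    """Build a minimal constructed CloudTrail record for the sample log."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": EVENT_SOURCE,
           "eventName": name, "awsRegion": region, "userIdentity": ident,
           "sourceIPAddress": ip, "userAgent": agent, "eventType": "AwsApiCall"}
    if error:
        rec["errorCode"] = error
    return rec


ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/AdminRole/build-agent"  # constructed
SAMPLE_LOG = json.dumps({"Records": [  # constructed sample events
    _event("2024-05-01T10:02:11Z", DISABLE, "us-east-1",
           {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"},
           "198.51.100.7", "aws-cli/2.15.0", error="AccessDeniedException"),
    _event("2024-05-01T10:05:40Z", DISABLE, "us-east-1",
           {"type": "AssumedRole", "arn": ROLE_ARN}, "203.0.113.25", "aws-cli/2.15.0"),
    _event("2024-05-01T10:06:02Z", DISABLE, "eu-west-1",
           {"type": "AssumedRole", "arn": ROLE_ARN}, "203.0.113.25", "aws-cli/2.15.0"),
    _event("2024-05-01T11:30:00Z", ENABLE, "eu-west-1",
           {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/secops"},
           "198.51.100.7", "console.amazonaws.com"),
]})


def triage(cloudtrail_json: str = SAMPLE_LOG) -> dict:
    """Summarise attempts, actors and Regions that still need Security Hub reenabled."""
    records = load_records(cloudtrail_json)
    events = find_disable_events(records)
    return {
        "attempts": len(events),
        "successful_actors": sorted({e.actor for e in events if e.succeeded}),
        "denied_actors": sorted({e.actor for e in events if not e.succeeded}),
        "regions_still_disabled": sorted(regions_still_disabled(records)),
    }


if __name__ == "__main__":
    for e in find_disable_events(load_records(SAMPLE_LOG)):
        status = "OK" if e.succeeded else f"DENIED ({e.error})"
        print(f"{e.time} {e.region:<10} {e.actor_type:<12} {e.actor} from {e.source_ip} {status}")
    print(triage())
```

In a live investigation the same records can be pulled for the last 90 days with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DisableSecurityHub` (one call per Region, since the action is Region-scoped), and each Region listed under `regions_still_disabled` is reenabled with `aws securityhub enable-security-hub --region <region>`. A denied attempt is still worth tracing back to its credential: it shows the actor was probing for the permission even though the service stayed on.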