AWS Security Hub
You can configure your Check Point Security Management Servers to send Threat Prevention events to AWS (Amazon Web Services) Security Hub.
The AWS Security Hub service gives you a comprehensive view of your security alerts and security posture across your AWS accounts.
For more information, see the AWS Security Hub documentation.
Prerequisites
- This feature is for Check Point Security Management Server version R80.30 with Jumbo Hotfix Accumulator 226 and higher.
- CME installed on the Security Management Server with support for AWS Security Hub, see sk157492.
- Supports only the Security Management Server (or Security Management Server High Availability) with Log Server. There is no support for Multi-Domain Security Management Servers or for a dedicated Log Server.
Note - To use the AWS Security Hub APIs, the Security Management Server must have outbound internet connectivity.
Subscribing to the Check Point CloudGuard Network in AWS Security Hub
- Enable the Security Hub service in your AWS account and region.
- Click Integrations.
- Search for: "check point"
- Select "Check Point CloudGuard Network".
- Click Accept findings.
For the Check Point Security Management Server to send security logs to the AWS Security Hub service, you must attach the appropriate permissions to the IAM role attached to the instance profile, or to the IAM role of the user credentials.
- For a Security Management Server in AWS - If you want to use the IAM role profile of the management as credentials: In the IAM policy of the IAM role attached to the Security Management Server, add a statement to allow the action securityhub:BatchImportFindings on any resource.
- For an On-Premises Security Management Server - Use the user's Access & Secret key as credentials: In the user's IAM policy, add a statement to allow the action securityhub:BatchImportFindings on any resource.
Configuring the Check Point Security Management Server to Send Events to the AWS Security Hub
Use these steps to configure the Check Point Security Management Server to send findings to your AWS Security Hub account.
- Install the latest CME version. See Installing and Updating CME.
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Launch the CME menu:
  cme_menu
- Select the Security Hub section:
  - From the CME menu main page, select AWS.
  - From the AWS Configuration tab, select Security Hub.
- Configure the Security Hub feature:
  - Select Configure Security Hub.
  - Enter the requested parameters:
    Parameter | Example Value | Description
    account-id | 123456789123 | A 12-digit number that uniquely identifies your AWS account.
    credentials | IAM | One of these: "IAM" - to use the IAM role profile; or the path to a text file that contains the AWS credentials in this format:
      AWSAccessKeyId=<AWS-ACCESS-KEY>
      AWSSecretKey=<AWS-SECRET-KEY>
    region | eu-west-1 | The region name to which you want to send Security Hub findings.
  - Optional: Decide whether to enable this feature immediately.
Enabling Security Hub on the Security Management Server
You can activate the Security Hub feature only after the configuration is complete.
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Launch the CME menu:
  cme_menu
- Select the Security Hub section:
  - On the CME menu home page, select AWS.
  - In the AWS Configuration tab, select Security Hub.
- Activate the Security Hub: select Enable Security Hub.
After the Security Hub is configured and enabled on the Security Management Server, you can verify that the status shows "Security Hub Service is currently enabled and sending logs to AWS". See Displaying the Security Hub Integration Status.
Disabling Security Hub on the Security Management Server
If you disable the feature, the Security Management Server stops sending logs to the AWS Security Hub service.
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Launch the CME menu:
  cme_menu
- Select the Security Hub section:
  - On the CME menu home page, select AWS.
  - In the AWS Configuration tab, select Security Hub.
- Disable the Security Hub: select Disable Security Hub.
Displaying the Security Hub Integration Status
You can see the status of the Security Hub integration on the Security Management Server.
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Launch the CME menu:
  cme_menu
- Select the Security Hub section:
  - On the CME menu home page, select AWS.
  - In the AWS Configuration tab, select Security Hub.
- To display the Security Hub status, select Security Hub Status.
Configuring Debug Mode
When Debug mode is activated, detailed logs of the Security Hub internal state are generated and saved to a file.
Note - The Debug mode is disabled by default.
- Connect to the command line on the Security Management Server.
- Log in to the Expert mode.
- Launch the CME menu:
  cme_menu
- Select the Security Hub section:
  - On the CME menu home page, select AWS.
  - In the AWS Configuration tab, select Security Hub.
- Select Configure Security Hub Debug Mode.
  - To activate debug mode, select Enable Security Hub debug mode.
  - To stop debug mode, select Disable Security Hub debug mode.
Additional Information about CloudGuard Network in Security Hub
Only logs from these Software Blades and features are sent to AWS Security Hub:
- MTA
For more information about a Finding, select the Finding ID and see ProductFields.
Accessing Security Hub Logs for Troubleshooting
These are the log files on the Management Server:
/var/log/CPcme/cme_log_reporter.log*
Log Exporter
As part of the configuration to send security events, the Log Exporter feature is used.
A new Log Exporter instance is added and monitored by the cpwd, with the name EXPORTER.CME_LOG_REPORTER.
For more information about the Log Exporter, see sk122323.
Limitations
- Multi-Domain Security Management Servers or dedicated Log Servers are not supported.
- Only Active states are reported.
- The feature does not work with manual modifications. Use the "cme_menu" command for all modifications.
- AWS limitations:
  - The maximum allowed size for a Finding is 240 kilobytes. A Finding larger than 240 kilobytes is dropped.
  - The Findings are uploaded to AWS in bulks. A bulk is up to 100 Findings.
  - AWS limits the ProductFields to 50 elements only. To view the full log, use SmartConsole.
- For CME limitations, see sk157492.
- For Log Exporter limitations, see sk122323.
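The three AWS limits listed above (240 KB per Finding, bulks of up to 100 Findings, 50 ProductFields elements) can be checked before an upload. The following Python is an added example, not CME's own code: the sample Findings are constructed, the ProductArn is a placeholder that only reuses the example region and account id from this page, and trimming ProductFields to the first 50 keys is an assumption for illustration, not documented CME behaviour.

```python
import json

MAX_FINDING_BYTES = 240 * 1024   # AWS drops a Finding larger than 240 kilobytes
MAX_BATCH_SIZE = 100             # a bulk upload holds up to 100 Findings
MAX_PRODUCT_FIELDS = 50          # AWS limits ProductFields to 50 elements


def finding_size(finding):
    """Size in bytes of the Finding as it would be serialized for the API."""
    return len(json.dumps(finding, separators=(",", ":")).encode("utf-8"))


def prepare_findings(findings):
    """Apply the three AWS limits before upload. Returns (batches, dropped):
    batches are lists of at most 100 Findings within the size limit, dropped
    holds the Ids of Findings over 240 KB. ProductFields with more than 50
    elements are trimmed to the first 50 keys (an assumption for this example;
    the full log remains in SmartConsole)."""
    accepted, dropped = [], []
    for finding in findings:
        fields = finding.get("ProductFields", {})
        if len(fields) > MAX_PRODUCT_FIELDS:
            finding = dict(finding, ProductFields=dict(list(fields.items())[:MAX_PRODUCT_FIELDS]))
        if finding_size(finding) > MAX_FINDING_BYTES:
            dropped.append(finding["Id"])  # AWS would drop it anyway, so skip it client-side
            continue
        accepted.append(finding)
    batches = [accepted[i:i + MAX_BATCH_SIZE] for i in range(0, len(accepted), MAX_BATCH_SIZE)]
    return batches, dropped


def make_finding(index, product_fields=None, padding=0):
    """Constructed minimal ASFF-style Finding for demonstration (not a real CME event)."""
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"constructed-finding-{index}",
        "ProductArn": "arn:aws:securityhub:eu-west-1:123456789123:product/PLACEHOLDER-PRODUCT",
        "Title": "Threat Prevention event",
        "ProductFields": product_fields if product_fields is not None else {},
        "Description": "x" * padding,  # padding lets a test build an oversized Finding
    }


if __name__ == "__main__":
    sample = [make_finding(i) for i in range(250)]
    sample.append(make_finding(250, padding=MAX_FINDING_BYTES))          # oversized: dropped
    sample.append(make_finding(251, {f"key{n}": n for n in range(60)}))  # 60 ProductFields: trimmed
    batches, dropped = prepare_findings(sample)
    print([len(b) for b in batches], dropped)  # [100, 100, 51] ['constructed-finding-250']
```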