AWS recently changed its underlying alert creation in Security Hub. If you enabled more than one control, you’re likely getting repeats of the same alert from the different controls. With AWS’s new feature, you’ll receive one standard alert—even if it violates multiple controls.
This new feature introduces a single control ID across all standards. For example, before the new feature you would get three different alerts:
- The CIS standard will report “CIS 2.5”
- The PCI will report “PCI.Config.1”
- The AWS FSBP will report “Config.1”
And if you enable de-duplication, all standards will report a single consolidated finding of “Config.1”
De-duplication isn’t automatically enabled for existing implementations, and you’ll want to consider a few things before turning on the new feature. However, any new implementations will already have it enabled by default.
Here are a few things to watch out for before enabling de-duplication:
- If you have an existing implementation and use any automation—either custom through CloudWatch or Automated Security Response— you’ll need to change your rules to reflect the new finding
sID. - Automated Security Response doesn’t currently support the new finding IDs. Wait until it updates.
- If you’re integrating into an SIEM, check with your SIEM team to ensure it supports the new finding IDs.
A few other things to note:
- If you’re running Security Hub (centralized in an organization), you’ll update it in the centralized account. It will roll out to existing accounts automatically.
- Creating a new account in an organization with an existing account? It will be configured the same as the master account.
AWS’s new de-duplication feature can help if you’re struggling with the number of alerts in Security Hub by reducing them and streamlining updates.