AWS Security Hub is a service that gives organizations a view into their security and compliance posture across multiple AWS accounts. To keep securing AWS resources and their overall configuration, teams need access to meaningful data so they can make informed decisions.
As an AWS customer, I was looking for a solution that, put simply, would let me build an analytics pipeline for our Security Hub findings, summarize the data with Amazon Athena, and finally visualize it with QuickSight. In QuickSight, I also wanted an easy way to provide short but meaningful summaries or trends, for example the top severities with the highest counts. It is also important to remember that the visualizations or dashboards you create should be prescriptive toward the person(s) or team(s) they are intended for. With a data pipeline established between AWS Security Hub and QuickSight, organizations can quickly create dashboards that capture trends, which lets teams detect, analyze, contain, and eradicate problems and issues quickly.
After some research and reading, I stumbled upon an AWS Security blog article, which was exactly what I was looking for.
Following the high-level architecture above, from left to right, we see the following flow.
Detect: two built-in Security Hub standards, the CIS AWS Foundations Benchmark controls and the AWS Foundational Security Best Practices standard, plus a serverless Prowler scanner.
Collect: regional security findings are pulled into a central account using AWS Security Hub.
Aggregate: the cross-Region aggregation feature in Security Hub lets the findings in each administrator account be aggregated and continuously synchronized across multiple Regions.
Ingest: AWS Security Hub provides visibility into insights and findings across multiple AWS accounts, but remember that it also offers integrations that accept findings from other AWS services or third-party tools. In the other direction, integrations can send findings out of Security Hub to other places such as ticketing systems, real-time alerting and notifications, or other workflows already in place to help teams prioritize and remediate security incidents quickly.
Transform: often the data is not in a state or format that another service or tool can consume. In this case, the Security Hub data, which arrives via EventBridge, needs to be formatted before Athena can consume it. Using a few AWS services (Kinesis Data Firehose, S3, Lambda, Glue), the Security Hub data ends up stored in an Athena table we can use.
Analyze: using an Athena view, we can aggregate the number of Security Hub findings over a period of time. Coming back to an earlier point, now that the pipeline to detect, ingest, and transform our security findings is built, the views can be tailored or further enhanced with other data sources beyond the Security Hub data alone.
Visualize: for me, being a very visual person, building the QuickSight visualizations was the most rewarding part. After all, you can accumulate lots of data, in this case security-related data, and this enables organizations and teams to make data-driven decisions based on dashboards that focus on metrics or other key data points, such as finding severity, over a period of time. QuickSight also lets you schedule data refreshes and publish a dashboard that can easily be shared with leaders or other teams. The published and shared dashboards can be prescriptive, focused on providing the greatest value to the unique needs of the customer(s), leader(s), or team(s).
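The Transform step above is where the EventBridge payload has to be reshaped before Athena can query it. The following is an added example, not code from the blog article or from AWS: a Kinesis Data Firehose transformation Lambda that unpacks the list in detail.findings from each "Security Hub Findings - Imported" event, flattens the ASFF fields a dashboard typically needs, and emits one JSON object per line (newline-delimited JSON is what the Glue/Athena JSON SerDe expects). The field selection, the sample findings, and the handling of empty and malformed records are my assumptions.

```python
import base64
import json

def flatten_finding(f):
    """Pick and flatten the ASFF fields the Athena table (and QuickSight dataset) will query."""
    sev, res = f.get("Severity", {}), (f.get("Resources") or [{}])[0]
    return {"id": f.get("Id"), "account_id": f.get("AwsAccountId"), "region": f.get("Region"),
            "title": f.get("Title"), "severity_label": sev.get("Label"),
            "severity_normalized": sev.get("Normalized"),
            "compliance_status": f.get("Compliance", {}).get("Status"),
            "workflow_status": f.get("Workflow", {}).get("Status"),
            "record_state": f.get("RecordState"), "updated_at": f.get("UpdatedAt"),
            "resource_type": res.get("Type"), "resource_id": res.get("Id")}

def lambda_handler(event, context=None):
    """Firehose transformation entry point: one JSON line per finding, since Athena needs NDJSON."""
    out = []
    for rec in event["records"]:
        try:  # each Firehose record is one base64-encoded EventBridge event with a findings list
            evt = json.loads(base64.b64decode(rec["data"]))
            rows = [flatten_finding(f) for f in evt["detail"]["findings"]]
        except (ValueError, TypeError, KeyError):
            out.append({"recordId": rec["recordId"], "result": "ProcessingFailed", "data": rec["data"]})
            continue
        if not rows:  # nothing to store; tell Firehose to drop the record instead of writing ""
            out.append({"recordId": rec["recordId"], "result": "Dropped", "data": rec["data"]})
            continue
        payload = "".join(json.dumps(r) + "\n" for r in rows)
        out.append({"recordId": rec["recordId"], "result": "Ok",
                    "data": base64.b64encode(payload.encode()).decode()})
    return {"records": out}

def decode_rows(b64):
    """Inspection helper: turn one transformed record back into its list of rows."""
    return [json.loads(l) for l in base64.b64decode(b64).decode().splitlines() if l]

def _b64(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample input (not real findings): a two-finding event, an empty event, and garbage.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
    {"Id": "example-finding-1", "AwsAccountId": "111122223333", "Region": "us-east-1",
     "Title": "S3 buckets should block public access", "Severity": {"Label": "HIGH", "Normalized": 70},
     "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
     "UpdatedAt": "2023-01-15T10:00:00Z", "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    {"Id": "example-finding-2", "AwsAccountId": "111122223333", "Region": "us-east-1", "Title": "Example low finding",
     "Severity": {"Label": "LOW", "Normalized": 1}, "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE"}]}}
SAMPLE_RECORDS = [{"recordId": "r1", "data": _b64(SAMPLE_EVENT)},
                  {"recordId": "r2", "data": _b64({"detail": {"findings": []}})},
                  {"recordId": "r3", "data": base64.b64encode(b"not json").decode()}]
```

Partition the S3 prefix by date in the Firehose delivery stream so the Athena view that counts findings per period only scans the days it needs.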