
Enriching AWS Security Hub Findings

AWS Security Hub Findings are great, but they can be better. Here's a simple pattern from the AWS team to enrich those findings automatically.


Tweet 1/6

recently, @awscloud published a really interesting post on the @awsecurityinfo blog. the post details an extremely useful pattern for enriching AWS Security Hub findings. check it out at https://aws.amazon.com/blogs/security/how-to-enrich-aws-security-hub-findings-with-account-metadata/ some thoughts in the 🧵 below 👇

Tweet 2/6

@awscloud all AWS Security Hub findings follow the ASFF, or AWS Security Finding Format, https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html I'm a bit biased because I was involved in its early stages, but it's a solid key:value structure for reporting #security issues 🧵

Tweet 3/6

@awscloud the information in the Finding is about the finding (duh), but there can be a number of @awscloud resources referenced. these resources have their own attributes that might be critical to the prioritization and investigation of the finding 🧵

Tweet 4/6

@awscloud the backend won't add all of these data points because you're adding a number of API calls for every Finding issued, and it might not be worth it performance- or cost-wise. the pattern in the blog post helps add that data to enrich the Finding 🧵

Tweet 5/6

@awscloud I think the next step for this pattern would be to add filters for specific Finding types. if I see Finding type X, query A, B, C, and add that data to the finding. this would help tune the pattern to your specific needs and trade-offs 🧵

Tweet 6/6

@awscloud overall, this is a great solution to implement in your environment. it's low cost, highly scalable, and doesn't add a lot of operational overhead /🧵
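As an added illustration of tweets 3 to 5 (example code, not the AWS blog post's or the thread author's): a type-filtered enrichment dispatch over a constructed ASFF finding that produces a BatchUpdateFindings-shaped request body, so costlier lookups only run for the finding types that need them. The lookup tables, the prefix-to-enricher mapping and the sample finding are assumptions standing in for real API calls.

```python
"""Type-filtered enrichment of an ASFF finding, shaped for BatchUpdateFindings."""
from typing import Callable, Dict, List

# Constructed lookup tables standing in for the API calls a real enricher would make
# (e.g. AWS Organizations for account metadata, EC2 DescribeTags for instance tags).
ACCOUNT_METADATA = {"111122223333": {"AccountName": "prod-payments", "OU": "Production"}}
INSTANCE_TAGS = {"i-0123456789abcdef0": {"Owner": "payments-team", "DataClass": "pci"}}


def enrich_account(finding: dict) -> Dict[str, str]:
    """Base enrichment from the blog post: which account (and OU) owns the finding."""
    return dict(ACCOUNT_METADATA.get(finding["AwsAccountId"], {"AccountName": "unknown"}))


def enrich_ec2_tags(finding: dict) -> Dict[str, str]:
    """Extra lookup, only worth paying for on finding types where instance ownership matters."""
    out: Dict[str, str] = {}
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsEc2Instance":
            instance_id = res["Id"].rsplit("/", 1)[-1]  # ASFF resource Id is the ARN, ends in instance/i-...
            for key, value in INSTANCE_TAGS.get(instance_id, {}).items():
                out[f"Ec2Tag.{key}"] = value
    return out


# Hypothetical filter table (tweet 5): ASFF Types prefix -> enrichers to run for it.
# The empty prefix runs for every finding; the others gate the costlier lookups.
ENRICHERS: Dict[str, List[Callable[[dict], Dict[str, str]]]] = {
    "": [enrich_account],
    "Software and Configuration Checks/Vulnerabilities": [enrich_ec2_tags],
}


def build_update(finding: dict) -> dict:
    """Return a BatchUpdateFindings request body that attaches the enrichment as UserDefinedFields."""
    fields: Dict[str, str] = {}
    types = finding.get("Types", [])
    for prefix, funcs in ENRICHERS.items():
        if prefix == "" or any(t.startswith(prefix) for t in types):
            for func in funcs:
                fields.update(func(finding))
    return {
        "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        "UserDefinedFields": fields,
    }


# Constructed minimal ASFF finding carrying only the fields the enrichers read.
SAMPLE_FINDING = {
    "Id": "example-finding-id",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
    "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
}

if __name__ == "__main__":
    print(build_update(SAMPLE_FINDING))
```

A finding whose Types fall outside the gated prefix (for example a `TTPs/...` type) gets only the account metadata, which is the per-type cost trade-off the thread describes.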
