Archive 2 min read

Enriching AWS Security Hub Findings

AWS Security Hub Findings are great, but they can be better. Here's a simple pattern from the AWS team to enrich those findings automatically.

Enriching AWS Security Hub Findings

Tweet 1/6 馃憞 Next tweet

recently, @awscloud published a really interesting post on the @awsecurityinfo blog. the post details an extremely useful pattern for enriching AWS Security Hub findings check it out at some thoughts in the 馃У below 馃憞

Tweet 2/6 馃憞 Next tweet 馃憜 Start

@awscloud all of AWS Security Hub findings follow the ASFF or AWS Security Finding Format, I'm a bit biased because I was involved in it's early stages but it's a sold key:value structure for reporting #security issues 馃У

Tweet 3/6 馃憞 Next tweet 馃憜 Start

@awscloud the information in the Finding is about the finding (duh) but there can be a number of @awscloud resources referenced. these resources have their own attributes that might be critical to the prioritization and investigation of the finding 馃У

Tweet 4/6 馃憞 Next tweet 馃憜 Start

@awscloud the backend won't add all of these data points because you're adding a number of API calls for every Finding issue and it might not be worth it performance or cost wise the pattern in the blog post helps add that data to enrich the Finding 馃У

Tweet 5/6 馃憞 Next tweet 馃憜 Start

@awscloud I think the next step for this pattern would be to add filters for specific Finding types. if I see Finding type X, query A, B, C, and add that data to the finding this would help tune the pattern to your specific needs and trade offs 馃У

Tweet 6/6 馃憞 Next tweet 馃憜 Start

@awscloud overall, this is a great solution to implement in your environment. it's low cost, highly scalable, and doesn't add a lot of operational overhead /馃У

Read next