
Enriching AWS Security Hub Findings

Tweet 1/6 👇

recently, @awscloud published a really interesting post on the @awsecurityinfo blog. the post details an extremely useful pattern for enriching AWS Security Hub findings

check it out at

some thoughts in the 🧵 below 👇

Tweet 2/6 👇

@awscloud all AWS Security Hub findings follow the ASFF, or AWS Security Finding Format.

I'm a bit biased because I was involved in its early stages, but it's a solid key:value structure for reporting #security issues


Tweet 3/6 👇

@awscloud the information in the Finding is about the finding (duh) but there can be a number of @awscloud resources referenced. these resources have their own attributes that might be critical to the prioritization and investigation of the finding


Tweet 4/6 👇

@awscloud the backend won't add all of these data points because you're adding a number of API calls for every Finding issued, and it might not be worth it performance- or cost-wise

the pattern in the blog post helps add that data to enrich the Finding


Tweet 5/6 👇

@awscloud I think the next step for this pattern would be to add filters for specific Finding types.

if I see Finding type X, query A, B, C, and add that data to the finding

this would help tune the pattern to your specific needs and trade-offs
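The per-type filter suggested in this tweet, as an added example that is neither the thread author's code nor the AWS blog post's: a rule table keyed on the ASFF `Types` prefix decides which referenced resources to query and which attributes to pull, and the result is shaped as the `UserDefinedFields` map that `BatchUpdateFindings` accepts. `INVENTORY`, `RULES` and `SAMPLE_FINDING` are constructed stand-ins for describe-* API results and a real finding.

```python
# Type-filtered enrichment of an AWS Security Hub finding (ASFF). Added example,
# not from the AWS blog post or the thread; INVENTORY, RULES and SAMPLE_FINDING
# are constructed stand-ins for describe-* API results and a real finding.
INVENTORY = {
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1234": {
        "PublicIp": "203.0.113.10", "IamInstanceProfile": "web-role", "Owner": "team-web"},
    "arn:aws:s3:::example-bucket": {"PublicAccessBlock": "false", "Owner": "team-data"},
}

# The filter proposed in the thread: a Types prefix decides which resource types
# to query and which attributes to pull, so API cost is spent only where it matters.
RULES = {
    "Software and Configuration Checks/AWS Security Best Practices": {
        "AwsEc2Instance": ["PublicIp", "IamInstanceProfile"],
        "AwsS3Bucket": ["PublicAccessBlock"],
    },
    "TTPs/Initial Access": {"AwsEc2Instance": ["PublicIp", "Owner"]},
}

SAMPLE_FINDING = {  # constructed, trimmed ASFF record
    "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/1",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices/Network Reachability"],
    "Resources": [
        {"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc1234"},
        {"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"},
    ],
}

def lookup(resource_id, attrs):
    """Stand-in for the describe-* calls; returns only the requested attributes."""
    data = INVENTORY.get(resource_id, {})
    return {k: str(data[k]) for k in attrs if k in data}

def enrich(finding):
    """Return UserDefinedFields for the finding, or {} when no rule matches its Types.
    Keys carry resource type and index so several resources do not collide;
    ASFF UserDefinedFields values must be strings."""
    fields = {}
    for ftype in finding.get("Types", []):
        rule = next((r for p, r in RULES.items() if ftype.startswith(p)), None)
        for i, res in enumerate(finding.get("Resources", []) if rule else []):
            for k, v in lookup(res["Id"], rule.get(res["Type"], [])).items():
                fields[f"{res['Type']}.{i}.{k}"] = v
    return fields

def to_update_request(finding, fields):
    """Shape of the BatchUpdateFindings call that writes the enrichment back."""
    return {"FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
            "UserDefinedFields": fields}
```

Unmatched finding types return an empty map, so the caller can skip the write-back entirely for them.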


Tweet 6/6 👇

@awscloud overall, this is a great solution to implement in your environment. it's low cost, highly scalable, and doesn't add a lot of operational overhead