Visualizing A Lot of AWS Security Hub Findings
AWS Security Hub is a simple way to collect all of your security data within your AWS Cloud environment.
There are some challenges associated with the service. Namely, getting a handle on a lot of findings from a number of different regions and accounts.
Recently, David Hessler at AWS posted a solution over on the AWS Security Blog. My thoughts on that solution in a way-too-big Twitter thread:
https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/
a thread with my thoughts…
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:06
Tweet 2/15
QuickSight has been one of my favourite AWS services since its launch. It’s super easy to use and produces some fantastic visuals you can share w/the team
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 3/15
like any data, Security Hub findings stay in the region where they were generated
that’s good but you (obviously) want a centralized view
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 4/15
more on that at https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 5/15
cross-Region finding aggregation is then used in that account to get a view of all of the organization’s Security Hub findings in one place
phew…
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 6/15
the “eventually” bit is where the solution is a bit frustrating for me
Security Hub outputs to EventBridge (awesome) …
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 7/15
yikes
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 8/15
the choices in this solution make sense, it’s just frustration that it’s this complex
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 9/15
when I see challenges like this, I often ask, “What else could I use here?”
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 10/15
…but that’s even more complicated!
…maybe EventBridge => Lambda => S3?
that’s cleaner but could have throttling issues at scale 🤦
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 11/15
pricing is up at https://aws.amazon.com/kinesis/data-firehose/pricing/
but I figure it would be about $5.25 per million Findings
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 12/15
that same million Findings is going to clock in around $2.60 …and you would save on the AWS Glue charges because you could normalize from Lambda
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 13/15
it’s an open format, with details up at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
I really like it, but I’m biased as I was involved in the early days
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 14/15
the shared dashboards are extremely useful here: https://docs.aws.amazon.com/quicksight/latest/user/sharing-a-dashboard.html
🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
Tweet 15/15
be sure to check out the full post at https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/
…and let me know what you think of this solution in the replies
/🧵 #cloud #security
@marknca tweeted at 07-Feb-2022, 23:07
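The "EventBridge => Lambda => S3" variant floated in tweets 10 and 12, as an added example that is not code from the thread or the AWS blog post: a Lambda handler that flattens each ASFF finding from the EventBridge event into one row and writes it to S3 under account/region/day partitions, so no Glue normalization step is needed before Athena and QuickSight. The sample event is constructed, and the FINDINGS_BUCKET environment variable and the injectable `put_object` callback are assumptions of this example.

```python
import json
import os
# Constructed sample: the shape EventBridge delivers for a
# "Security Hub Findings - Imported" event. Every value is made up.
SAMPLE_EVENT = {"detail": {"findings": [{
    "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/abc",
    "AwsAccountId": "111122223333",
    "Region": "us-east-1",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
    "Title": "S3 buckets should prohibit public read access",
    "UpdatedAt": "2022-02-07T23:07:00.000Z",
    "Severity": {"Label": "CRITICAL", "Normalized": 90},
    "Compliance": {"Status": "FAILED"},
    "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}],
}]}}

def normalize_finding(f):
    """Flatten the nested ASFF fields a dashboard needs into one row; optional blocks are tolerated."""
    return {
        "id": f["Id"],
        "account": f["AwsAccountId"],
        "region": f.get("Region", ""),
        "product": f["ProductArn"].split("product/", 1)[-1],
        "title": f["Title"],
        "severity": f.get("Severity", {}).get("Label", "INFORMATIONAL"),
        "compliance": f.get("Compliance", {}).get("Status", "NOT_AVAILABLE"),
        "resource": f["Resources"][0]["Id"] if f.get("Resources") else "",
        "updated_at": f["UpdatedAt"],
    }

def s3_key(row):
    """Hive-style account/region/day partitions so Athena scans only the slice a filter asks for."""
    day = row["updated_at"][:10]  # ASFF UpdatedAt is ISO 8601, date first
    suffix = row["id"].rsplit("/", 1)[-1]  # finding's own trailing identifier
    return f"findings/account={row['account']}/region={row['region']}/dt={day}/{suffix}.json"

def handler(event, context=None, put_object=None):
    """Lambda entry point; put_object(key, body) is injectable so the code runs offline."""
    if put_object is None:
        import boto3  # only needed inside Lambda
        s3, bucket = boto3.client("s3"), os.environ["FINDINGS_BUCKET"]  # assumed env var
        put_object = lambda key, body: s3.put_object(Bucket=bucket, Key=key, Body=body)
    keys = []
    for finding in event.get("detail", {}).get("findings", []):
        row = normalize_finding(finding)
        key = s3_key(row)
        put_object(key, json.dumps(row))
        keys.append(key)
    return keys
```

Because each finding becomes its own small object, the throttling concern from tweet 10 moves to S3 PUT rates and Lambda concurrency, which is where you would add batching if volume demands it.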