
Visualizing A Lot of AWS Security Hub Findings

Once you've aggregated all of your AWS Security Hub Findings, here's one way to visualize and analyze them.


AWS Security Hub is a simple way to collect all of your security data within your AWS Cloud environment.

There are some challenges associated with the service, namely getting a handle on a large number of findings spread across many regions and accounts.

Recently, David Hessler at AWS posted a solution over on the AWS Security Blog. My thoughts on that solution, in a way-too-big Twitter thread 👇

Tweet 1/15

over on the @awssecurityinfo blog, @davidhessler dropped a great post, "How to build a multi-Region AWS Security Hub analytic pipeline and visualize Security Hub data" https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/ 👇
a thread with my thoughts... 🧵 #cloud #security

Tweet 2/15

@AWSSecurityInfo @davidhessler first of all, this solution uses Amazon QuickSight to visualize @awscloud Security Hub findings.
QuickSight has been one of my favourite AWS services since its launch. it's super easy to use and produces some fantastic visuals you can share w/the team 🧵 #cloud #security

Tweet 3/15

@AWSSecurityInfo @davidhessler @awscloud this solution tackles one of the top challenges with @awscloud Security services: data distribution across the regions
like any data, Security Hub findings stay in the region where they were generated
that's good but you (obviously) want a centralized view 🧵 #cloud #security

Tweet 4/15

@AWSSecurityInfo @davidhessler @awscloud Security Hub offers a solution to this: cross-Region finding aggregation
more on that at https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html 🧵 #cloud #security

Tweet 5/15

@AWSSecurityInfo @davidhessler @awscloud in larger orgs, sub accounts send their Security Hub findings to a single administrator account
cross-Region finding aggregation 👆 is then used in _that_ account to get a view of all of the organization's Security Hub findings in one place
phew... 🧵 #cloud #security

Tweet 6/15

@AWSSecurityInfo @davidhessler @awscloud with all of the data in one place, this solution uses Amazon Athena (eventually) to slice and dice the data for QuickSight
the "eventually" bit is where the solution is a bit frustrating for me
Security Hub outputs to EventBridge (awesome) ... 🧵 #cloud #security

Tweet 7/15

@AWSSecurityInfo @davidhessler @awscloud from there, this solution uses Kinesis Firehose to an Amazon S3 bucket to a Lambda function to another bucket and somehow loops in AWS Glue to get everything into the location and format to make life easier for Athena (the querying engine)
yikes 🧵 #cloud #security

Tweet 8/15

@AWSSecurityInfo @davidhessler @awscloud this is an ongoing theme with @awscloud. it's taking more and more services to actually solve the problem at hand
the choices in this solution make sense, it's just frustrating that it's this complex 🧵 #cloud #security

Tweet 9/15

@AWSSecurityInfo @davidhessler @awscloud Security Hub => EventBridge ✅
EventBridge => Kinesis Data Firehose ❓
Kinesis Data Firehose => Amazon S3 ❓
AWS Glue => Amazon S3 => Amazon Athena ✅
when I see challenges like this, I often ask, "What else could I use here?" 🧵 #cloud #security

Tweet 10/15

@AWSSecurityInfo @davidhessler @awscloud in this case, you could use EventBridge => SQS => Lambda => S3
...but that's even more complicated!
...maybe EventBridge => Lambda => S3? that's cleaner but could have throttling issues at scale 🤦 🧵 #cloud #security

Tweet 11/15

@AWSSecurityInfo @davidhessler @awscloud what about price? turns out that Firehose is reasonable for this use case
pricing is up at https://aws.amazon.com/kinesis/data-firehose/pricing/ but I figure it would be about $5.25 per million Findings 🧵 #cloud #security

Tweet 12/15

@AWSSecurityInfo @davidhessler @awscloud ...but the complexity of SQS => Lambda might be worth it AT SCALE
that same million Findings is going to clock in around $2.60
...and you would save on the AWS Glue charges because you could normalize from Lambda 🧵 #cloud #security

Tweet 13/15

@AWSSecurityInfo @davidhessler @awscloud sidenote: if you're wondering what a Finding is, it's the data format (ASFF) used by AWS security services and tools
it's an open format, with details up at https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
I really like it, but I'm biased as I was involved in the early days 🧵 #cloud #security

Tweet 14/15

@AWSSecurityInfo @davidhessler @awscloud regardless of how you get the data ready for visualization, QuickSight is a very cool tool to pull this off.
the shared dashboards are extremely useful here: https://docs.aws.amazon.com/quicksight/latest/user/sharing-a-dashboard.html 🧵 #cloud #security

Tweet 15/15

@AWSSecurityInfo @davidhessler @awscloud this went on way longer than anticipated! be sure to check out the full post at https://aws.amazon.com/blogs/security/how-to-build-a-multi-region-aws-security-hub-analytic-pipeline/
...and let me know what you think of this solution in the replies 👇 /🧵 #cloud #security
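As an added example (my code, not the blog post's, AWS's, or David's), here is the "normalize from Lambda" idea from tweet 12: a handler that flattens the ASFF findings carried in a Security Hub EventBridge event into one row per finding, partitioned by date, so Athena can query them without a separate Glue normalization step. The `findings/dt=<date>/` key layout and the sample findings are assumptions.

```python
"""Flatten Security Hub findings from an EventBridge event into rows for Athena."""
import json

# Top-level ASFF fields kept as-is; everything else in the record is dropped.
KEEP = ("Id", "ProductArn", "GeneratorId", "AwsAccountId", "Region",
        "Title", "RecordState", "UpdatedAt")

def flatten_finding(finding):
    """Reduce one ASFF finding (nested JSON) to a flat dict, i.e. one Athena row."""
    row = {k: finding.get(k) for k in KEEP}
    row["severity_label"] = finding.get("Severity", {}).get("Label")
    row["severity_normalized"] = finding.get("Severity", {}).get("Normalized")
    row["compliance_status"] = finding.get("Compliance", {}).get("Status")
    row["workflow_status"] = finding.get("Workflow", {}).get("Status")
    # ASFF allows several resources per finding; the flat table keeps the first.
    resource = (finding.get("Resources") or [{}])[0]
    row["resource_type"] = resource.get("Type")
    row["resource_id"] = resource.get("Id")
    row["dt"] = (row["UpdatedAt"] or "")[:10]  # YYYY-MM-DD, used as the partition
    return row

def handler(event, context=None):
    """Lambda entry point for one 'Security Hub Findings - Imported' event.
    Returns {partition: NDJSON text}; a deployed handler would put_object each
    chunk to S3 under findings/dt=<partition>/ (assumed layout, not the post's)."""
    findings = event.get("detail", {}).get("findings", [])
    chunks = {}
    for row in map(flatten_finding, findings):
        chunks.setdefault(row["dt"], []).append(json.dumps(row, sort_keys=True))
    return {dt: "\n".join(lines) + "\n" for dt, lines in chunks.items()}

# Constructed sample event (not real findings). Its shape follows the EventBridge
# event Security Hub emits: detail.findings is a list of ASFF records.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "constructed-finding-1", "AwsAccountId": "111111111111",
         "Region": "us-east-1", "Title": "S3 bucket example", "RecordState": "ACTIVE",
         "UpdatedAt": "2021-09-02T10:00:00.000Z", "GeneratorId": "example-generator",
         "Severity": {"Label": "HIGH", "Normalized": 70},
         "Compliance": {"Status": "FAILED"}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "constructed-finding-2", "AwsAccountId": "222222222222",
         "Region": "eu-west-1", "Title": "Finding with no Resources list",
         "UpdatedAt": "2021-09-02T11:00:00.000Z",
         "Severity": {"Label": "LOW", "Normalized": 1}, "Workflow": {"Status": "NEW"}},
    ]},
}
```

Missing optional sections (`Compliance`, `Resources`) come through as `null` columns rather than crashing the handler, which matters because not every product that writes to Security Hub fills them in.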
