Tracking your security posture in AWS
How are you tracking your compliance scores when you run in the cloud? Would you like insight into the compliance scores of a specific workload? Or, even better, give that insight to the product owner of the workload? By giving them the insight you enable the product owners to own their compliance scores. I recently created a small project that you can use to do just that!
<insert reason here>". Having the historical insight will actually tell you if this is true or not.
This requires an AWS Account per environment and you need a naming schema. For example: xebia-my-workload-development.
- Use the filter to retrieve all findings; we fetch 100 findings per invocation.
- When the response contains a NextToken, we continue collecting the remaining findings.
- Once we have 100 files, each containing 100 findings, we merge them into a single file containing 10K findings. We repeat this until we have all the findings.
- Split the findings per AWS Account ID.
- In parallel, calculate the score based on the findings.
- Publish the results to CloudWatch metrics. The metric will have the workload name and environment as dimensions.
- The security standards from AWS Security Hub.
- Conformance packs deployed in the organization.
- List of custom AWS Config rules.
- Historical insight into your security posture.
- Compliance scores of your conformance pack.
- Dashboards with the scores of all environments of a workload.
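The fetch, split, score and publish steps listed above, as an added example that is not the project's own code: it pages through Security Hub GetFindings until no NextToken comes back, splits the findings per AWS Account ID, derives the workload and environment dimensions from the naming schema, and builds the datums for CloudWatch put_metric_data. The scoring rule (PASSED over PASSED+FAILED), the metric and dimension names, the FakeSecurityHub stand-in and the sample findings and account names are all assumptions made for this example.

```python
# Constructed sample data: findings in the shape GetFindings returns, and account names per the post's schema.
SAMPLE_FINDINGS = [
    {"AwsAccountId": "111111111111", "Compliance": {"Status": "PASSED"}},
    {"AwsAccountId": "111111111111", "Compliance": {"Status": "FAILED"}},
    {"AwsAccountId": "111111111111", "Compliance": {"Status": "PASSED"}},
    {"AwsAccountId": "222222222222", "Compliance": {"Status": "FAILED"}},
    {"AwsAccountId": "222222222222", "Compliance": {"Status": "NOT_AVAILABLE"}},
]
ACCOUNT_NAMES = {"111111111111": "xebia-my-workload-development", "222222222222": "xebia-my-workload-production"}
class FakeSecurityHub:  # constructed stand-in for boto3's securityhub client, serving 3 findings per page
    def get_findings(self, Filters, MaxResults, NextToken=None):
        start, end = int(NextToken or 0), int(NextToken or 0) + 3
        token = {"NextToken": str(end)} if end < len(SAMPLE_FINDINGS) else {}
        return {"Findings": SAMPLE_FINDINGS[start:end], **token}
def fetch_all_findings(client, filters):
    """Page through GetFindings (100 per call) until the response carries no NextToken."""
    findings, kwargs = [], {"Filters": filters, "MaxResults": 100}
    while True:
        page = client.get_findings(**kwargs)
        findings.extend(page["Findings"])
        if "NextToken" not in page:
            return findings
        kwargs["NextToken"] = page["NextToken"]

def compliance_score(findings):
    """Percent PASSED of PASSED+FAILED (assumed scoring rule); NOT_AVAILABLE etc. are not scored."""
    status = [f.get("Compliance", {}).get("Status") for f in findings]
    passed, failed = status.count("PASSED"), status.count("FAILED")
    return round(100 * passed / (passed + failed), 2) if passed + failed else None

def parse_account_name(name):
    """'<org>-<workload>-<environment>' -> (workload, environment); the workload part may contain '-'."""
    parts = name.split("-")
    if len(parts) < 3:
        raise ValueError(f"account name does not follow the naming schema: {name}")
    return "-".join(parts[1:-1]), parts[-1]

def build_metric_data(findings, account_names):
    """Split findings per account and build one ComplianceScore datum per account for put_metric_data."""
    per_account = {}
    for f in findings:
        per_account.setdefault(f["AwsAccountId"], []).append(f)
    data = []
    for account_id, account_findings in per_account.items():
        if (score := compliance_score(account_findings)) is None:
            continue  # nothing scorable for this account, so publish no datum
        workload, environment = parse_account_name(account_names[account_id])
        dims = [{"Name": "Workload", "Value": workload}, {"Name": "Environment", "Value": environment}]
        data.append({"MetricName": "ComplianceScore", "Unit": "Percent", "Value": score, "Dimensions": dims})
    return data  # feed to cloudwatch.put_metric_data in batches of at most 20 datums
```

With a real boto3 securityhub client in place of FakeSecurityHub, the same loop walks all findings matching the filter; accounts whose findings carry no PASSED or FAILED status produce no datum rather than a misleading score.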