Tracking your security posture in AWS


How are you tracking your compliance scores when you run in the cloud? Would you like insight into the compliance scores of a specific workload, or, better still, to hand that insight to the product owner of the workload? By giving them the insight you enable product owners to own their compliance scores. I recently created a small project that you can use to do just that!

Published Mar 1, 2024
How do you track your security posture in AWS? You have services like Security Hub, but it only shows you the scores of a limited set of standards. This blog post continues the previous two blog posts that I wrote:
In this blog we will look at how you can track your security posture across your organization.

AWS Security Hub

AWS Security Hub is the service for cloud security posture management. It works for smaller organizations and when you don’t have your own Config rules. Security Hub only shows you the compliance scores of the standards that AWS provides, and it gives you no historical insight into those scores. That does not need to be a problem, but having historical insight helps a lot when you interact with the workload teams.
For example, a workload team could say: “Yesterday the score was fine, it’s only lower because of <insert reason here>”. Historical insight will tell you whether this is actually true.

How about conformance packs?

In my previous blog I also wrote that conformance packs give you this insight. Yes, this is true, but there is a subtle difference between the scores in AWS Config and AWS Security Hub. In Config the state is black and white: a resource is either compliant or non-compliant, and the calculated score is the percentage of compliant resources.
In AWS Security Hub, when one resource in a control is non-compliant, the whole control is non-compliant. When nine controls are compliant and one is not, the score is 90%, regardless of the number of resources.
Security Hub also lets you suppress non-compliant findings. This is useful where a resource has a good reason not to adhere to a control: you suppress the finding on that resource, and suppressed findings are excluded when the compliance score is calculated.

How do you calculate the score then?

If you have set up a landing zone you have an audit account. This account collects all Config rule results, and also all Security Hub findings, in a single account.
By querying Security Hub for findings we can calculate the compliance score and build handy dashboards that display all scores of a workload across environments.
Screenshot of the CloudWatch dashboard of your security posture
This requires an AWS account per environment and a naming schema, for example: xebia-my-workload-development.
When you expose these dashboards to your teams, you increase the visibility of the compliance scores: visualized in a single place and easy to access, giving the product owners the insight they need to plan their backlog. This increases the adoption of built-in security responsibilities.

How does it work?

For the full implementation details I refer to the GitHub repository, but in essence we perform the following steps:
  1. Use the filter to retrieve all findings; we fetch 100 findings per invocation.
  2. When there is a NextToken, collect the rest of the findings.
  3. When we have 100 files, each containing 100 findings, we merge them into a single file containing 10K findings. We repeat this until we have all the findings.
  4. Split the findings per AWS account ID.
  5. In parallel, calculate the score based on the findings.
  6. Publish the results to CloudWatch metrics. The metric has the workload name and environment as dimensions.
There are three supported flavors:
  • The security standards from AWS Security Hub.
  • Conformance packs deployed in the organization.
  • A list of custom AWS Config rules.
For conformance packs there is one more step: we need to get the number of rules available within the conformance pack. The reason is that compliant controls are not visible in Security Hub, which would otherwise lead to an incorrect calculation of the security score.
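As an added illustration of steps 4 to 6 and of the scoring difference described above (this is example code written for this post, not the aws-security-posture project's own implementation), the block below groups a handful of constructed ASFF-shaped findings per account, scores them the Security Hub way (one open failing resource fails the whole control, suppressed findings cannot) next to the Config way (share of compliant resources), and turns the assumed `<prefix>-<workload>-<environment>` account name into a CloudWatch metric datum. The field names follow the ASFF `Compliance.Status`, `Workflow.Status` and `RecordState` attributes; the `ComplianceScore` metric name and `Workload`/`Environment` dimension names are assumptions.

```python
from collections import defaultdict

def finding(account, control, status, workflow="NEW"):
    """Minimal ASFF-shaped finding (constructed sample data, not real Security Hub output)."""
    return {"AwsAccountId": account, "GeneratorId": f"security-control/{control}",
            "Compliance": {"Status": status}, "Workflow": {"Status": workflow},
            "RecordState": "ACTIVE"}

# Constructed: account 1111... has S3.1 failing on one of two resources, IAM.4 passing and
# EC2.8 failing but suppressed; account 2222... passes both of its controls.
SAMPLE_FINDINGS = [
    finding("111111111111", "S3.1", "FAILED"), finding("111111111111", "S3.1", "PASSED"),
    finding("111111111111", "IAM.4", "PASSED"),
    finding("111111111111", "EC2.8", "FAILED", workflow="SUPPRESSED"),
    finding("222222222222", "S3.1", "PASSED"), finding("222222222222", "IAM.4", "PASSED"),
]

def split_by_account(findings):
    """Step 4: group findings per AWS account ID."""
    by_account = defaultdict(list)
    for f in findings:
        by_account[f["AwsAccountId"]].append(f)
    return dict(by_account)

def control_score(findings):
    """Step 5, Security Hub style: one open (NEW/NOTIFIED) FAILED resource fails the whole
    control; suppressed or resolved findings never fail it. Score = compliant / total controls."""
    failed = {}
    for f in findings:
        if f["RecordState"] != "ACTIVE":
            continue  # archived findings describe resources that are gone
        is_open = f["Workflow"]["Status"] in ("NEW", "NOTIFIED")
        failed[f["GeneratorId"]] = failed.get(f["GeneratorId"], False) or (
            is_open and f["Compliance"]["Status"] == "FAILED")
    total, compliant = len(failed), sum(1 for v in failed.values() if not v)
    return {"score": round(100.0 * compliant / total, 1) if total else 100.0,
            "compliant": compliant, "total": total}

def resource_score(findings):
    """AWS Config style, for contrast: share of compliant resource evaluations, no suppression."""
    active = [f for f in findings if f["RecordState"] == "ACTIVE"]
    passed = sum(1 for f in active if f["Compliance"]["Status"] == "PASSED")
    return round(100.0 * passed / len(active), 1) if active else 100.0

def metric_datum(account_name, score, prefix="xebia"):
    """Step 6: map <prefix>-<workload>-<environment> (assumed naming schema) to a CloudWatch datum."""
    if not account_name.startswith(prefix + "-") or account_name.count("-") < 2:
        raise ValueError(f"account name does not match <prefix>-<workload>-<environment>: {account_name}")
    workload, environment = account_name[len(prefix) + 1:].rsplit("-", 1)
    return {"MetricName": "ComplianceScore", "Unit": "Percent", "Value": score["score"],
            "Dimensions": [{"Name": "Workload", "Value": workload},
                           {"Name": "Environment", "Value": environment}]}
```

The datum is shaped for `put_metric_data(Namespace=..., MetricData=[...])`; on the sample, account 1111... scores 66.7% by control but only 50% by resource, which is exactly the gap between the two services.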


When you need one of the following:
  • Historical insight into your security posture.
  • Compliance scores of your conformance pack.
  • Dashboards with the scores of all environments of a workload.
you need to do some manual labor, as it is not supported by AWS. I hope I have piqued your interest to check out the aws-security-posture project.