We at Essent rely on Amazon AWS to run most of our workloads. Security is one of the six pillars of the Amazon AWS Well-Architected Framework, and is an area we take very seriously.
As we continue to grow and shift increasingly toward cloud-managed services, the number of our accounts and assets also increases. To maintain insight and control we, the Cloud Platform team, found it crucial to create a centralized dashboard and data lake for our security findings.
This dashboard enables us to:
- Empower our domain teams to take ownership of the security findings discovered in the software they build and manage.
- Provide the security and leadership teams with a holistic overview of the number of resolved incidents and current findings.
To propagate this information to the dashboard, we have devised the following solution:
Let's break this solution down.
Member Accounts: These are accounts from which we want to aggregate security findings. For each account, we deploy two key components:
- Event Forwarding Component: This forwards all security findings from the AWS Security Hub to the admin account via EventBridge.
- Lambda for Auto-Cleaning: This automatically removes security findings that have already been resolved, so that stale findings do not show up as false positives. The Lambda is triggered by events such as EC2 instance shutdowns or S3 bucket deletions, so that findings related to resources that no longer exist are not added to our data lake.
Centralized (Admin Account): This is the account where all events are forwarded. It consists mainly of four components:
- Event Aggregation: A custom EventBridge rule triggers on the events forwarded from the member accounts. Its target is Kinesis Data Firehose, which reliably loads the real-time stream into a single S3 location that forms the entry point of the data lake for the following steps.
- Cleaning and Formatting: A crucial step is to format the incoming S3 data in a manner that can be understood by other AWS data integration services. We accomplish this through a Lambda function that listens for any new files arriving in S3.
- Data Analysis: This is conducted using AWS Glue and AWS Athena to transform the data into meaningful, business-related information. Think of Athena as a tool for querying S3 files in a database-style format (SQL-like queries), and Glue as a serverless data integration service.
- Data Presentation: This is the final step, where we display the security findings, team-related resources, and data in easily understandable diagrams and clear statistics. We use Amazon QuickSight for this, as it can easily integrate with various data sources and create interactive dashboards and diagrams. A notable feature of QuickSight is its ability to link with our AD, allowing any employee within E.ON/Essent to be easily added and access the dashboard.
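To make the "Cleaning and Formatting" step concrete, here is an added example (not Essent's own Lambda code) of the core transformation such a function performs. It assumes Firehose wrote the raw EventBridge events back to back with no delimiter (Firehose adds none unless the producer does), and the column set chosen for the Glue table is an assumption; the sample delivery object is constructed.

```python
import json

# Constructed sample: two "Security Hub Findings - Imported" events from two
# member accounts, concatenated with no record delimiter, as Firehose delivers them.
SAMPLE_DELIVERY = (
    '{"version":"0","source":"aws.securityhub","account":"111111111111",'
    '"detail-type":"Security Hub Findings - Imported","detail":{"findings":['
    '{"Id":"arn:aws:securityhub:eu-west-1:111111111111:subscription/x/finding/a1",'
    '"AwsAccountId":"111111111111","Title":"S3 buckets should block public access",'
    '"Severity":{"Label":"HIGH"},"Workflow":{"Status":"NEW"},'
    '"Resources":[{"Type":"AwsS3Bucket","Id":"arn:aws:s3:::example-bucket"}]}]}}'
    '{"version":"0","source":"aws.securityhub","account":"222222222222",'
    '"detail-type":"Security Hub Findings - Imported","detail":{"findings":['
    '{"Id":"arn:aws:securityhub:eu-west-1:222222222222:subscription/x/finding/b2",'
    '"AwsAccountId":"222222222222","Title":"EC2 instances should use IMDSv2",'
    '"Severity":{"Label":"MEDIUM"},"Workflow":{"Status":"RESOLVED"},'
    '"Resources":[{"Type":"AwsEc2Instance","Id":"i-0123456789abcdef0"}]}]}}'
)

def split_concatenated_json(raw: str):
    """Yield each top-level JSON object from a string of back-to-back objects."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(raw) and raw[pos].isspace():  # tolerate optional whitespace
            pos += 1
        if pos >= len(raw):
            break
        obj, end = decoder.raw_decode(raw, pos)  # parse one object, report where it ends
        yield obj
        pos = end

def flatten_finding(event: dict, finding: dict) -> dict:
    """Pick the columns the Glue table needs (assumed set), one row per ASFF finding."""
    resource = (finding.get("Resources") or [{}])[0]
    return {
        "source_account": event.get("account"),
        "finding_id": finding["Id"],
        "title": finding.get("Title"),
        "severity": finding.get("Severity", {}).get("Label"),
        "workflow_status": finding.get("Workflow", {}).get("Status"),
        "resource_type": resource.get("Type"),
        "resource_id": resource.get("Id"),
    }

def to_ndjson(raw: str) -> str:
    """Turn one Firehose delivery object into newline-delimited JSON for Glue/Athena."""
    rows = []
    for event in split_concatenated_json(raw):
        for finding in event.get("detail", {}).get("findings", []):
            rows.append(json.dumps(flatten_finding(event, finding), separators=(",", ":")))
    return "\n".join(rows) + ("\n" if rows else "")
```

In the real Lambda, the S3 trigger supplies the bucket and key, the object body is passed to `to_ndjson`, and the result is written back to the formatted prefix that the Glue crawler reads.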
If you have any questions, suggestions, or alternative ideas to achieve the same goal, please share them in the comments!