AWS Cloud Operations Blog

Assess Resilience at Scale by using Amazon QuickSight and Amazon Resilience Hub

AWS Resilience Hub helps you to manage and improve the resilience posture of your applications on AWS. It enables you to define your resilience goals, assess your resilience posture against those goals, and implement recommendations for improvement based on the AWS Well-Architected Framework.

This benefits individual teams that want to assess their applications. However, for larger customers, it’s critical to have a centralized view of your AWS Organization’s overall resilience posture. This can quickly become a challenge if your Organization has a multi-account strategy and manages multiple applications across accounts. Amazon QuickSight helps bring resilience information into a centralized dashboard for a quick overview.

In this blog post, we will walk you through how to bring AWS Resilience Hub and Amazon QuickSight together to build an organizational view of your resilience posture.

Pre-requisites

Before implementing this solution, you will need to complete the following prerequisites:
• Define and assess one or more applications using AWS Resilience Hub. For more information on enabling AWS Resilience Hub, see this blog.
• Identify an account as your Resilience Data Aggregator account. This account should have delegated admin access to deploy AWS CloudFormation stacks in linked accounts. Review how to register a delegated administrator to run CloudFormation StackSets.
• If you do not already have one, sign up for an Amazon QuickSight subscription.

Solution Overview

After applications have been defined and assessed within Resilience Hub, a time-based event from Amazon EventBridge invokes an AWS Lambda function.

1. The Lambda function makes API calls to Resilience Hub and retrieves and aggregates resilience data for all applications defined within Resilience Hub. It generates a CSV file using the aggregated data.
2. The Lambda function uploads this CSV file to a central Amazon Simple Storage Service (Amazon S3) bucket.
3. The data in the S3 bucket is then ingested into an Amazon Athena table.
4. A QuickSight dashboard is created using the Athena table as its dataset. It contains various visuals that provide an aggregate view of resilience across all applications assessed by Resilience Hub.

Solution Architecture
Figure 1: Resilience data aggregator architecture with multi-account Organization

Walkthrough

Resilience Hub can be programmatically accessed using its APIs. These APIs can be used to perform a variety of tasks such as defining and onboarding applications, setting recovery targets, running assessments, and in this case, retrieving application and assessment data.

This solution uses a Lambda function deployed in the Resilience-Data-Aggregator account that makes API calls to collect resilience data for applications defined and assessed in Resilience Hub from the linked accounts. The function does some minor processing of the responses before generating a CSV file and storing it in a centralized Amazon S3 bucket. The main Resilience Hub APIs used by the function are:
• ListApps – retrieves all applications defined in the linked accounts
• DescribeApp – describes an application
• ListAppAssessments – retrieves list of assessments for an application
• DescribeAppAssessment – describes an assessment for an application
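The call sequence described above, as an added example (not the Lambda code shipped with this solution). `paginate`, `largest` and `collect_rows` are hypothetical names, `client` is assumed to be a boto3 `resiliencehub` client built from the linked-account role's credentials, and reporting the largest RTO/RPO across disruption types is an assumption.

```python
def paginate(call, key, **kwargs):
    """Yield every item from a Resilience Hub list call, following nextToken."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]


def largest(values):
    """Largest defined value, or None when no disruption type reports one."""
    defined = [v for v in values if v is not None]
    return max(defined) if defined else None


def collect_rows(client, account_id, region):
    """Return one dict per assessment, keyed like the aggregated CSV columns."""
    # client: boto3 'resiliencehub' client for one linked account and region.
    rows = []
    for summary in paginate(client.list_apps, "appSummaries"):
        app = client.describe_app(appArn=summary["appArn"])["app"]
        for item in paginate(client.list_app_assessments, "assessmentSummaries",
                             appArn=app["appArn"]):
            detail = client.describe_app_assessment(
                assessmentArn=item["assessmentArn"])["assessment"]
            current = detail.get("compliance", {}).values()  # per disruption type
            policy = detail.get("policy", {})
            targets = policy.get("policy", {}).values()      # per disruption type
            rows.append({
                "accountid": account_id,
                "applicationname": app["name"],
                "assessmentname": detail["assessmentName"],
                "assessmentcompliancestatus": detail.get("complianceStatus"),
                "endtime": str(detail.get("endTime", "")),
                # Assumption: report the largest value across disruption types.
                "estimatedrto": largest(c.get("currentRtoInSecs") for c in current),
                "estimatedrpo": largest(c.get("currentRpoInSecs") for c in current),
                "targetrto": largest(t.get("rtoInSecs") for t in targets),
                "targetrpo": largest(t.get("rpoInSecs") for t in targets),
                "applicationcompliancestatus": app.get("complianceStatus"),
                "resiliencyscore": app.get("resiliencyScore"),
                "lastassessed": str(app.get("lastAppComplianceEvaluationTime", "")),
                "applicationtier": policy.get("tier"),
                "region": region,
            })
    return rows
```

Because the function only reads, the role it runs under in each linked account needs no more than the four actions listed above.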

Download the solution

You can use AWS CloudFormation to deploy the resources required for this solution:
• Lambda function
• EventBridge Rule
• Centralized S3 bucket
• Identity and Access Management (IAM) permissions

The solution uses 2 CloudFormation stacks:
• ResHubAdminAccountCfn: This stack is deployed in the Resilience-Data-Aggregator account to provision the centralized S3 bucket, Lambda function and EventBridge Rule. You can provide the linked accounts to be aggregated as a parameter.
• ResHubLinkedAccountCfn: This stack is deployed in the linked accounts where Resilience Hub is enabled and resilience data needs to be aggregated. Using the delegated administrator account as described in the prerequisites, you can deploy this stack into different linked accounts. It provisions the IAM role that allows the Lambda function to pull the resilience data from Resilience Hub. For more information, see AWS CloudFormation StackSets.

The Lambda function aggregates the files from each linked account to the central S3 bucket. The next step, then, is to import this data into Amazon QuickSight. This can be achieved in 2 ways:
• Use the S3 bucket to create a dataset in Amazon QuickSight
• Use Athena to create a dataset from multiple S3 files
In this blog post, we are using the Athena table to ingest the data from multiple S3 files. This eliminates the need to create and update a manifest file manually.

Create Athena Table from S3

Next, we’ll use Amazon Athena to create a table using the data in the S3 bucket.
1. Navigate to Athena in the AWS console.
2. From the Database menu, choose the database for which you want to create a table. If you don’t specify a database in your CREATE TABLE statement, the table is created in the database that is currently selected in the query editor.
3. Enter the following in the query editor, and then choose Run, or press Ctrl+ENTER.


CREATE EXTERNAL TABLE rhub_central_assessment_data(
  accountid STRING,
  applicationname STRING,
  assessmentname STRING,
  assessmentcompliancestatus STRING,
  endtime STRING,
  estimatedrto INTEGER,
  estimatedrpo INTEGER,
  targetrto INTEGER,
  targetrpo INTEGER,
  applicationcompliancestatus STRING,
  resiliencyscore DECIMAL(10,2),
  lastassessed STRING,
  applicationtier STRING,
  region STRING
)
ROW FORMAT DELIMITED
  FIELDS TERMINATED BY ','
STORED AS INPUTFORMAT
  'org.apache.hadoop.mapred.TextInputFormat'
OUTPUTFORMAT
  'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
  's3://central-resilience-assessment/resilienceHubReports'
TBLPROPERTIES (
  'skip.header.line.count'='1'
);
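The table above maps CSV fields to columns by position and its delimited row format does not interpret quoting, so the file the Lambda function writes has to follow the same column order and keep commas out of values. The following is an added example of a writer that enforces this (not code from the solution); `COLUMNS`, `INT_COLUMNS`, `clean` and `to_csv` are hypothetical names.

```python
# Column order copied from the CREATE EXTERNAL TABLE statement. With
# ROW FORMAT DELIMITED, fields are matched to columns by position only.
COLUMNS = [
    "accountid", "applicationname", "assessmentname",
    "assessmentcompliancestatus", "endtime", "estimatedrto", "estimatedrpo",
    "targetrto", "targetrpo", "applicationcompliancestatus",
    "resiliencyscore", "lastassessed", "applicationtier", "region",
]
INT_COLUMNS = {"estimatedrto", "estimatedrpo", "targetrto", "targetrpo"}


def clean(column, value):
    """Return one field as text that cannot break the comma-delimited layout."""
    if value is None:
        return ""
    if column in INT_COLUMNS and (isinstance(value, bool)
                                  or not isinstance(value, int)):
        # Reject here rather than leave a malformed number for the table to read.
        raise ValueError(f"{column} must be an integer, got {value!r}")
    # No quoting is available, so a comma or line break inside a value
    # (for example in an application name) would shift every later column.
    return " ".join(str(value).replace(",", " ").split())


def to_csv(rows):
    """Serialize row dicts to CSV text in the table's column order."""
    lines = [",".join(COLUMNS)]  # header row, skipped by skip.header.line.count
    for row in rows:
        unknown = set(row) - set(COLUMNS)
        if unknown:
            raise ValueError(f"unexpected columns: {sorted(unknown)}")
        lines.append(",".join(clean(c, row.get(c)) for c in COLUMNS))
    return "\n".join(lines) + "\n"
```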

Create Amazon QuickSight dataset using Athena Table

To begin visualizing Resilience Hub Assessments in Amazon QuickSight, create a dataset using the Athena table created by the query in the previous section.

Choose the table to build the QuickSight Dataset

Figure 2: How to choose the table to create QuickSight dataset

Note: Please wait until the import is completed. The time this takes depends on the volume of data being imported.

Once the dataset is created, review the datatypes to ensure the field values are reflected by the datatype accurately. In this case, we changed the datatype for date fields from string to Date using the guidance provided here.
You are now ready to create an analysis from the dataset that you imported. Click on “Use in Analysis” to start building.


Figure 3: Use the dataset in an Analysis

We built a sample dashboard using the columns available in the dataset. See the guidance on adding visuals to a QuickSight dashboard. This dashboard shows:
• Number of unique applications assessed by AWS Resilience Hub across the organization
• Average Resilience Score across the organization
• Number of accounts where Resilience Hub is enabled
• Number of regions assessed where applications have presence
• Applications by compliance status
• Resilience Score Trends per application over a period

Figure 4: Sample Dashboard

This is an example of how you can build centralized visuals using the resilience data across your AWS Organization. You can customize the data pulled by the Lambda using additional Resilience Hub APIs and build visuals that are important to your business.

Additionally, with Amazon Q in QuickSight, you can further enhance this dashboard. Business users can use natural language to build, discover, and share meaningful insights from your resilience data in seconds, turning insights into impact faster. For more information on a similar approach, see the blog post that integrates CloudTrail with Amazon Q in QuickSight.

Clean Up

It’s a best practice to clean up any resources that you do not plan to continue using. This avoids any unexpected charges.
• To remove any resources created by CloudFormation, you can delete the stack. For more details, see How to delete a CloudFormation stack.
• Drop the Athena table.
• We recommend that you delete the QuickSight Analysis, QuickSight Dashboard and QuickSight Dataset created for this solution.

Conclusion

In this post, we walked you through the steps to enable users across your AWS Organization to visualize and assess resilience of your applications using a centralized dashboard. We also demonstrated how you can use CloudFormation to deploy AWS services such as Lambda and S3 to export Resilience Hub assessments as a CSV file and visualize this information in QuickSight dashboards. This helps provide your leadership and decision makers with a centralized view of your AWS Organization’s overall resilience posture. The aws-resilience-hub-tools repository also contains other assets and solutions that can enhance your experience using AWS Resilience Hub.

About the Authors

Snehal Nahar

Snehal Nahar is a Principal Technical Account Manager (Security Specialist) at AWS. She is passionate about building innovative solutions using AWS services to help customers achieve their business objectives. She enjoys spending time with family and friends, playing board games and watching TV.

Subha Kalia

Subha is an Enterprise Support Lead (TAM) at AWS in North Carolina. She has over 17 years of experience in technology across various roles. She is passionate about problem solving on behalf of our customers to reduce operational challenges and friction. Her focus area is AI/ML and Healthcare Life Sciences. Outside work, she enjoys traveling with her family, learning about different cultures and trying different cuisines.

Ravindra Kori

Ravindra Kori is a Solutions Architect and GenAI ambassador at AWS based in Arlington, specializing in Cloud Operations and Serverless technologies. He works extensively with Enterprise and Startup segments, architecting solutions and facilitating AWS modernization and migrations. Outside of work, he finds joy in playing drums and spending quality time with family.