AWS Cloud Operations Blog
Centralized Dashboard for AWS Config and AWS Security Hub
Back in July 2022, we announced AWS Config compliance scores for conformance packs, which help you quantify your compliance posture as an Amazon CloudWatch metric. It’s a quantitative measure of compliance status. Customers can have hundreds of AWS accounts where AWS Config is enabled, and each account and each AWS Region has a different compliance score. While the aggregated score lets you track overall compliance status, it is important to look at the compliance score for every account and every Region to check the progress made by each team.
AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices. AWS Security Hub uses service-linked rules from AWS Config to run security checks for most controls. Security Hub also displays a security score from 0–100 percent for each enabled standard.
In this blog post, we show you how to create an Amazon CloudWatch dashboard from custom metrics, giving you a centralized dashboard for monitoring multi-account, multi-Region compliance scores for AWS Config and security scores for AWS Security Hub.
Architecture
Prerequisites
To utilize our solution, you need the following tools:
- AWS CLI – Install the AWS CLI
- SAM CLI – Install the SAM CLI. The Serverless Application Model Command Line Interface (SAM CLI) is an extension of the AWS CLI that adds functionality for building and testing Lambda applications.
- Python 3.8 – Install Python
Download the solution
The application has 2 directories:
- aws_status_check_app – A SAM Application with AWS Lambda functions and AWS CloudFormation Template (template.yaml) to deploy the resources by using SAM CLI. This application is deployed in the AWS Organization management account.
- StacksetCFTemplate – This directory contains an AWS CloudFormation StackSet template file that defines the IAM role and IAM policy deployed to the member accounts. This IAM role and policy are required in each member account so that the application can call AssumeRole and gather the AWS service status.
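The pattern the Lambda in aws_status_check_app follows, as an added example that is not the post's own code: assume the StackSet-deployed role in a member account, read each Region's conformance pack compliance scores, and publish them as custom metrics under the CustomMetrics/Config namespace the post uses. The role name ConfigStatusCheckRole, the metric name and the dimensions are assumptions; the scores list is a constructed sample.

```python
CONFIG_NAMESPACE = "CustomMetrics/Config"  # namespace the post's Config metrics use
ROLE_NAME = "ConfigStatusCheckRole"        # assumed name of the StackSet-deployed role
# Constructed sample of one ListConformancePackComplianceScores response page.
SAMPLE_SCORES = [
    {"ConformancePackName": "Operational-Best-Practices-for-CIS", "Score": "85"},
    {"ConformancePackName": "Operational-Best-Practices-for-PCI", "Score": "INSUFFICIENT_DATA"},
]

def score_metrics(account_id, region, scores):
    """Shape score entries into PutMetricData entries keyed by account, Region and pack.
    Score is a string; a pack with no evaluation results reports INSUFFICIENT_DATA and is
    skipped rather than published as 0, which would look like a failing pack on the dashboard."""
    data = []
    for s in scores:
        if s["Score"] == "INSUFFICIENT_DATA":
            continue
        data.append({
            "MetricName": "ComplianceScore",
            "Dimensions": [{"Name": "AccountId", "Value": account_id},
                           {"Name": "Region", "Value": region},
                           {"Name": "ConformancePackName", "Value": s["ConformancePackName"]}],
            "Value": float(s["Score"]),
            "Unit": "Percent",
        })
    return data

def collect_account(account_id, regions):
    """Assume the member-account role, page through scores in each Region and publish them
    from the management account. boto3 is imported here so score_metrics runs offline."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="config-status-check")["Credentials"]
    cw, published = boto3.client("cloudwatch"), 0
    for region in regions:
        cfg = boto3.client("config", region_name=region, aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"], aws_session_token=creds["SessionToken"])
        scores, kwargs = [], {}
        while True:  # results are paged via NextToken
            resp = cfg.list_conformance_pack_compliance_scores(**kwargs)
            scores.extend(resp["ConformancePackComplianceScores"])
            if not resp.get("NextToken"):
                break
            kwargs = {"NextToken": resp["NextToken"]}
        data = score_metrics(account_id, region, scores)
        for i in range(0, len(data), 20):  # 20 per call stays within the PutMetricData limit
            cw.put_metric_data(Namespace=CONFIG_NAMESPACE, MetricData=data[i:i + 20])
        published += len(data)
    return published  # number of metrics published across all Regions
```

The member-account role only needs config:ListConformancePackComplianceScores, since PutMetricData is called with the management account's own credentials.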
How to build and deploy this application
- Build the application with the sam build command after navigating into the aws_status_check_app directory.
- Package and deploy the application to AWS with sam deploy --guided, which walks you through a series of prompts:
  - Stack Name: aws-status-check-app
  - AWS Region: the AWS Region where this solution will be deployed.
  - Parameter CheckFrequencyInterval: defines how often the Lambda function executes to check the AWS Config status. Allowed values are “rate(1 day)”, “rate(12 hours)”, “rate(6 hours)”, “rate(3 hours)” and “rate(1 hour)”.
  - Parameter CheckAllAccountsinOrgCondition: if set to true, the MemberAccountIds parameter is ignored and the application checks the status of AWS Config in all accounts and Regions across the AWS Organization. If set to false, set the MemberAccountIds parameter. Allowed values are “true” or “false”.
  - Parameter MemberAccountIds: if CheckAllAccountsinOrgCondition is set to false, enter a comma-separated list of AWS account IDs where you want the application to check the AWS Config status. Leave this parameter at its default value if you set CheckAllAccountsinOrgCondition to true. [Eg: 12345634344,434345555333,455454545324]
  - Confirm changes before deploy: if set to yes, any change sets will be shown to you before execution for manual review. If set to no, the AWS SAM CLI will deploy application changes automatically.
  - Allow SAM CLI IAM role creation: to deploy this application’s AWS CloudFormation stack, which creates or modifies IAM roles, the CAPABILITY_IAM value for capabilities must be provided. If permission isn’t granted through this prompt, you must explicitly pass --capabilities CAPABILITY_IAM to the sam deploy command to deploy this example.
  - Save arguments to samconfig.toml: if set to yes, your choices are saved to a configuration file inside the project, so that in the future you can re-run sam deploy without parameters to deploy changes to your application.
- Create an AWS CloudFormation StackSet using the AWS CLI. Make sure you have the required permissions for StackSet operations. Provide the AWS management account ID where this StackSet will be deployed.
- Create AWS CloudFormation stack instances using the AWS CLI. Provide the OrganizationalUnitIds of the member accounts to which the stack instances are deployed.
Troubleshooting the Lambda function
To simplify troubleshooting, the SAM CLI has a command called sam logs, which lets you fetch the logs generated by your deployed Lambda function from the command line. In addition to printing the logs on the terminal, this command has several useful features to help you quickly find the bug.
Create CloudWatch Dashboard using custom metrics
- After a few minutes, log in to the Amazon CloudWatch console to view the custom metrics under the custom namespaces CustomMetrics/Config and CustomMetrics/SecurityHub.
- Follow the steps here to create a CloudWatch dashboard from custom metrics. Below is a sample centralized dashboard for the compliance scores and the Security Hub security score.
Cleanup
- To delete the awsstatuscheck application that you created, use the SAM CLI.
- Delete the Stack Instances from AWS CloudFormation StackSet using AWS CLI.
- Wait for Step 2 to finish. Then, delete the AWS CloudFormation StackSet using AWS CLI.
Conclusion
In this blog post, we showed you how to create custom metrics for monitoring multi-account, multi-Region compliance scores for AWS Config and security scores for AWS Security Hub. We then used these custom metrics to build a centralized security dashboard with Amazon CloudWatch dashboards.