{"id":46380108,"url":"https://github.com/conijnio/aws-security-posture","last_synced_at":"2026-03-05T06:03:08.231Z","repository":{"id":198160654,"uuid":"699343616","full_name":"conijnio/aws-security-posture","owner":"conijnio","description":"Keep a historic overview of your compliance scores per workload","archived":false,"fork":false,"pushed_at":"2024-12-18T10:33:42.000Z","size":1372,"stargazers_count":4,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2024-12-18T11:36:53.628Z","etag":null,"topics":["compliance","security"],"latest_commit_sha":null,"homepage":"https://conijn.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/conijnio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-02T12:58:33.000Z","updated_at":"2024-12-18T10:33:52.000Z","dependencies_parsed_at":"2024-12-18T11:33:55.675Z","dependency_job_id":"7de2893e-aece-48aa-b19f-91a2ad18b39a","html_url":"https://github.com/conijnio/aws-security-posture","commit_stats":null,"previous_names":["conijnio/aws-security-posture"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/conijnio/aws-security-posture","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conijnio%2Faws-security-posture","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conijnio%2Faws-security-posture/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conijnio%2Faws-security-posture/releases","manifests_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/conijnio%2Faws-security-posture/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/conijnio","download_url":"https://codeload.github.com/conijnio/aws-security-posture/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/conijnio%2Faws-security-posture/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30111780,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T03:40:26.266Z","status":"ssl_error","status_checked_at":"2026-03-05T03:39:15.902Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance","security"],"created_at":"2026-03-05T06:03:07.325Z","updated_at":"2026-03-05T06:03:08.222Z","avatar_url":"https://github.com/conijnio.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Security Posture - Solution\n\n[AWS Security Posture](http://github.com/conijnio/aws-security-posture) collects security hub findings on a configurable interval, and extracts meaningful metrics. 
These metrics are stored in CloudWatch Metrics and can be visualized using CloudWatch Dashboards.\n\n![CloudWatch Dashboard Example](./assets/images/dashboard_example.png)\n\nThis solution was designed to be hosted in the account where you have your Security Hub aggregation configured. This way\nyou do not need to deploy it in every account individually. It also ensures that all accounts get a security score.\nWhenever there are findings, a score is calculated.\n\nYou will be able to create dashboards like the one shown above. The sample was created using [`compliance-dashboard.yaml`](./compliance-dashboard.yaml).\nIt assumes that you have 5 AWS accounts per workload: `build`, `development`, `test`, `acceptance` and `production`.\nYou can easily change this to match your own setup.\n\n## Implementation\n\n![AWS StepFunctions Example](./assets/images/state_machine.png)\n\n1. Use the given filter to retrieve the findings; we fetch 100 findings per invocation.\n2. When the response contains a `NextToken`, collect the remaining findings.\n3. Check whether the fetched findings need to be aggregated (repeat until all findings have been collected).\n4. Split the findings per AWS Account ID.\n5. In parallel, we will now:\n   1. Fetch the account name and extract the workload name and environment.\n   2. Calculate the score based on the findings.\n6. Publish the results to CloudWatch Metrics.\n\n## Filters\n\nThe state machine accepts a filter; its format is the [Security Hub filter](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AwsSecurityFindingFilters.html)\nitself. 
For example, to get all `CIS AWS Foundations Benchmark` findings you can use the following filter:\n\n```yaml\nBucket: !Ref FindingsBucket\nReport: cis-aws-foundations-benchmark-v1.2.0\nSubscriptionArn: !Sub arn:aws:securityhub:${AWS::Region}:${AWS::AccountId}:subscription/cis-aws-foundations-benchmark/v/1.2.0\nFilter:\n  GeneratorId:\n    - Comparison: PREFIX\n      Value: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0\n  RecordState:\n    - Comparison: EQUALS\n      Value: ACTIVE\n  WorkflowStatus:\n    - Comparison: EQUALS\n      Value: NEW\n    - Comparison: EQUALS\n      Value: NOTIFIED\n```\n\nBecause the filter keeps only `ACTIVE` findings in the `NEW` or `NOTIFIED` workflow state, findings that have been resolved or suppressed in Security Hub do not lower the score.\n\nBy default, the following generators are used to generate the compliance scores:\n\n- `arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0`\n- `aws-foundational-security-best-practices/v/1.0.0`\n\n### Using conformance packs\n\nYou can also generate compliance scores based on a conformance pack. You need to supply the conformance pack name,\nand all of your Config rules need to share a common prefix.\n\n```yaml\nBucket: !Ref FindingsBucket\nReport: lz-standard\nConformancePack: !Ref ConformancePack\nFilter:\n  Title:\n    - Comparison: PREFIX\n      Value: lz-\n  RecordState:\n    - Comparison: EQUALS\n      Value: ACTIVE\n  WorkflowStatus:\n    - Comparison: EQUALS\n      Value: NEW\n    - Comparison: EQUALS\n      Value: NOTIFIED\n```\n\nThe name of the conformance pack is used to query all rules in the pack. Security Hub only displays failed Config rules,\nso we need the total number of controls to calculate the actual compliance score.\n\n### Using custom rules\n\nYou can also generate compliance scores based on custom rules. 
You need to supply the list of rules that are part of your report,\nand all of your Config rules need to share a common prefix.\n\n```yaml\nBucket: !Ref FindingsBucket\nReport: lz-standard\nCustomRules:\n  - lz-my-rule-1\n  - lz-my-rule-2\n  - lz-my-rule-3\n  - lz-my-rule-4\nFilter:\n  Title:\n    - Comparison: PREFIX\n      Value: lz-\n  RecordState:\n    - Comparison: EQUALS\n      Value: ACTIVE\n  WorkflowStatus:\n    - Comparison: EQUALS\n      Value: NEW\n    - Comparison: EQUALS\n      Value: NOTIFIED\n```\n\nThe supplied list of rules determines the total number of controls in the report. Security Hub only displays failed Config rules,\nso we need the total number of controls to calculate the actual compliance score.\n\n## Getting started\n\nThis solution uses [SAM (AWS Serverless Application Model)](https://aws.amazon.com/serverless/sam/) to deploy the resources.\nOne of the reasons to choose SAM is that it comes with an easy way to build and package AWS Lambda functions.\n\nYou can use the supplied `buildspec.yml` to build the solution via [AWS CodePipeline](https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html) \u0026 [AWS CodeBuild](https://docs.aws.amazon.com/codebuild/latest/userguide/welcome.html). 
Afterward, you can deploy the generated `packaged-template.yaml` together with `configuration.json` using [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) in the same pipeline.\n\nBuilding and deploying the solution:\n\n```shell\n# Builds the solution\nmake build\n\n# Deploys the solution\nmake deploy\n```\n\n## Running the Go environment locally\n\nYou can run this project in a local container with the following commands (the `cd` is run inside the container):\n\n```shell\n# Start a Go container with the repository mounted at /go/aws-security-posture\ndocker run --rm -it -v $(pwd):/go/aws-security-posture public.ecr.aws/docker/library/golang:latest\n\n# Inside the container, switch to the mounted repository\ncd /go/aws-security-posture\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconijnio%2Faws-security-posture","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconijnio%2Faws-security-posture","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconijnio%2Faws-security-posture/lists"}
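The Filters, conformance pack and custom rules sections of the README above describe in prose how findings are filtered and how a score is derived from them. The following Go program is an added example written for this page, not code from the aws-security-posture repository: it evaluates a Security Hub filter locally and computes a per-account compliance score from a rule list and a set of findings. The `Finding`, `StringFilter` and `Filter` types, the four `lz-` rules, the three account IDs and the findings are all constructed for the example; the filter semantics follow the `AwsSecurityFindingFilters` documentation (EQUALS/PREFIX entries on one field are OR-ed, NOT_EQUALS/PREFIX_NOT_EQUALS entries are AND-ed, and fields are AND-ed), and the score formula, 100 * (rules - distinct failed rules) / rules, is this example's own reading of the README's note that Security Hub only shows failed rules, not the repository's implementation.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding holds the ASFF fields this example filters on (all values below are constructed).
// StringFilter mirrors Security Hub's StringFilter, where Comparison is one of EQUALS, PREFIX,
// NOT_EQUALS or PREFIX_NOT_EQUALS. Filter is the subset of AwsSecurityFindingFilters used here.
type Finding struct{ AwsAccountId, GeneratorId, Title, RecordState, WorkflowStatus string }
type StringFilter struct{ Comparison, Value string }
type Filter struct{ GeneratorId, Title, RecordState, WorkflowStatus []StringFilter }

// matchField applies one field's filters with Security Hub semantics: an empty list
// matches everything, EQUALS/PREFIX are OR-ed, NOT_EQUALS/PREFIX_NOT_EQUALS are AND-ed.
func matchField(value string, filters []StringFilter) bool {
	hit, anyPositive := false, false
	for _, f := range filters {
		prefix := strings.HasPrefix(f.Comparison, "PREFIX")
		eq := value == f.Value || (prefix && strings.HasPrefix(value, f.Value))
		switch f.Comparison {
		case "EQUALS", "PREFIX":
			anyPositive, hit = true, hit || eq
		case "NOT_EQUALS", "PREFIX_NOT_EQUALS":
			if eq {
				return false
			}
		default:
			return false // unknown comparison: fail closed instead of matching
		}
	}
	return !anyPositive || hit
}

// Matches AND-s the per-field results, as the GetFindings API does.
func (fl Filter) Matches(f Finding) bool {
	return matchField(f.GeneratorId, fl.GeneratorId) && matchField(f.Title, fl.Title) &&
		matchField(f.RecordState, fl.RecordState) && matchField(f.WorkflowStatus, fl.WorkflowStatus)
}

// Scores returns a 0-100 compliance score per account. Security Hub only reports failed
// rules, so the report's full rule list (conformance pack or CustomRules) is the denominator;
// a rule failing on several resources counts once, findings for rules outside the report are
// ignored, and an account with no matching findings scores 100.
func Scores(accounts, rules []string, fl Filter, findings []Finding) (map[string]float64, error) {
	inReport := map[string]bool{}
	for _, r := range rules {
		inReport[r] = true
	}
	if len(inReport) == 0 {
		return nil, fmt.Errorf("report defines no rules; a score would divide by zero")
	}
	failed := map[string]map[string]bool{} // account -> set of failed rule titles
	for _, acc := range accounts {
		failed[acc] = map[string]bool{}
	}
	for _, f := range findings {
		if !fl.Matches(f) || !inReport[f.Title] {
			continue
		}
		if failed[f.AwsAccountId] == nil {
			failed[f.AwsAccountId] = map[string]bool{}
		}
		failed[f.AwsAccountId][f.Title] = true
	}
	scores := map[string]float64{}
	for acc, set := range failed {
		scores[acc] = 100 * float64(len(inReport)-len(set)) / float64(len(inReport))
	}
	return scores, nil
}

// ExampleInput is a constructed lz- report: the README's prefix filter, four rules, and
// findings that exercise each reason a finding is or is not counted.
func ExampleInput() (accounts, rules []string, fl Filter, findings []Finding) {
	accounts = []string{"111111111111", "222222222222", "333333333333"}
	rules = []string{"lz-my-rule-1", "lz-my-rule-2", "lz-my-rule-3", "lz-my-rule-4"}
	fl = Filter{
		Title:          []StringFilter{{"PREFIX", "lz-"}},
		RecordState:    []StringFilter{{"EQUALS", "ACTIVE"}},
		WorkflowStatus: []StringFilter{{"EQUALS", "NEW"}, {"EQUALS", "NOTIFIED"}},
	}
	findings = []Finding{
		{"111111111111", "config", "lz-my-rule-1", "ACTIVE", "NEW"},
		{"111111111111", "config", "lz-my-rule-1", "ACTIVE", "NOTIFIED"}, // same rule, second resource
		{"111111111111", "config", "lz-my-rule-2", "ACTIVE", "RESOLVED"}, // dropped: not NEW/NOTIFIED
		{"111111111111", "config", "lz-my-rule-3", "ARCHIVED", "NEW"},    // dropped: not ACTIVE
		{"222222222222", "config", "other-rule", "ACTIVE", "NEW"},        // dropped: outside the lz- report
		{"222222222222", "config", "lz-my-rule-2", "ACTIVE", "NEW"},
		{"222222222222", "config", "lz-my-rule-4", "ACTIVE", "NEW"},
	}
	return
}

func main() {
	scores, err := Scores(ExampleInput())
	if err != nil {
		panic(err)
	}
	fmt.Println(scores) // map[111111111111:75 222222222222:50 333333333333:100]
}
```

Run it with `go run main.go`. It makes explicit what the prose leaves implicit: two findings for the same rule in one account (one per resource) count as a single failed control, a finding whose title is outside the report's rule list is ignored even if the prefix filter lets it through, an account without matching findings still receives a score (100), and an empty rule list is rejected instead of dividing by zero.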