Part 3 of a 3-part series
Part 1 – Aggregating, searching, and visualizing log data from distributed sources with Amazon Athena and Amazon QuickSight
Part 2 – How to visualize Amazon Security Lake findings with Amazon QuickSight
This is the final part of a three-part series on visualizing security data using Amazon Security Lake and Amazon QuickSight. In Part 1, Aggregating, searching, and visualizing log data from distributed sources with Amazon Athena and Amazon QuickSight, you learned how to visualize metrics and logs centrally with QuickSight and AWS Lake Formation regardless of the service or application producing them. In Part 2, How to visualize Amazon Security Lake findings with Amazon QuickSight, you learned how to integrate Amazon Athena with Security Lake and create QuickSight visualizations of the data and events captured by Security Lake.
For companies where security management and ownership are distributed across a single organization in AWS Organizations, it's important to have a mechanism for securely sharing and visualizing security data. This can be achieved by enriching data within Security Lake with organizational unit (OU) structure and account tags, and using AWS Lake Formation to securely share data across your organization on a per-OU basis. Users can then analyze and visualize security data only for those AWS accounts in the OU that they've been granted access to. Enriching the data allows users to filter information using business-specific criteria, minimizing distractions and enabling them to focus on key priorities.
Distributed security ownership
It's common to find security ownership distributed across an organization in AWS Organizations. Take for example a parent company with legal entities operating under it, each responsible for the security posture of the AWS accounts within its lines of business. Not only is each entity accountable for managing and reporting on security within its area, it must not be able to view the security data of other entities within the same organization.
In this post, we discuss a common example of distributing dashboards on a per-OU basis for visualizing security posture measured by the AWS Foundational Security Best Practices (FSBP) standard as part of AWS Security Hub. You learn how to use a simple tool published on AWS Samples to extract OU and account tags from your organization and automatically create row-level security policies that share Security Lake data with AWS accounts you specify. At the end, you'll have an aggregated dataset of Security Hub findings enriched with AWS account metadata that you can use as a basis for building QuickSight dashboards.
Although this post focuses on sharing Security Hub data through Security Lake, the same steps can be performed to share any data, including Security Hub findings in Amazon S3, according to OU. You'll need to ensure that any tables you want to share contain an AWS account ID column and that the tables are managed by Lake Formation.
Prerequisites
This solution assumes you have:
Followed the previous posts in this series and understand how Security Lake, Lake Formation, and QuickSight work together.
Enabled Security Lake across your organization and have set up a delegated administrator account.
Configured Security Hub across your organization and have enabled the AWS FSBP standard.
Example organization
AnyCorp Inc, a fictional organization, wants to provide security compliance dashboards to its two subsidiaries, ExampleCorpEast and ExampleCorpWest, so that each only has access to data for its own company.
Each subsidiary has an OU under AnyCorp's organization as well as multiple nested OUs for each line of business it operates. ExampleCorpEast and ExampleCorpWest have their own security teams, and each operates a security tooling AWS account and uses QuickSight for visibility of security compliance data. AnyCorp has implemented Security Lake to centralize the collection and availability of security data across the organization and has enabled Security Hub and the AWS FSBP standard in every AWS account.
Note: Although this post describes a fictional OU structure to demonstrate the grouping and distribution of security data, you can substitute your own OU and AWS account details and achieve the same results.
Logical architecture
The solution consists of the following core components:
An AWS Lambda function is deployed into the Security Lake delegated administrator account (Account A). It extracts AWS account metadata for grouping Security Lake data and manages secure sharing through Lake Formation.
Lake Formation implements row-level security using data filters that restrict access to Security Lake data to only rows from AWS accounts in a particular OU. Lake Formation also manages the grants that allow consumer AWS accounts access to the filtered data.
An Amazon Simple Storage Service (Amazon S3) bucket stores the metadata tables that the solution uses. Apache Iceberg tables are used to allow record-level updates in S3.
QuickSight is configured within each data consumer AWS account (Account B) and is used to visualize the data for the AWS accounts within an OU.
Deploy the solution
You can deploy the solution through either the AWS Management Console or the AWS Cloud Development Kit (AWS CDK).
To deploy the solution using the AWS Management Console, follow these steps:
Download the CloudFormation template.
In your Amazon Security Lake delegated administrator account (Account A), navigate to create a new AWS CloudFormation stack.
Under Specify a template, choose Upload a template file and upload the file downloaded in the previous step. Then choose Next.
Enter RowLevelSecurityLakeStack as the stack name.
The table names used by Security Lake include AWS Region identifiers that you might need to change depending on the Region you're using Security Lake in. Edit the following parameters if required and then choose Next.
MetadataDatabase: the name you want to give the metadata database.
Default: aws_account_metadata_db
SecurityLakeDB: the Security Lake database as registered by Security Lake.
Default: amazon_security_lake_glue_db_ap_southeast_2
SecurityLakeTable: the Security Lake table you want to share.
Default: amazon_security_lake_table_ap_southeast_2_sh_findings_1_0
On the Configure stack options screen, leave all other values as default and choose Next.
On the next screen, navigate to the bottom of the page and select the checkbox next to I acknowledge that AWS CloudFormation might create IAM resources. Choose Submit.
The solution takes about 5 minutes to deploy.
To deploy the solution using the AWS CDK, follow these steps:
Download the code from the row-level-security-for-amazon-security-lake GitHub repository, where you can also contribute to the sample code. The CDK initializes your environment and uploads the Lambda assets to Amazon S3. Then, deploy the solution to your account.
For a CDK deployment, you can edit the same Region identifier parameters discussed in the CloudFormation deployment option by editing the cdk.context.json file and changing the metadata_database, security_lake_db, and security_lake_table values if required.
Once you're authenticated in the Security Lake delegated administrator account, you can bootstrap the account and deploy the solution by running the following commands:
cdk bootstrap
cdk deploy
Configuring the solution in the Security Lake delegated administrator account
After the solution has been successfully deployed, you can review the OUs discovered within your organization and specify which consumer AWS accounts (Account B) you want to share OU data with.
To specify AWS accounts to share OU security data with, follow these steps:
While in the Security Lake delegated administrator account (Account A), go to the Lake Formation console.
To view and update the metadata discovered by the Lambda function, you first must grant yourself access to the tables where it's stored. Select the radio button for aws_account_metadata_db. Then, under the Actions dropdown menu, select Grant.
On the Grant data permissions page, under Principals, select the IAM users and roles dropdown and select the IAM role that you're currently logged in as.
Under LF-Tags or catalog resources, select the Tables dropdown and select All tables.
Under Table permissions, select Select, Insert, and Alter. These permissions allow you to view and update the data in the tables.
Leave all other options as default and choose Grant.
Now go to the Athena console.
Note: To use Athena for queries you must configure an S3 bucket to store query results. If this is the first time Athena is being used in your account, you'll receive a message saying that you need to configure an S3 bucket. To do this, select the Edit settings button in the blue information notice and follow the instructions.
On the left side, select aws_account_metadata_db as the Database. You will see aws_account_metadata and ou_groups as tables within the database.
To view the OUs available within your organization, paste the following query into the Athena query editor window and choose Run.
Next, you must specify an AWS account you want to share an OU's data with. Run the following SQL query in Athena and replace <AWS account Id> and <OU to assign> with values from your organization:
In the example organization, all ExampleCorpWest security data is shared with AWS account 123456789012 (Account B) using the following SQL query:
Note: You must specify the full OU path beginning with OU=root.
Repeat this process for each OU you want to assign different AWS accounts to.
Note: You can only assign one AWS account ID to each OU group.
You can confirm that the changes have been applied by running the Athena query from Step 3 again.
You should see the AWS account ID you specified next to your OU.
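The queries themselves are not reproduced on this page, so the following is an added example (not the sample project's own SQL) of how the review, assignment and confirmation steps above can be carried out in the Athena query editor of Account A, with aws_account_metadata_db selected as the database. The column names ou_groups(ou_path, aws_account_id) and aws_account_metadata(account_id, ou_path), the slash-separated OU path format, and the treatment of nested OUs as part of their parent's share are all assumptions; check the tool's actual schema before running them.

```sql
-- Added example; run in Account A's Athena query editor with
-- aws_account_metadata_db as the selected database.
-- ASSUMED schema: ou_groups(ou_path, aws_account_id) and
-- aws_account_metadata(account_id, ou_path). The "/"-separated OU path
-- format is also an assumption; the post only requires it to begin with OU=root.

-- 1. List the OUs the Lambda function discovered, together with the consumer
--    account already assigned to each (NULL means the OU is not shared yet).
SELECT ou_path, aws_account_id
FROM ou_groups
ORDER BY ou_path;

-- 2. Assign one consumer account to an OU. ou_groups is an Apache Iceberg
--    table, so Athena can UPDATE it in place. 123456789012 is the example
--    organization's Account B; only one account ID can be set per OU group.
UPDATE ou_groups
SET aws_account_id = '123456789012'
WHERE ou_path = 'OU=root/OU=ExampleCorpWest';

-- 3. Before invoking the Lambda function, preview which accounts the row-level
--    filter for that OU will expose. Nested OUs are assumed to be included
--    because their path starts with the parent's path.
SELECT account_id, ou_path
FROM aws_account_metadata
WHERE ou_path = 'OU=root/OU=ExampleCorpWest'
   OR ou_path LIKE 'OU=root/OU=ExampleCorpWest/%'
ORDER BY ou_path, account_id;

-- 4. Re-run the listing restricted to assigned OUs to confirm the change.
SELECT ou_path, aws_account_id
FROM ou_groups
WHERE aws_account_id IS NOT NULL
ORDER BY ou_path;
```

Step 3 is the check worth doing before the hourly run or a manual invocation: the account IDs it returns are exactly the set the data cell filter will allow through, so an unexpected account here means the OU path (or an account's OU membership) needs correcting before anything is shared.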
Invoke the Lambda function manually
By default, the Lambda function is scheduled to run hourly to monitor for changes to AWS account metadata and to update Lake Formation sharing permissions (grants) if needed. To perform the remaining steps in this post without waiting for the hourly run, you must invoke the Lambda function manually.
To invoke the Lambda function manually, follow these steps:
Open the AWS Lambda console.
Select the RowLevelSecurityLakeStack-* Lambda function.
Under Code source, choose Test.
The Lambda function doesn't take any parameters. Enter rl-sec-lake-test as the Event name and leave all other options as the default. Choose Save.
Choose Test again. The Lambda function takes approximately 5 minutes to complete in an environment with fewer than 100 AWS accounts.
After the Lambda function has finished, you can review the data cell filters and grants that have been created in Lake Formation to securely share Security Lake data with your consumer AWS account (Account B).
To review the data filters and grants, follow these steps:
Open the Lake Formation console.
In the navigation pane, select Data filters under Data catalog to see a list of data cell filters that have been created for each OU that you assigned a consumer AWS account to. One filter is created per table. Each consumer AWS account is granted restricted access to the aws_account_metadata table and the aggregated Security Lake table.
Select one of the filters in the list and choose Edit. Edit data filter displays information about the filter, such as the database and table it's applied to, as well as the Row filter expression that enforces row-level security by only returning rows where the AWS account ID is in the OU the filter applies to. Choose Cancel to close the window.
To see how the filters are used to grant restricted access to your tables, select Data lake permissions under Permissions in the navigation pane. In the search bar under Data permissions, enter the AWS account ID of your consumer AWS account (Account B) and press Enter. You will see a list of all the grants applied to that AWS account. Scroll to the right to see a column titled Resource that lists the names of the data cell filters you saw in the previous step.
You can now move on to setting up the consumer AWS account.
Configuring QuickSight in the consumer AWS account (Account B)
Now that you've configured everything in the Security Lake delegated administrator account (Account A), you can configure QuickSight in the consumer account (Account B).
To confirm you can access the shared tables, follow these steps:
Sign in to your consumer AWS account (also known as Account B).
Follow the same steps as outlined in this previous post (NEEDS 2ND POST IN SERIES LINK WHEN LIVE) to accept the AWS Resource Access Manager invitation, create a new database, and create resource links for the aws_account_metadata and amazon_security_lake_table_<region>_sh_findings_1_0 tables that have been shared with your consumer AWS account. Make sure you create resource links for both tables shared with the account. When done, return to this post and continue with step 3.
[Optional] After the resource links have been created, test that you're able to query the data by selecting the radio button next to the aws_account_metadata resource link, selecting Actions, and then selecting View data under Table. This takes you to the Athena query editor, where you can now run queries on the shared tables.
Note: To use Athena for queries you must configure an S3 bucket to store query results. If this is the first time Athena is being used in your account, you'll receive a message saying that you need to configure an S3 bucket. To do this, choose Edit settings in the blue information notice and follow the instructions.
In the Editor configuration, select AwsDataCatalog from the Data source options. The Database should be the database you created in the previous steps, for example security_lake_visualization. After selecting the database, copy the SQL query that follows, paste it into your Athena query editor, and choose Run. You'll only see rows of account information from the OU you previously shared.
Next, to enrich your Security Lake data with the AWS account metadata, you need to create an Athena view that joins the datasets and filters the results to only return findings from the AWS Foundational Security Best Practices standard. You can do this by copying the query below and running it in the Athena query editor.
The SQL above uses a subquery to find only those findings in the Security Lake table that come from the AWS FSBP standard and then joins those rows with the aws_account_metadata table on the AWS account ID. You can see that it has created a new view, listed under Views, containing enriched security data that you can import as a dataset in QuickSight.
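The verification query and the view definition are not reproduced on this page either, so the following is an added example (not the sample project's own SQL) of both steps, run in Account B's Athena query editor with AwsDataCatalog as the data source and security_lake_visualization as the database. It assumes the resource links are named aws_account_metadata and amazon_security_lake_table_ap_southeast_2_sh_findings_1_0 (the stack defaults; substitute your Region), that aws_account_metadata has columns account_id, account_name and ou_path, and that the findings table carries the OCSF columns time, severity, cloud.account_uid, finding.title, compliance.status and compliance.standards. All of these column names are assumptions to be checked against your tables.

```sql
-- Added example; run in Account B's Athena query editor with
-- Data source AwsDataCatalog and Database security_lake_visualization.
-- ASSUMED schema: aws_account_metadata(account_id, account_name, ou_path) and
-- OCSF columns time, severity, cloud.account_uid, finding.title,
-- compliance.status, compliance.standards in the Security Hub findings table.

-- 1. Confirm the share: Lake Formation applies the row filter, so only
--    accounts from the OU granted to this consumer account come back.
SELECT account_id, account_name, ou_path
FROM aws_account_metadata
ORDER BY ou_path, account_id;

-- 2. Build the enriched view. The subquery keeps only findings that belong
--    to the AWS FSBP standard; the join attaches OU and account metadata on
--    the AWS account ID. The row filters still apply underneath the view.
CREATE OR REPLACE VIEW security_hub_fsbps_joined_view AS
SELECT
    f."time"            AS event_time,
    f.cloud.account_uid AS aws_account_id,
    m.account_name,
    m.ou_path,
    f.finding.title     AS finding_title,
    f.severity,
    f.compliance.status AS compliance_status
FROM (
    SELECT *
    FROM amazon_security_lake_table_ap_southeast_2_sh_findings_1_0
    WHERE any_match(compliance.standards,
                    s -> s LIKE '%aws-foundational-security-best-practices%')
) f
JOIN aws_account_metadata m
    ON m.account_id = f.cloud.account_uid;

-- 3. Sanity check before importing into QuickSight: failed FSBP controls per
--    account, which should only ever list accounts from the shared OU.
SELECT aws_account_id, account_name, ou_path, count(*) AS failed_controls
FROM security_hub_fsbps_joined_view
WHERE compliance_status = 'FAILED'
GROUP BY aws_account_id, account_name, ou_path
ORDER BY failed_controls DESC;
```

An inner join is deliberate: a finding whose account is not in the shared metadata table (and therefore not in the OU) is dropped rather than shown with blank metadata, so the view never widens what the Lake Formation filters allow. If step 3 lists an account you did not expect, fix the OU assignment in Account A rather than the view.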
Configuring QuickSight
To perform the initial steps to set up QuickSight in the consumer AWS account, you can follow the steps listed in the second post in this series. You must also provide the following grants to your QuickSight user:
Type            | Resource                                                              | Permissions
GRANT           | security_hub_fsbps_joined_view                                        | SELECT
GRANT           | aws_metadata_db (resource link)                                       | DESCRIBE
GRANT           | amazon_security_lake_table_<region>_sh_findings_1_0 (resource link)   | DESCRIBE
GRANT ON TARGET | aws_metadata_db (resource link)                                       | SELECT
GRANT ON TARGET | amazon_security_lake_table_<region>_sh_findings_1_0 (resource link)   | SELECT
To create a new dataset in QuickSight, follow these steps:
After your QuickSight user has the necessary permissions, open the QuickSight console and verify that you're in the same Region where Lake Formation is sharing the data.
Add your data by choosing Datasets from the navigation pane and then selecting New dataset. To create a new dataset from new data sources, select Athena.
Enter a data source name, for example security_lake_visualization, and leave the Athena workgroup as [ primary ]. Then choose Create data source.
The next step is to select the tables to build your dashboards from. On the Choose your table prompt, for Catalog, select AwsDataCatalog. For Database, select the database you created in the previous steps, for example security_lake_visualization. For Table, select the security_hub_fsbps_joined_view you created previously and choose Edit/Preview data.
You'll be taken to a screen where you can preview the data in your dataset.
After you confirm you're able to preview the data from the view, select the SPICE radio button in the bottom left of the screen and then choose PUBLISH & VISUALIZE.
You can now create analyses and dashboards from Security Hub AWS FSBP standard findings per OU and filter data based on the business dimensions available to you through OU structure and account tags.
Clean up the resources
To clean up the resources that you created for this example:
Sign in to the Security Lake delegated administrator account and delete the CloudFormation stack by either:
Using the CloudFormation console to delete the stack, or
Using the AWS CDK to run cdk destroy in your terminal. Follow the instructions and enter y when prompted to delete the stack.
Remove any data filters you created by navigating to Data filters within Lake Formation, selecting each one, and choosing Delete.
Conclusion
In this final post of the series on visualizing Security Lake data with QuickSight, we introduced you to a tool, available from AWS Samples, that extracts OU structure and account metadata from your organization and uses it to securely share Security Lake data on a per-OU basis across your organization. You learned how to enrich Security Lake data with account metadata and use it to create row-level security controls in Lake Formation. You were then able to address a common example of distributing security posture measured by the AWS Foundational Security Best Practices standard as part of AWS Security Hub.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.