The Problem: Security Visibility at Scale

In modern cloud environments, security vulnerabilities don’t announce themselves. They hide in:

• Outdated packages in Lambda functions
• Unpatched EC2 instances running critical workloads
• Container images with known CVEs in ECR
• Misconfigured security groups exposing services to the internet

The Challenge: Organizations using AWS face a fragmented security landscape:

• Security Hub aggregates findings but lacks actionable remediation
• Inspector scans for CVEs but doesn’t prioritize by business impact
• AWS Config checks compliance but doesn’t show cost implications
• Trusted Advisor provides recommendations but requires manual correlation

The Result: Security teams spend hours:

1. Manually correlating findings across multiple AWS services
2. Determining which vulnerabilities to fix first
3. Finding the exact commands to remediate issues
4. Tracking unused resources that increase attack surface

Our Solution: An Intelligent, Unified Security Dashboard

We built a comprehensive AWS Security Vulnerability Scanner that:

• Aggregates findings from Security Hub, Inspector, AWS Config, and Trusted Advisor
• Prioritizes vulnerabilities using intelligent scoring
• Provides exact remediation commands
• Identifies cost optimization opportunities
• Delivers an intuitive, scannable interface

Architecture Overview

Technical Implementation

1. Multi-Service Data Collection

Challenge: Each AWS security service returns data in different formats.

Solution: Unified scanner with normalized output:

class AWSSecurityScanner:
def __init__(self, region='us-east-1'):
self.securityhub = boto3.client('securityhub', region_name=region)
self.inspector = boto3.client('inspector2', region_name=region)
self.config = boto3.client('config', region_name=region)
self.support = boto3.client('support', region_name='us-east-1')

def scan_all(self):
findings = {
'security_hub': self.scan_security_hub_findings(),
'inspector': self.scan_inspector_vulnerabilities(),
'config': self.scan_config_compliance(),
'trusted_advisor': self.scan_trusted_advisor()
}
return self.generate_report(findings)

Key Features:

• Parallel API calls for performance
• Error handling for partial failures
• Pagination for large result sets
• Caching to reduce API costs

2. Operational Issue Detection

Beyond CVEs, we detect operational security issues:

class OperationalScanner:
def scan_unused_s3_buckets(self, days_threshold=90):
"""Find S3 buckets with no activity"""
# Check last modified date
# Calculate storage costs
# Generate deletion recommendations

def scan_expiring_certificates(self, days_threshold=30):
"""Find ACM certificates expiring soon"""
# Check NotAfter date
# Prioritize by usage (InUseBy)
# Alert on critical expirations

def scan_idle_load_balancers(self):
"""Find load balancers with no traffic"""
# Query CloudWatch metrics
# Calculate monthly cost waste
# Recommend deletion

Impact: Found $70/month in cost savings in our sandbox account alone.

3. Intelligent Prioritization

Challenge: Not all vulnerabilities are equal. A Critical CVE in a non-production Lambda is less urgent than a High CVE in a public-facing EC2 instance.

Solution: Multi-factor priority scoring:

function isTopPriority(finding) {
const severity = finding.Severity?.Label;
const fixAvailable = finding.Vulnerabilities?.[0]?.FixAvailable;
const ageInDays = calculateAge(finding.CreatedAt);
const isExposed = isInternetExposed(finding);

return (severity === 'CRITICAL' || severity === 'HIGH') &&
fixAvailable === 'YES' &&
ageInDays > 7 &&
isExposed;
}

Priority Factors:

• Severity (CVSS score)
• Fix availability
• Age (older = higher priority)
• Internet exposure
• Environment (production > non-production)

4. User Experience Innovation

Problem: Traditional security dashboards are overwhelming. Users see hundreds of findings with no clear action path.

Our Approach:

Key UX Improvements:

1. Compact Row View - Scan 10+ findings without scrolling
2. Global Filters - Filter by region, service, environment, time
3. Smart Search - Search CVE IDs, instance IDs, package names
4. Linked Remediation - Click vulnerability → See exact fix
5. Copy-Paste Commands - One-click copy of remediation commands
6. Auto-Refresh - Optional 5-minute auto-refresh with toast notifications

Performance Optimizations

1. Efficient Data Loading

// Cache busting for fresh data
const cacheBuster = new Date().getTime();
const response = await fetch(`findings.json?v=${cacheBuster}`);

// Skeleton loading states
function showLoadingState() {
const skeletonHTML = `
<div class="skeleton skeleton-card"></div>
<div class="skeleton skeleton-card"></div>
`;
container.innerHTML = skeletonHTML;
}

2. Client-Side Filtering

All filtering happens client-side for instant response:

function matchesGlobalFilters(finding) {
// Region filter
if (globalFilters.region && finding.Region !== globalFilters.region) {
return false;
}

// Service filter
if (globalFilters.service) {
const resourceType = finding.Resources?.[0]?.Type || '';
if (!resourceType.includes(globalFilters.service)) {
return false;
}
}

// Search filter (fuzzy match)
if (globalFilters.search) {
const searchText = globalFilters.search.toLowerCase();
return title.includes(searchText) ||
cve.includes(searchText) ||
resourceId.includes(searchText);
}

return true;
}

3. Smart Sorting

Multiple sort options with O(n log n) performance:

function sortFindings(findings, sortBy) {
switch(sortBy) {
case 'severity':
return findings.sort((a, b) =>
severityOrder[a.Severity.Label] - severityOrder[b.Severity.Label]
);
case 'cvss':
return findings.sort((a, b) =>
getCVSS(b) - getCVSS(a)
);
case 'age':
return findings.sort((a, b) =>
new Date(a.CreatedAt) - new Date(b.CreatedAt)
);
}
}

Deployment Architecture

Infrastructure as Code

# CloudFormation Template
Resources:
SecurityScannerFunction:
Type: AWS::Lambda::Function
Properties:
Runtime: python3.11
Handler: index.lambda_handler
Timeout: 300
Environment:
Variables:
REPORTS_BUCKET: !Ref SecurityReportsBucket
SNS_TOPIC_ARN: !Ref SecurityAlertsTopic

DailyScanRule:
Type: AWS::Events::Rule
Properties:
ScheduleExpression: 'cron(0 9 * * ? *)'
Targets:
- Arn: !GetAtt SecurityScannerFunction.Arn

Cost Optimization

Monthly Costs (Small Environment):

• Security Hub: $30
• Inspector: $40
• AWS Config: $15
• Lambda: $5
• S3 + CloudFront: $2
• Total: ~$92/month

ROI: Found $70/month in cost savings (idle resources) in first scan.

Results & Impact

Metrics from Sandbox Deployment:

• 73 vulnerabilities identified across 5 services
• 1 Critical (CVE-2025-69264 - pnpm RCE)
• 72 High severity findings
• 7 unused S3 buckets (inactive 100+ days)
• 1 idle load balancer ($20/month waste)
• 1 idle RDS instance ($50/month waste)

Time Savings:

• Before: 2-3 hours to manually correlate findings
• After: 5 minutes to identify and prioritize top issues

User Feedback:

• "Finally, a security dashboard that tells me what to do"
• "The copy-paste commands save so much time"
• "Love the Top Priority filter - shows exactly what needs fixing"

Lessons Learned

UX Matters in Security Tools

• Security teams are overwhelmed with data
• Actionable guidance > Raw findings
• Scannable interfaces > Detailed cards

Integration is Key

• No single AWS service provides complete visibility
• Correlation across services reveals true risk
• Operational issues (cost, unused resources) matter

Prioritization is Critical

• Not all vulnerabilities are equal
• Context matters (environment, exposure, age)
• Fix availability should drive priority

Automation Reduces Toil

• Daily scans catch new issues early
• Auto-generated remediation commands reduce errors
• Toast notifications build trust

Future Enhancements

Automated Remediation

• Auto-patch non-production resources
• Create Jira tickets for manual review
• Track remediation progress

ML-Based Prioritization

• Learn from user actions
• Predict likelihood of exploitation
• Recommend based on similar environments

Compliance Mapping

• Map findings to compliance frameworks (PCI-DSS, HIPAA, SOC 2)
• Generate compliance reports
• Track remediation for audits

Multi-Account Support

• Aggregate findings across AWS accounts
• Organization-wide dashboards
• Role-based access control

Conclusion

Building effective security tools requires more than just collecting data. It requires:

• Intelligent aggregation across multiple sources
• Smart prioritization based on real risk
• Actionable guidance that reduces time-to-fix
• Intuitive UX that security teams actually want to use

Our AWS Security Vulnerability Scanner demonstrates that with thoughtful design and implementation, security tools can be both powerful and delightful to use.

Reach Out to Us

Interested in modernizing your cloud infrastructure and building enterprise-grade solutions? Storm Reply is driven by continuous learning and practical innovation. We specialize in designing and delivering scalable AWS architectures that support customers throughout their cloud journey, from early assessment to production-ready deployment.

With deep experience in AWS architecture, data engineering, and security best practices, we help enterprises migrate with confidence and move faster on their cloud transformation goals.

Let’s connect and explore how we can support your modernization initiatives.

---

Tech Stack:

• Backend: Python 3.11, Boto3
• Frontend: Vanilla JavaScript, HTML5, CSS3
• Infrastructure: AWS Lambda, CloudFormation, S3, SNS
• APIs: Security Hub, Inspector, Config, Trusted Advisor