GraphSecure: AWS Compliance & Security Insights
- GraphSecure is a web-based application that automates AWS CIS Benchmark assessments with interactive, real-time compliance visualization.
- It employs a serverless, microservices architecture using AWS Lambda, DynamoDB, and CloudFormation for scalable multi-account scan orchestration.
- The tool presents comprehensive dashboards with charts and drillable tables that deliver actionable remediation steps for identified security gaps.
GraphSecure is a web-based application designed for advanced analysis and visualization of security scanning results, focusing on automated, real-time compliance assessment for Amazon Web Services (AWS) environments against Center for Internet Security (CIS) Benchmarks. The system tightly integrates CIS rule evaluation, serverless AWS orchestration, and a front-end dashboard, providing statistical charts, drillable tables, and actionable remediation steps for identified compliance gaps (Zhao et al., 12 Dec 2025).
1. System Goals and Justification
GraphSecure addresses the need for scalable, automated security posture assessment in multi-account AWS environments. Its primary objectives are:
- Automation of CIS Benchmark assessment: Allowing users to initiate scans for one or more AWS accounts and validate them against selected CIS Benchmark controls.
- Real-time compliance visualization: Returning scan results as statistical charts and tabular summaries for immediate interpretation.
- Actionable remediation: Presenting granular, CIS-sourced steps to address failed checks directly within the application.
Manual compliance operations with CIS Benchmarks are noted as error-prone and labor-intensive, particularly as the benchmarks' coverage grows. Existing AWS tools (e.g., Trusted Advisor, GuardDuty, AWS Config) are limited in scope—often tied to single accounts or specific rule sets—and do not offer unified, risk-oriented visualizations or integrated remediation guidance. GraphSecure bridges these gaps using a combination of serverless scan orchestration, formal CIS rule evaluation, and interactive dashboards.
2. Architecture and Data Organization
GraphSecure employs a fully serverless, microservices-style architecture. Core system components and their interactions are diagrammed in Figure 1 of the cited paper, summarized as follows:
- CI/CD pipeline: AWS CodeCommit and CodeBuild package the front-end (React + TypeScript) and back-end (Node.js with Lambda and CloudFormation templates).
- Artifact storage and deployment: Amazon S3 for build artifacts; CloudFormation provisioning for API Gateway (REST endpoints), Lambda functions (for scan initiation and result retrieval), DynamoDB tables (results and history), and Cognito for user authentication.
- User workflow: Authentication via Cognito linked to API Gateway, scan requests executed by Lambda functions, and result retrieval for front-end rendering.
- Data model: Raw scan results are stored as JSON per CIS rule check:
  {
    "scanId": "UUID",
    "timestamp": "2025-11-28T12:34:56Z",
    "resourceType": "EC2::Instance",
    "resourceId": "i-0abcdef1234567890",
    "cisRuleId": "1.1.0",
    "category": "IAM",
    "status": "PASS"
  }
The DynamoDB table uses scanId as the partition key and cisRuleId as the sort key, with timestamp, resourceType, status, and details (JSON) as attributes. Note that this key admits only one item per rule per scan, so a rule evaluated against many resources (as the per-resource records above imply) needs the resourceId folded into the sort key or the per-resource outcomes carried in the details attribute. Data for visualization is aggregated in-memory on the front-end using category and rule indices and handed to Chart.js for rendering.
3. Methodology: Scanning and Compliance Evaluation
Scan Orchestration
Scans are user-initiated. The workflow proceeds as:
- User selects desired CIS categories and triggers scan via dashboard.
- The front-end sends a POST /scan request through API Gateway, which dispatches it to LambdaScanRunner.
- LambdaScanRunner uses the AWS SDK and sts:AssumeRole for cross-account access, enumerates AWS resources, and invokes the CIS audit routines.
- Each CIS rule is executed; pass/fail outcomes and associated metadata are recorded in DynamoDB.
A representative pseudocode for CIS rule mapping is:
  for each category C selected by user:
      for each cisRule R in CIS_BENCHMARKS[C]:
          result ← executeAudit(R)
          storeInDB(scanId, R.id, R.category, result)
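The orchestration loop above, written out as working TypeScript. This is an added example and not GraphSecure's own code: the role name GraphSecureAuditRole, the session-name scheme, the two illustrative rules (their IDs and wording are examples, not benchmark text), and the Deps interface that stands in for the AWS SDK and DynamoDB are all assumptions made here. It goes a little beyond the pseudocode in two places a practitioner would want: the assumed role is called with an ExternalId (the standard confused-deputy defence for a scanner that serves many accounts), and results are keyed per resource rather than per rule.

```typescript
// Added example, not GraphSecure's own code: a LambdaScanRunner-style loop that
// assumes an audit role in each target account, runs the CIS rules of the
// selected categories, and emits one record per (scan, rule, resource).
// AWS calls sit behind a small Deps interface so the loop runs offline with
// fakes; a real runner backs them with @aws-sdk/client-sts, the service clients
// the audits read from, and DynamoDB PutItem.

type Status = "PASS" | "FAIL";

interface ScanResult {
  scanId: string; timestamp: string; accountId: string;
  resourceType: string; resourceId: string;
  cisRuleId: string; category: string; status: Status; details: string;
}

// The slice of account state the audit routines read; a real runner fills it
// with read-only calls (IAM GetAccountSummary, CloudTrail DescribeTrails, ...)
// made with the assumed-role credentials.
interface AccountSnapshot {
  accountId: string;
  rootMfaEnabled: boolean;
  trails: { arn: string; multiRegion: boolean; logging: boolean }[];
}

type Finding = Pick<ScanResult, "resourceType" | "resourceId" | "status" | "details">;
interface CisRule { id: string; category: string; audit: (s: AccountSnapshot) => Finding[] }

// Illustrative rule library: IDs and wording are examples, not benchmark text.
const CIS_BENCHMARKS: Record<string, CisRule[]> = {
  IAM: [{
    id: "1.5", category: "IAM", // root user has an MFA device
    audit: (s: AccountSnapshot): Finding[] => [{
      resourceType: "IAM::RootUser", resourceId: `arn:aws:iam::${s.accountId}:root`,
      status: s.rootMfaEnabled ? "PASS" : "FAIL",
      details: s.rootMfaEnabled ? "MFA device registered" : "no MFA device on root user",
    }],
  }],
  Logging: [{
    id: "3.1", category: "Logging", // a multi-region trail is logging
    audit: (s: AccountSnapshot): Finding[] => {
      const ok = s.trails.filter(t => t.multiRegion && t.logging);
      if (ok.length === 0) {
        return [{ resourceType: "CloudTrail::Trail", resourceId: "(none)", status: "FAIL",
                  details: "no multi-region trail with logging enabled" }];
      }
      return ok.map(t => ({ resourceType: "CloudTrail::Trail", resourceId: t.arn,
                            status: "PASS" as Status, details: "multi-region trail is logging" }));
    },
  }],
};

interface Credentials { accessKeyId: string; secretAccessKey: string; sessionToken: string }

interface Deps {
  // sts:AssumeRole into the target account. The ExternalId is the standard
  // confused-deputy defence for a scanner serving many accounts: each target's
  // role trust policy requires the value it was given at onboarding.
  assumeRole(roleArn: string, sessionName: string, externalId: string): Credentials;
  snapshot(creds: Credentials, accountId: string): AccountSnapshot;
  store(record: ScanResult): void; // DynamoDB PutItem in the real system
}

const AUDIT_ROLE = "GraphSecureAuditRole"; // assumed name; give it read-only (SecurityAudit-style) permissions

export interface ScanSummary { checks: number; passed: number; failed: number; skippedCategories: string[] }

// Synchronous so the example runs deterministically; with the real SDK the Deps
// calls return promises and this loop awaits them.
export function runScan(scanId: string, accounts: string[], categories: string[],
                        externalId: string, deps: Deps,
                        now: () => string = () => new Date().toISOString()): ScanSummary {
  const summary: ScanSummary = { checks: 0, passed: 0, failed: 0, skippedCategories: [] };
  for (const accountId of accounts) {
    // The session name shows up in the target account's CloudTrail, so every
    // API call the audit makes is attributable to this scan.
    const creds = deps.assumeRole(`arn:aws:iam::${accountId}:role/${AUDIT_ROLE}`, `graphsecure-${scanId}`, externalId);
    const snap = deps.snapshot(creds, accountId);
    for (const category of categories) {
      const rules = CIS_BENCHMARKS[category];
      if (!rules) { // unknown category: surface it instead of silently scoring nothing
        if (summary.skippedCategories.indexOf(category) === -1) summary.skippedCategories.push(category);
        continue;
      }
      for (const rule of rules) {
        for (const f of rule.audit(snap)) {
          deps.store({ scanId, timestamp: now(), accountId, cisRuleId: rule.id, category, ...f });
          summary.checks += 1;
          if (f.status === "PASS") summary.passed += 1; else summary.failed += 1;
        }
      }
    }
  }
  return summary;
}
```

On the target side, the audit role's trust policy should allow sts:AssumeRole only from the scanner's account and only when the request carries the agreed sts:ExternalId; the role itself should carry read-only permissions, since a compromised scanner would otherwise inherit write access to every onboarded account.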
Compliance Scoring
- Overall compliance score: For checks and passes,
- Category-wise score: For each category,
These metrics drive the visualization and inform risk assessment.
4. Data Visualization and Graph Representation
Graph Model
GraphSecure internally represents compliance state as follows:
- Nodes: CIS controls (rule IDs), AWS resources, CIS categories (IAM, networking, logging, etc.).
- Edges: "applies_to" links each control to its resource(s); "belongs_to" links each control to its category.
- Attributes: Status (PASS/FAIL), timestamp, and inferred severity.
Visualization eschews node‐link diagrams in favor of standard chart types:
- Doughnut charts: Display category-level failure counts, with color gradients indicating pass/fail severity (red hues for FAIL, green for PASS).
- Bar charts: Track compliance trends over time.
- Tabular views: List raw pass/fail records with sortable columns, supporting drill-down by category, resource type, or date range.
- Interactive filters: Enable user-directed exploration of results.
No formal force-directed or spectral layouts are implemented. Category nodes are differentiated by color (e.g., blue for IAM, green for logging).
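The front-end side of the data path, covering the compliance scoring of section 3 and the category aggregation that feeds the doughnut chart in this section, as an added example that is not GraphSecure's own code. It assumes scores are plain pass ratios (passed / checks), since the paper's formulas are not reproduced on this page; the record shape is the JSON from section 2, the slice colours are arbitrary, and the sample records are constructed here. The example also shows what a practitioner usually wants from this roll-up and the text does not spell out: filtering to a single scan, a rule index of failing resources for the drill-down view, and a null rather than a 0 score for a category with no checks.

```typescript
// Added example, not GraphSecure's own code: the in-memory roll-up the front-end
// performs before handing data to Chart.js. Scores are taken to be pass ratios
// (passed / checks); the paper's exact formulas are not reproduced on this page,
// so that is an assumption. The sample records below are constructed.

type Status = "PASS" | "FAIL";

interface ScanRecord {
  scanId: string; timestamp: string; resourceType: string; resourceId: string;
  cisRuleId: string; category: string; status: Status;
}

interface Tally { checks: number; passed: number; failed: number; score: number | null }

export interface Aggregate {
  overall: Tally;
  byCategory: Record<string, Tally>;     // category index
  failedRules: Record<string, string[]>; // rule index: cisRuleId -> resourceIds that failed it
}

function newTally(): Tally { return { checks: 0, passed: 0, failed: 0, score: null }; }

function count(t: Tally, status: Status): void {
  t.checks += 1;
  if (status === "PASS") t.passed += 1; else t.failed += 1;
}

// score stays null (not 0 or NaN) when a category had no checks, so the UI can
// say "not scanned" instead of "0% compliant".
function score(t: Tally): void { t.score = t.checks === 0 ? null : t.passed / t.checks; }

export function aggregate(records: ScanRecord[], scanId?: string): Aggregate {
  const overall = newTally();
  const byCategory: Record<string, Tally> = {};
  const failedRules: Record<string, string[]> = {};
  for (const r of records) {
    if (scanId !== undefined && r.scanId !== scanId) continue; // one scan per dashboard view
    count(overall, r.status);
    if (!byCategory[r.category]) byCategory[r.category] = newTally();
    count(byCategory[r.category], r.status);
    if (r.status === "FAIL") {
      if (!failedRules[r.cisRuleId]) failedRules[r.cisRuleId] = [];
      failedRules[r.cisRuleId].push(r.resourceId);
    }
  }
  score(overall);
  for (const c of Object.keys(byCategory)) score(byCategory[c]);
  return { overall, byCategory, failedRules };
}

// Chart.js data object for the landing-page doughnut: one slice per category,
// sized by its failure count, red where anything failed and green otherwise.
export function doughnutData(agg: Aggregate) {
  const labels = Object.keys(agg.byCategory).sort();
  return {
    labels,
    datasets: [{
      data: labels.map(c => agg.byCategory[c].failed),
      backgroundColor: labels.map(c => (agg.byCategory[c].failed > 0 ? "#d32f2f" : "#388e3c")),
    }],
  };
}

// Constructed sample: an older scan s1 and the current scan s2 in one table.
const ROOT = "arn:aws:iam::111111111111:root";
export const SAMPLE: ScanRecord[] = [
  { scanId: "s1", timestamp: "2025-11-27T09:00:00Z", resourceType: "IAM::RootUser", resourceId: ROOT, cisRuleId: "1.4", category: "IAM", status: "FAIL" },
  { scanId: "s2", timestamp: "2025-11-28T12:34:56Z", resourceType: "IAM::RootUser", resourceId: ROOT, cisRuleId: "1.4", category: "IAM", status: "PASS" },
  { scanId: "s2", timestamp: "2025-11-28T12:34:57Z", resourceType: "IAM::RootUser", resourceId: ROOT, cisRuleId: "1.5", category: "IAM", status: "FAIL" },
  { scanId: "s2", timestamp: "2025-11-28T12:35:01Z", resourceType: "CloudTrail::Trail", resourceId: "trail/org", cisRuleId: "3.1", category: "Logging", status: "PASS" },
  { scanId: "s2", timestamp: "2025-11-28T12:35:02Z", resourceType: "CloudTrail::Trail", resourceId: "trail/org", cisRuleId: "3.2", category: "Logging", status: "PASS" },
  { scanId: "s2", timestamp: "2025-11-28T12:35:02Z", resourceType: "CloudTrail::Trail", resourceId: "trail/local", cisRuleId: "3.2", category: "Logging", status: "FAIL" },
];
```

Because the scoring counts checks rather than rules, a rule that applies to many resources weighs more than a single-resource rule; if the intended score is per rule, roll the failedRules index up first (a rule fails if any of its resources failed) and tally those instead.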
5. User Experience and Account Status Reporting
GraphSecure supports security operations workflows through a multi-page dashboard:
- Landing/dashboard: Displays a doughnut chart of failed benchmarks by category and current overall compliance score on login. Provides direct access to scan initiation and historical results.
- Scan launch interface: Users select desired CIS categories via checkboxes and trigger scan execution.
- Real-time feedback: Scan progress is tracked with a live timer and completion status.
- Historical drill-down: Tabular views summarize past scans (date, rules run, passed/failed counts, score). Detailed views enumerate failed rules, report failure timestamps and statuses, and present remediation steps aligned with official CIS rationale.
- Remediation guidance: Failed CIS checks link to step-by-step fix instructions, drawn verbatim from the relevant CIS control documentation.
An illustrative workflow is as follows:
- Login reloads the dashboard with the latest compliance score.
- User selects categories (e.g., "IAM" and "Logging") and initiates a scan.
- Typical scan duration is 2–3 minutes for a mid-sized AWS account (∼100 resources).
- Results update dynamically: "donut" chart reveals current failure distribution.
- History view allows per-control inspection and remediation access.
6. System Performance Characteristics
While the paper does not report a systematic quantitative benchmark, it gives the following indicative performance figures:
- Scalability: Serverless orchestration allows near-linear scaling with the number of accounts.
- Scan duration: 2–4 minutes for 50–70 CIS rules per mid-sized AWS account.
- Front-end chart rendering: Completes in less than 500 ms on modern browsers.
- Data throughput: DynamoDB is stated to absorb write rates of up to 1,000 records per second without throttling at default settings; in practice that ceiling depends on the table's capacity mode and its provisioned or on-demand write capacity, so it should be verified for the item sizes and burst pattern the scanner actually produces.
This suggests practical suitability for enterprise-scale, multi-account audit scenarios with interactive result feedback.
7. Limitations and Prospective Extensions
Stated and inferred limitations include:
- AWS exclusivity: No current support for Google Cloud Platform (GCP) or Azure.
- Static CIS rule library: Rule set is pegged to snapshot v1.0; updates require manual intervention.
- Chart-centric visualization: No topological graph analysis or rich dependency mapping.
- On-demand scans only: All scans are manually triggered; continuous monitoring is absent.
Suggested future enhancements are:
- Always-on compliance monitoring: Scheduled or event-triggered scans via Amazon EventBridge (formerly CloudWatch Events) for continuous posture assessment.
- Multi-cloud integration: Extending to GCP (similarly to GoSecure) and Azure for consolidated compliance management.
- Dynamic CIS rule updates: Enabling automated import of new controls as CIS publishes updates.
- Graph database support: Adoption of solutions such as Amazon Neptune for advanced impact and “what-if” policy analysis.
Concluding Perspective
GraphSecure exemplifies an advanced, serverless AWS security scanning toolset tightly coupled with CIS Benchmark validation. Through automation, comprehensive visualization, and direct integration of remediation steps, it advances the field of cloud compliance assessment by emphasizing interactive, risk-centric intelligence over traditional audit log inspection (Zhao et al., 12 Dec 2025).