cgchinicz/aws-security-hub-findings

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

101 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Security Hub Findings Application v2.0

A comprehensive web interface for SOC agents to view AWS Security Hub findings without requiring direct AWS console access. Built with Angular, AWS Lambda, and deployed via Terraform.

🎉 Version 2.0 - Professional AWS Console-Style UI

Status: ✅ FULLY OPERATIONAL - Professional enterprise-grade interface deployed

🆕 New in v2.0 - Tier 1 Enterprise Console-Class UI

  • ✅ AWS Console-Style Interface - Professional, enterprise-grade UI matching AWS Console design standards
  • ✅ Advanced Data Tables - Dense, information-rich tables with virtual scrolling for 367+ findings
  • ✅ Comprehensive Threat Intelligence - All GuardDuty behavioral analysis, network details, and anomaly detection properly organized
  • ✅ Professional Filtering - Multi-criteria filtering with real-time updates and bulk operations
  • ✅ Enhanced Finding Details - Tabbed interface with complete threat intelligence categorization
  • ✅ Export Functionality - Professional CSV/JSON export with metadata
  • ✅ Responsive Design - Desktop-optimized (1280px to 4K) with mobile considerations

🎨 Professional Design System

  • ✅ Custom Angular Material Theme - AWS Console color palette with neutral grays
  • ✅ Professional Typography - Segoe UI font family matching AWS standards
  • ✅ 8px Grid System - Consistent spacing throughout the application
  • ✅ Subtle Elevation - Professional shadows and borders
  • ✅ Enterprise Components - Status chips, action menus, and professional cards

🔒 Security & Performance (v2.0)

  • ✅ Zero Security Vulnerabilities - Updated to Angular 19.2.16 with all security patches
  • ✅ Embedded Authentication - Cognito configuration embedded at build time for improved security and performance
  • ✅ Optimized Bundle - 571KB initial bundle with lazy loading for optimal performance
  • ✅ Professional Caching - Optimized CloudFront caching strategy

🏗️ Core Features (v1.0)

  • ✅ Complete ENTRA (Azure AD) authentication integration
  • ✅ Embedded Cognito configuration for simplified deployment
  • ✅ Secure API Gateway with JWT authorization
  • ✅ Real-time Security Hub findings display
  • ✅ Automated deployment pipeline
  • ✅ Comprehensive monitoring and logging

πŸ—οΈ Architecture

  • Frontend: Angular 19 SPA with professional AWS Console-style Material Design theme
  • Backend: Python Lambda functions with comprehensive error handling
  • API: API Gateway with Cognito JWT authorization
  • Storage: S3 with CloudFront CDN and Origin Access Identity
  • DNS: Route 53 with custom domain and SSL certificate
  • Monitoring: CloudWatch logs, X-Ray tracing, and detailed metrics
  • Infrastructure: Terraform modules for reproducible deployments
  • Security: Zero vulnerabilities with embedded authentication configuration
  • UI/UX: Tier 1 Enterprise Console-Class interface matching AWS Console standards

Application Architecture on AWS

(App Architecture diagram)

📁 Project Structure

├── frontend/                    # Angular 19 application
│   ├── src/app/
│   │   ├── core/               # Core services (auth, findings, open-cases)
│   │   │   └── services/       # Authentication, API & session services
│   │   ├── features/           # Feature modules (auth, findings)
│   │   │   ├── auth/          # Login, callback components
│   │   │   └── findings/      # Dashboard, detail, open-cases components
│   │   └── shared/            # Shared components & utilities
│   └── src/environments/      # Environment configurations
├── backend/
│   └── lambda/                # Python Lambda functions
│       ├── security_hub_processor.py  # Security Hub API integration
│       ├── error_handler.py           # Error handling utilities
│       └── test_*.py                  # Property-based tests
├── terraform/                 # Infrastructure as Code
│   ├── modules/              # Reusable Terraform modules
│   │   ├── s3/              # S3 + OAI + file uploads
│   │   ├── cloudfront/      # CDN with custom domain
│   │   ├── lambda/          # Lambda function + IAM
│   │   ├── api-gateway/     # REST API + Cognito auth
│   │   └── route53/         # DNS configuration
│   ├── frontend-dist/       # Built Angular artifacts (generated)
│   ├── main.tf             # Root configuration
│   ├── variables.tf        # Variable definitions
│   ├── outputs.tf          # Output values
│   └── terraform.tfvars    # Configuration values
├── deploy.sh                # Automated deployment script
├── AUTHENTICATION.md        # Authentication architecture guide
├── DEPLOYMENT.md           # Deployment instructions
├── ok.py                   # Reference Python implementation
└── .kiro/specs/           # Project specifications

🚀 Quick Start

Option 1: Automated Deployment (Recommended)

# Run the automated deployment script
./deploy.sh

The script will:

  1. Check dependencies (Terraform, Node.js, AWS CLI)
  2. Build the Angular frontend with production optimizations
  3. Copy build artifacts to Terraform directory
  4. Update frontend configuration with existing API Gateway ID (if available)
  5. Create S3 bucket for Terraform state management
  6. Deploy infrastructure via Terraform
  7. Upload frontend files to S3 with proper content types and cache headers
  8. Create CloudFront invalidation to clear cache
  9. Provide deployment URLs and next steps

📋 Deployment Pipeline Details

Build Process Integration

The deployment pipeline seamlessly integrates the Angular build process with Terraform infrastructure deployment:

1. Frontend Build Phase

# Clear Angular cache for fresh build
rm -rf frontend/.angular/cache frontend/dist

# Install dependencies if needed
npm install

# Build production bundle with optimizations
npm run build:prod

Output: Optimized, minified files in frontend/dist/security-hub-findings-app/

2. Artifact Preparation

# Copy build artifacts to Terraform directory
cp -r frontend/dist/security-hub-findings-app/* terraform/frontend-dist/

Purpose: Makes build artifacts available to Terraform for S3 upload

3. Infrastructure Deployment

# Create Terraform state bucket (if needed)
aws s3api create-bucket --bucket security-hub-findings-terraform-state-bucket

# Deploy infrastructure
terraform init && terraform apply

Key Integration Points:

  • Dynamic Configuration: API Gateway ID is injected into frontend files during deployment
  • File Upload: All frontend files are uploaded to S3 with proper content types and cache headers
  • Cache Management: CloudFront invalidation ensures users get the latest version

4. Configuration Injection Process

The pipeline includes an optimized configuration injection mechanism:

  1. Build artifacts are copied to the Terraform directory
  2. Deploy script checks for existing API Gateway ID from previous deployments
  3. Configuration is updated before Terraform runs (eliminates timing issues)
  4. Terraform deploys infrastructure and uploads pre-configured files
  5. CloudFront cache is invalidated to serve updated files immediately

graph TD
    A[Angular Build] --> B[Copy to terraform/frontend-dist/]
    B --> C[Update Config with API Gateway ID]
    C --> D[Terraform Apply]
    D --> E[Create AWS Resources]
    E --> F[Upload Pre-configured Files to S3]
    F --> G[Invalidate CloudFront]
    G --> H[Application Ready]

Key Improvements:

  • Eliminates timing conflicts between file modification and upload
  • Consistent file hashes for reliable change detection
  • Faster deployments with fewer Terraform resource dependencies
  • More reliable configuration injection process

5. File Management Strategy

  • Content Types: Automatically set based on file extensions (HTML, CSS, JS, ICO)
  • Cache Headers: Optimized for performance:
    • HTML files: no-cache (always fresh)
    • CSS/JS files: max-age=31536000 (1 year cache)
    • Other files: max-age=3600 (1 hour cache)
  • Change Detection: Uses consistent MD5 file hashes for reliable change detection
  • Upload Optimization: Only modified files are uploaded to S3
  • Configuration Timing: API Gateway ID injection happens before file upload (eliminates hash inconsistencies)
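The configuration injection and file management rules from sections 4 and 5 above, worked through as an added Python example (this is not the project's deploy.sh or Terraform code). It runs offline on constructed sample build files; the 10-character lowercase API Gateway ID format, the octet-stream fallback content type and the manifest of previous hashes are assumptions.

```python
"""Plan the S3 upload step offline: inject the API Gateway ID into .js/.html
files first, then derive Content-Type, Cache-Control and an MD5 hash per file
so only changed files are uploaded. Added example, not the project's code."""
import hashlib
import re
from dataclasses import dataclass

PLACEHOLDER = "{{API_GATEWAY_ID}}"

# Content types named in the README; anything else is assumed to be binary.
CONTENT_TYPES = {
    ".html": "text/html",
    ".css": "text/css",
    ".js": "application/javascript",
    ".ico": "image/x-icon",
}
# Cache policy from the README: HTML always fresh, CSS/JS one year, rest one hour.
CACHE_CONTROL = {".html": "no-cache", ".css": "max-age=31536000", ".js": "max-age=31536000"}
DEFAULT_CACHE_CONTROL = "max-age=3600"


@dataclass
class UploadPlan:
    key: str
    content_type: str
    cache_control: str
    md5: str
    changed: bool  # differs from the hash recorded at the previous deploy


def extension(key):
    dot = key.rfind(".")
    return key[dot:].lower() if dot >= 0 else ""


def inject_api_gateway_id(key, content, api_gateway_id):
    """Mirror the sed step: replace the placeholder in .js/.html only. The ID is
    checked against the 10-char lowercase alphanumeric form of REST API IDs
    (an assumption) so a stray value cannot rewrite the bundle."""
    if not api_gateway_id:
        return content  # first deploy: no ID yet, the placeholder stays
    if not re.fullmatch(r"[a-z0-9]{10}", api_gateway_id):
        raise ValueError("unexpected API Gateway ID format")
    if extension(key) in (".js", ".html"):
        return content.replace(PLACEHOLDER, api_gateway_id)
    return content


def plan_uploads(files, api_gateway_id, previous_hashes):
    """files: {key: bytes} of the build output; previous_hashes: {key: md5 hex}
    recorded by the last deploy. Injecting before hashing is what keeps the
    hashes stable between runs that use the same ID."""
    plans = []
    for key, raw in sorted(files.items()):
        ext = extension(key)
        if ext in (".js", ".html"):
            raw = inject_api_gateway_id(key, raw.decode("utf-8"), api_gateway_id).encode("utf-8")
        digest = hashlib.md5(raw).hexdigest()
        plans.append(UploadPlan(
            key=key,
            content_type=CONTENT_TYPES.get(ext, "application/octet-stream"),
            cache_control=CACHE_CONTROL.get(ext, DEFAULT_CACHE_CONTROL),
            md5=digest,
            changed=previous_hashes.get(key) != digest,
        ))
    return plans


def unresolved_placeholders(files, api_gateway_id):
    """Keys whose content would still carry the literal placeholder after
    injection; shipping them leaves the frontend calling '{{API_GATEWAY_ID}}'."""
    left = []
    for key, raw in sorted(files.items()):
        if extension(key) in (".js", ".html"):
            text = inject_api_gateway_id(key, raw.decode("utf-8"), api_gateway_id)
            if PLACEHOLDER in text:
                left.append(key)
    return left


# Constructed sample build output (not real project files)
SAMPLE_FILES = {
    "index.html": b'<!doctype html><script src="main.js"></script>',
    "main.js": b"const API='https://{{API_GATEWAY_ID}}.execute-api.us-east-1.amazonaws.com/prod';",
    "styles.css": b"body{margin:0}",
    "favicon.ico": bytes(range(16)),
}

if __name__ == "__main__":
    for plan in plan_uploads(SAMPLE_FILES, "abc123def4", {}):
        print(plan)
    print("unresolved:", unresolved_placeholders(SAMPLE_FILES, ""))
```

Running `unresolved_placeholders` before `terraform apply` catches the first-deploy case where no API Gateway ID exists yet and the bundle would otherwise ship with the placeholder intact.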

6. State Management

  • Terraform State: Stored in dedicated S3 bucket with versioning and encryption
  • Build Artifacts: Managed through Terraform for consistent deployments
  • Configuration: Environment-specific settings injected at deployment time

Option 2: Manual Deployment

For more control over the deployment process:

  1. Configure AWS credentials:

    aws configure
  2. Set up Terraform variables:

    cp terraform/terraform.tfvars.example terraform/terraform.tfvars
    # Edit terraform.tfvars with your values
  3. Build frontend:

    cd frontend
    npm install
    npm run build:prod
    cd ..
  4. Prepare artifacts:

    # Copy build artifacts to Terraform directory
    cp -r frontend/dist/security-hub-findings-app/* terraform/frontend-dist/
    
    # Update configuration with API Gateway ID (if exists)
    cd terraform
    API_GATEWAY_ID=$(terraform output -raw api_gateway_id 2>/dev/null || echo "")
    if [ -n "$API_GATEWAY_ID" ]; then
      find ../terraform/frontend-dist -type f \( -name "*.js" -o -name "*.html" \) -exec sed -i "s/{{API_GATEWAY_ID}}/$API_GATEWAY_ID/g" {} \;
    fi
    cd ..
  5. Create state bucket:

    aws s3api create-bucket --bucket security-hub-findings-terraform-state-bucket --region us-east-1
    aws s3api put-bucket-versioning --bucket security-hub-findings-terraform-state-bucket --versioning-configuration Status=Enabled
  6. Deploy infrastructure:

    cd terraform
    terraform init
    terraform plan
    terraform apply
  7. Invalidate CloudFront cache:

    aws cloudfront create-invalidation --distribution-id $(terraform output -raw cloudfront_distribution_id) --paths "/*"

🔄 Deployment Pipeline Architecture

Integration Flow

sequenceDiagram
    participant Dev as Developer
    participant Script as deploy.sh
    participant Angular as Angular CLI
    participant TF as Terraform
    participant AWS as AWS Services
    
    Dev->>Script: ./deploy.sh
    Script->>Angular: npm run build:prod
    Angular-->>Script: Build artifacts
    Script->>Script: Copy to terraform/frontend-dist/
    Script->>AWS: Create state bucket (if needed)
    Script->>TF: terraform init & apply
    TF->>AWS: Create infrastructure
    TF->>TF: Inject API Gateway ID
    TF->>AWS: Upload files to S3
    TF->>AWS: Create CloudFront invalidation
    AWS-->>Dev: Application ready

Key Components

  1. Build System: Angular CLI with production optimizations
  2. Configuration Management: Pre-deployment API endpoint injection (eliminates timing issues)
  3. Infrastructure as Code: Terraform modules for AWS resources
  4. Content Delivery: S3 + CloudFront with optimized caching
  5. State Management: Remote state in S3 with versioning
  6. Cache Invalidation: Automatic CloudFront cache clearing
  7. Reliability: Consistent file hashing and change detection

🔗 API Documentation

Session Tracking Endpoints

The application includes comprehensive API endpoints for managing analyst session tracking:

Check Session Status

GET /findings/{findingId}/session/status
Authorization: Bearer {jwt-id-token}

Response:

{
  "hasActiveSession": true,
  "sessionExists": true,
  "openerEmail": "claudio@chinicz.com",
  "openTimestamp": "2026-01-04T12:59:02.537Z",
  "resolverEmail": "",
  "resolutionTimestamp": "",
  "findingId": "extracted-finding-id"
}

Start Session Tracking

POST /findings/{findingId}/session/start
Authorization: Bearer {jwt-id-token}
Content-Type: application/json

{
  "findingId": "f64d5ee8-6f7a-48e8-9b59-12a750361",
  "analystEmail": "analyst@company.com",
  "timestamp": "2024-12-29T10:30:00Z"
}

Response:

{
  "statusCode": 200,
  "message": "Session started successfully"
}

End Session Tracking

POST /findings/{findingId}/session/end
Authorization: Bearer {jwt-id-token}
Content-Type: application/json

{
  "findingId": "f64d5ee8-6f7a-48e8-9b59-12a750361",
  "status": "RESOLVED",
  "resolverEmail": "analyst@company.com",
  "timestamp": "2024-12-29T11:45:00Z"
}

Response:

{
  "statusCode": 200,
  "message": "Session ended successfully"
}

CORS Architecture in API Gateway

/findings Resource (Main Findings Operations):

  1. GET /findings - Retrieve findings list with session data
  2. PUT /findings - Update workflow status and end sessions
  3. OPTIONS /findings - CORS preflight for the above methods

/findings/{proxy+} Resource (Session Tracking):

  1. GET /findings/{proxy+} - Session status checks (e.g., /findings/arn:aws:.../session/status)
  2. POST /findings/{proxy+} - Session start/end (e.g., /findings/arn:aws:.../session/start)
  3. OPTIONS /findings/{proxy+} - CORS preflight for session endpoints

CORS Headers Configuration:

Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,Accept,Origin,Referer
Access-Control-Allow-Methods: GET,PUT,POST,OPTIONS,DELETE
Access-Control-Allow-Credentials: false

The OPTIONS methods handle browser preflight requests that occur before actual API calls, ensuring proper cross-origin access from the frontend domain to the API Gateway domain.

Enhanced Findings Endpoint

The existing /findings endpoint now includes session information:

GET /findings
Authorization: Bearer {jwt-id-token}

Enhanced Response:

{
  "findings": [
    {
      "id": "f64d5ee8-6f7a-48e8-9b59-12a750361",
      "title": "S3 bucket encryption not enabled",
      "severity": "HIGH",
      "status": "NEW",
      "description": "S3 bucket does not have encryption enabled",
      "resources": [...],
      "activeSession": {
        "analystEmail": "analyst@company.com",
        "openedAt": "2024-12-29T10:30:00Z"
      }
    },
    {
      "id": "another-finding-id",
      "title": "Another security finding",
      "severity": "CRITICAL",
      "status": "NEW",
      "description": "Another security issue",
      "resources": [...]
      // No activeSession field means no analyst is currently reviewing
    }
  ]
}

Session Data Model

DynamoDB Workflow_Tracker Table Schema

{
  "finding_id": "f64d5ee8-6f7a-48e8-9b59-12a750361",
  "opener_email": "analyst1@company.com",
  "open_timestamp": "2024-12-29T10:30:00Z",
  "resolver_email": "analyst1@company.com",
  "resolution_timestamp": "2024-12-29T11:45:00Z",
  "ttl": 1735574700
}

Key Features:

  • Primary Key: finding_id (extracted from Security Hub ARN)
  • Global Secondary Indexes:
    • analyst-email-index on opener_email
    • resolver-email-index on resolver_email
  • TTL: Automatic cleanup of old records
  • Active Sessions: Records without resolution_timestamp

Authentication Requirements

All session tracking endpoints require:

  • JWT ID Token in Authorization header
  • Valid Cognito User Pool token with email claim
  • API Gateway Cognito Authorizer validation

Error Handling

The session tracking system includes comprehensive error handling:

Graceful Degradation

  • If DynamoDB is unavailable, findings retrieval continues without session data
  • Session tracking failures don't affect core finding display functionality
  • Error responses include detailed messages for troubleshooting

Common Error Responses

// Invalid finding ID format
{
  "statusCode": 400,
  "error": "Invalid finding ID format"
}

// DynamoDB service error
{
  "statusCode": 500,
  "error": "Session tracking temporarily unavailable"
}

// Unauthorized access
{
  "statusCode": 401,
  "error": "Invalid or expired token"
}
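The session endpoints, the Workflow_Tracker data model, the ID-token requirement and the graceful-degradation rules above, worked through as an added Python example (not the project's Lambda code). The in-memory table, the assumed ARN layout (finding ID after the last `/finding/`), the finding-ID regex, the 30-day TTL and the sample ARN are all constructed assumptions.

```python
# Added example, not the project's Lambda code; assumptions are marked inline.
import re
import time

TTL_SECONDS = 30 * 24 * 3600  # assumed retention; the README only says TTL is enabled
FINDING_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{9,12}$")  # assumed shape


class TableUnavailable(Exception):
    """Stand-in for a DynamoDB service error."""


class WorkflowTracker:
    """In-memory stand-in for the Workflow_Tracker table; available=False mimics an outage."""
    def __init__(self, available=True):
        self.items, self.available = {}, available

    def get(self, finding_id):
        if not self.available:
            raise TableUnavailable()
        return self.items.get(finding_id)

    def put(self, item):
        if not self.available:
            raise TableUnavailable()
        self.items[item["finding_id"]] = item


def extract_finding_id(raw):
    """Full ARN or bare ID -> finding_id; assumed layout: the ID follows the last '/finding/'."""
    candidate = raw.rsplit("/finding/", 1)[-1]
    if not FINDING_ID_RE.match(candidate):
        raise ValueError("Invalid finding ID format")
    return candidate


def analyst_email(event):
    """Email from the Cognito authorizer claims; only ID tokens carry it (access tokens -> 401)."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    if claims.get("token_use") != "id" or not claims.get("email"):
        raise PermissionError("Invalid or expired token")
    return claims["email"]


def is_active(item):
    # Active session == record present with an empty resolution_timestamp
    return bool(item) and not item.get("resolution_timestamp")


def guarded(action):
    """Run an endpoint body and map failures to the README's error responses."""
    try:
        return action()
    except PermissionError as exc:
        return {"statusCode": 401, "error": str(exc)}
    except ValueError as exc:
        return {"statusCode": 400, "error": str(exc)}
    except TableUnavailable:
        return {"statusCode": 500, "error": "Session tracking temporarily unavailable"}


def start_session(table, event, raw_id, timestamp):
    def body():
        email = analyst_email(event)
        finding_id = extract_finding_id(raw_id)
        table.put({"finding_id": finding_id, "opener_email": email,
                   "open_timestamp": timestamp, "resolver_email": "",
                   "resolution_timestamp": "", "ttl": int(time.time()) + TTL_SECONDS})
        return {"statusCode": 200, "message": "Session started successfully"}
    return guarded(body)


def end_session(table, event, raw_id, timestamp):
    def body():
        email = analyst_email(event)
        current = table.get(extract_finding_id(raw_id))
        if not is_active(current):  # the README's expected 404: no session exists
            return {"statusCode": 404, "error": "No session exists"}
        current.update(resolver_email=email, resolution_timestamp=timestamp)
        table.put(current)
        return {"statusCode": 200, "message": "Session ended successfully"}
    return guarded(body)


def enrich_findings(table, findings):
    """Attach activeSession where a record is open; if the table is down, return findings unchanged."""
    enriched = []
    for finding in findings:
        entry = dict(finding)
        try:
            item = table.get(extract_finding_id(finding["id"]))
        except TableUnavailable:
            return [dict(f) for f in findings]
        except ValueError:
            item = None  # IDs that are not finding-shaped simply get no session
        if is_active(item):
            entry["activeSession"] = {"analystEmail": item["opener_email"],
                                      "openedAt": item["open_timestamp"]}
        enriched.append(entry)
    return enriched


# Constructed samples: a finding ARN and an ID-token authorizer event (not real values)
SAMPLE_ARN = ("arn:aws:securityhub:us-east-1:123456789012:subscription/example/"
              "finding/f64d5ee8-6f7a-48e8-9b59-12a750361")
ID_TOKEN_EVENT = {"requestContext": {"authorizer": {"claims": {
    "token_use": "id", "email": "analyst@company.com"}}}}
```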

βš™οΈ Configuration

Required AWS Resources

Before deployment, ensure you have:

  1. Cognito User Pool with these settings:

    • Client ID: 4a2vb2k79v0niig5o1vj6vev00
    • Client Secret: Required for Basic Authentication
    • Domain: https://us-east-14qcl4rqho.auth.us-east-1.amazoncognito.com
    • Scopes: aws.cognito.signin.user.admin email openid phone profile
    • Authentication Flow: Authorization Code Grant with client secret
    • Identity Providers: Supports ENTRA (Azure AD) integration
  2. SSL Certificate in ACM (us-east-1):

    • ARN: arn:aws:acm:us-east-1:641484007123:certificate/4255f88a-5222-4983-b877-c55358ed5e44
  3. Route 53 Hosted Zone for chinicz.com

Terraform Variables

Update terraform/terraform.tfvars:

aws_region    = "us-east-1"
environment   = "prod"
project_name  = "security-hub-findings"

# Custom domain configuration
domain_name         = "aws.sechub.findings.chinicz.com"
ssl_certificate_arn = "arn:aws:acm:us-east-1:641484007123:certificate/4255f88a-5222-4983-b877-c55358ed5e44"

# Cognito configuration
cognito_user_pool_arn = "arn:aws:cognito-idp:us-east-1:641484007123:userpool/us-east-1_XXXXXXXXX"
cognito_client_id     = "4a2vb2k79v0niig5o1vj6vev00"

🔧 Development

Frontend Development

cd frontend
npm install
npm start  # Development server on http://localhost:4200

Authentication Configuration:

  • Embedded Cognito configuration: Client credentials embedded at build time for improved security and performance
  • No external API dependencies: Authentication works without additional API calls to fetch configuration
  • ID Token Usage: Uses ID tokens for API Gateway calls (critical for authorization)
  • Uses Basic Authentication (RFC 7617) for token exchange with embedded client secret
  • Automatic token refresh with 15-minute expiration handling
  • ENTRA (Azure AD) integration support
  • Build-time configuration injection for optimal security

Backend Development

cd backend/lambda
pip install -r requirements.txt
python -m pytest test_*.py  # Run property-based tests

Lambda Configuration:

  • Security Hub Function: Main API handler with Security Hub read permissions
  • Python 3.9 runtime with AWS SDK
  • X-Ray tracing enabled for both functions
  • CloudWatch structured logging
  • Minimal IAM permissions for security

Testing

The project includes comprehensive property-based tests:

# Frontend tests
cd frontend && npm test

# Backend property-based tests
cd backend/lambda && python -m pytest test_*.py -v

# Infrastructure tests
cd terraform/modules/s3 && python -m pytest test_s3_security.py -v

🌟 Features

🆕 Version 2.3 Features

Open Cases Dashboard

  • 📋 Dedicated Open Cases Page - Centralized view of all findings currently being reviewed by analysts
  • 🔍 Active Session Management - Real-time display of which analysts are working on which findings
  • 📊 Session Analytics - Track session duration, analyst workload, and case resolution patterns
  • 🎯 Quick Navigation - Direct links from Open Cases to detailed finding views
  • 📈 Workload Distribution - Visual indicators of analyst activity and case assignments
  • 🔄 Real-time Updates - Automatic refresh of open cases status with existing 60-second cycle

Enhanced Navigation & User Experience

  • 🧭 Improved Navigation - New "Open Cases" button in main dashboard header
  • 🔗 Seamless Integration - Smooth navigation between findings dashboard and open cases view
  • 📱 Consistent Design - Open Cases page follows same AWS Console-style design standards
  • ⚡ Performance Optimized - Efficient API calls and data management for open cases

🆕 Version 2.2 Features

Finding ID Resolution & API Improvements

  • 🔧 Complete ARN Support - Fixed finding detail links to work with complete Security Hub ARNs
  • 🌐 URL Decoding - Proper handling of URL-encoded finding IDs in navigation
  • 🎯 Direct API Queries - Eliminated dependency on "last 100 findings" window for finding details
  • 🔄 Persistent Links - Finding detail links now work regardless of finding age (within 90-day retention)
  • ⚡ Improved Performance - Direct Security Hub API queries instead of search-based lookups

🆕 Version 2.1 Features

Real-time Session Tracking

  • 🔄 Analyst Session Management - Track which analysts are currently reviewing specific findings
  • 🚫 Duplicate Work Prevention - Visual indicators prevent multiple analysts from working on the same critical/high findings
  • 👥 Active Session Display - Red email indicators show which analyst is currently reviewing each finding
  • 📋 Complete Audit Trail - Full tracking of who opened and resolved findings with timestamps
  • ⚡ Real-time Updates - Session information updates automatically with existing 60-second refresh cycle
  • 🗄️ Persistent Storage - Session data stored in DynamoDB with automatic cleanup via TTL

Enhanced API Endpoints

  • 🔗 Session Tracking API - New endpoints for starting and ending finding review sessions
  • 📊 Enriched Findings Data - Existing /findings endpoint now includes active session information
  • 🏢 Open Cases API - New /open-cases endpoint for retrieving active analyst sessions
  • Backward Compatibility - All existing functionality preserved while adding session features
  • 🛡️ Error Handling - Graceful degradation when session tracking is unavailable

🆕 Version 2.0 Features

Professional AWS Console-Style UI

  • 🎨 Tier 1 Enterprise Console-Class - Custom Angular Material theme with AWS Console design standards
  • 📊 Professional Data Tables - Dense, information-rich tables with virtual scrolling for large datasets
  • 🎯 Advanced Filtering - Multi-criteria filtering with real-time updates and bulk operations
  • 📱 Responsive Design - Desktop-optimized interface (1280px to 4K) with professional styling
  • 🎛️ Professional Components - Status chips, action menus, and enterprise-grade cards

Comprehensive Threat Intelligence Display

  • 🔍 Complete Data Organization - All GuardDuty threat intelligence properly categorized and displayed
  • 🌐 Network Information - IP addresses, geolocation, ISP details, and ASN information
  • 🤖 Behavioral Analysis - Profiled behavior patterns and historical analysis
  • ⚠️ Anomaly Detection - Unusual patterns and anomalous behavior identification
  • 🔧 Action Details - API calls, authentication methods, and service interactions

Enhanced Finding Details View

  • 📑 Tabbed Organization - Overview, Threat Intelligence, and Resources tabs
  • 📋 Two-Column Layout - Main content area with professional sidebar
  • 🏷️ Complete Resource Information - All resource details with tags and properties
  • 📊 Professional Cards - Clean, organized information display with consistent styling
  • 🔗 AWS Console Integration - Direct links to AWS console for detailed investigation

Advanced Data Management

  • 💾 Professional Export - CSV and JSON export with metadata and timestamps
  • 🔄 Bulk Operations - Multi-select with batch status updates
  • 📈 Performance Optimized - Virtual scrolling for 367+ findings
  • 🎯 Smart Filtering - Real-time filtering with clear status indicators

Security Features

  • 🔐 AWS Cognito JWT authentication with embedded configuration for enhanced security
  • 🎯 ID Token Authorization: Uses ID tokens for API Gateway (critical implementation detail)
  • 🛡️ API Gateway with Cognito User Pool authorizer
  • 🔒 Private S3 bucket with Origin Access Identity
  • 🌐 HTTPS-only access with custom SSL certificate
  • ⚡ Embedded Authentication: Build-time configuration injection eliminates external API dependencies
  • 📊 Comprehensive logging and monitoring

Application Features

  • 📱 Professional AWS Console-style Angular Material Design interface
  • 🔄 Real-time findings display with 60-second auto-refresh
  • 🔍 Advanced filtering with multi-criteria support (Enhanced in v2.0)
  • 📋 Professional finding details with comprehensive threat intelligence (Redesigned in v2.0)
  • 💾 Professional export functionality with CSV/JSON options (Enhanced in v2.0)
  • 📊 Open Cases Dashboard for active session management (New in v2.3)
  • 🎯 Direct finding navigation with persistent links (Fixed in v2.2)
  • ⚡ Optimized performance with CloudFront CDN and virtual scrolling
  • 🎯 Property-based testing for reliability
  • 🎨 Tier 1 Enterprise Console-Class UI (New in v2.0)

Monitoring & Observability

  • 📈 CloudWatch detailed metrics and custom dashboards
  • 🔍 X-Ray distributed tracing for API Gateway and Lambda
  • 📝 Structured logging with request correlation IDs
  • 🚨 Error tracking and alerting capabilities

📋 Changelog

Version 2.3.0 (January 2025) - Open Cases Dashboard

📊 Open Cases Management System

  • Dedicated Open Cases Dashboard: New centralized page for managing active analyst sessions

    • Accessible via "Open Cases" button in main dashboard header
    • Real-time display of all findings currently being reviewed by analysts
    • Professional AWS Console-style interface matching main dashboard design
  • Enhanced Session Visibility: Comprehensive view of analyst activity

    • Session duration tracking with real-time updates
    • Analyst workload distribution and case assignment overview
    • Quick navigation from open cases to detailed finding views
    • Visual indicators for session status and analyst activity
  • Improved Navigation & User Experience: Seamless integration with existing interface

    • New routing configuration for /open-cases endpoint
    • Consistent design language across all dashboard components
    • Optimized API calls for efficient open cases data retrieval
    • Enhanced user workflow for case management

🔧 Infrastructure Enhancements

  • New API Endpoint: /open-cases for retrieving active sessions
    • Dedicated service for open cases data management
    • Integration with existing session tracking infrastructure
    • Backward compatibility maintained for all existing functionality

Version 2.2.0 (January 2025) - Finding ID Resolution & Console Error Fixes

🔄 Real-time Session Tracking System

  • Analyst Session Management: Track which analysts are currently reviewing specific findings

    • Automatic session start when opening finding details
    • Session end tracking when changing finding status to RESOLVED/SUPPRESSED
    • Real-time session display with visual indicators (red email text)
  • Duplicate Work Prevention: Prevent multiple analysts from working on same critical/high findings

    • Visual indicators show active sessions in findings list
    • Complete audit trail for accountability and compliance
    • Automatic session cleanup with TTL for data management
  • Enhanced API Endpoints: New session tracking functionality

    • GET /findings/{id}/session/status - Check session status for a finding
    • POST /findings/{id}/session/start - Start analyst session tracking
    • POST /findings/{id}/session/end - End session with resolution data
    • Enhanced GET /findings - Now includes active session information
    • Backward compatibility maintained for existing functionality

πŸ—„οΈ Infrastructure Enhancements

  • DynamoDB Workflow Tracker: New table for session audit trail

    • Primary key on finding_id for efficient lookups
    • Global Secondary Indexes for analyst queries
    • TTL enabled for automatic data cleanup
    • Integrated with existing Terraform infrastructure
  • API Gateway CORS Improvements: Enhanced cross-origin support

    • Added GET method to /findings/{proxy+} for session status checks
    • Comprehensive CORS headers for all session tracking endpoints
    • Proper OPTIONS preflight handling for all endpoints

🔧 Console Error Fixes & Improvements

  • Reduced Console Noise: Cleaned up verbose logging in session tracking

    • Removed excessive debug logging (🔍 emojis and verbose token logs)
    • Silent handling of expected 404 errors (no session exists)
    • Only log unexpected errors, not normal flow scenarios
  • CORS Error Resolution: Fixed cross-origin request blocking

    • Added missing GET method for session status endpoint
    • Proper CORS preflight handling for all session endpoints
    • Eliminated "Access-Control-Allow-Origin header is present" errors

🔒 Security & Reliability

  • Graceful Error Handling: Session tracking failures don't affect core functionality
    • Findings display continues even if session tracking is unavailable
    • Comprehensive error logging and monitoring
    • Proper JWT token validation for all session endpoints

Version 2.1.0 (January 2025)

🔄 Real-time Session Tracking System

  • Analyst Session Management: Track which analysts are currently reviewing specific findings

    • Automatic session start when opening finding details
    • Session end tracking when changing finding status to RESOLVED/SUPPRESSED
    • Real-time session display with visual indicators (red email text)
  • Duplicate Work Prevention: Prevent multiple analysts from working on same critical/high findings

    • Visual indicators show active sessions in findings list
    • Complete audit trail for accountability and compliance
    • Automatic session cleanup with TTL for data management
  • Enhanced API Endpoints: New session tracking functionality

    • POST /findings/{id}/session/start - Start analyst session tracking
    • POST /findings/{id}/session/end - End session with resolution data
    • Enhanced GET /findings - Now includes active session information
    • Backward compatibility maintained for existing functionality

πŸ—„οΈ Infrastructure Enhancements

  • DynamoDB Workflow Tracker: New table for session audit trail

    • Primary key on finding_id for efficient lookups
    • Global Secondary Indexes for analyst queries
    • TTL enabled for automatic data cleanup
    • Integrated with existing Terraform infrastructure
  • Enhanced Deployment Pipeline: Updated deployment script

    • Automatic DynamoDB table verification
    • Enhanced schema validation and status reporting
    • Comprehensive deployment feedback with session tracking status
    • Backward compatibility ensured throughout deployment process

🔒 Security & Reliability

  • Graceful Error Handling: Session tracking failures don't affect core functionality
    • Findings display continues even if session tracking is unavailable
    • Comprehensive error logging and monitoring
    • Proper JWT token validation for all session endpoints

Version 2.0.0 (December 2025)

🎨 Professional AWS Console-Style UI

  • Tier 1 Enterprise Console-Class Interface: Complete UI redesign following AWS Console design standards

    • Custom Angular Material theme with AWS Console color palette
    • Professional typography with Segoe UI font family
    • 8px grid system for consistent spacing
    • Subtle elevation and shadows matching AWS design language
  • Advanced Data Tables: Professional, dense information display

    • Virtual scrolling capability for large datasets (367+ findings)
    • Multi-criteria filtering with real-time updates
    • Bulk selection and batch operations
    • Sortable columns with professional styling
  • Comprehensive Threat Intelligence Display: All GuardDuty data properly organized

    • Network Information (IP addresses, geolocation, ISP details)
    • Behavioral Analysis (profiled behavior patterns, historical analysis)
    • Anomaly Detection (unusual patterns and anomalous behavior)
    • Action Details (API calls, authentication methods, service interactions)

🔒 Security & Performance Improvements

  • Embedded Authentication: Cognito configuration embedded at build time for enhanced security

    • Eliminated external API dependencies for configuration
    • Improved performance with no runtime configuration calls
    • Enhanced security by removing configuration endpoints
  • Zero Vulnerabilities: Complete security cleanup

    • Updated Angular from v17 to v19.2.16
    • Fixed 21 vulnerabilities (11 high, 6 moderate, 4 low)
    • Updated all dependencies to secure versions
    • Enhanced build security with latest tools

πŸ› οΈ Enhanced Features

  • Professional Export: CSV and JSON export with metadata and timestamps
  • Advanced Filtering: Multi-criteria filtering with status indicators
  • Responsive Design: Desktop-optimized (1280px to 4K) with mobile considerations
  • Performance Optimization: Lazy loading and optimized bundle size

Version 1.0.0 (Initial Release)

  • Complete ENTRA (Azure AD) authentication integration
  • Dynamic Cognito configuration fetching
  • Secure API Gateway with JWT authorization
  • Real-time Security Hub findings display
  • Automated deployment pipeline
  • Comprehensive monitoring and logging

🌐 Access URLs

After deployment:

  • Main Application: https://aws.sechub.findings.chinicz.com
  • Open Cases Dashboard: https://aws.sechub.findings.chinicz.com/open-cases
  • CloudFront: https://{distribution-id}.cloudfront.net
  • API Gateway: https://{api-id}.execute-api.us-east-1.amazonaws.com/prod

πŸ”’ Security & Vulnerability Management

Version 2.0 Security Improvements

Previous State (v1.0):

  • ❌ 21 total vulnerabilities (11 high, 6 moderate, 4 low)
  • ❌ Angular 17 with known security issues
  • ❌ Outdated dependencies with security flaws

Current State (v2.0):

  • βœ… 0 vulnerabilities - Complete security cleanup
  • βœ… Angular 19.2.16 - Latest stable with all security patches
  • βœ… Updated Dependencies - All packages updated to secure versions

Key Security Fixes Applied

Angular Framework Updates

# Updated from vulnerable versions to secure versions
@angular/common: ^17.0.0 β†’ ^19.2.16    # Fixed XSRF Token Leakage
@angular/compiler: ^17.0.0 β†’ ^19.2.16  # Fixed Stored XSS vulnerability
@angular/core: ^17.0.0 β†’ ^19.2.16      # Multiple security patches

Dependency Security Updates

  • zone.js: Updated to v0.15.0 for Angular 19 compatibility
  • TypeScript: Updated to v5.6.0 for security and compatibility
  • Build Tools: Updated webpack, esbuild, and other build dependencies
  • Development Dependencies: Updated all dev tools to secure versions

Vulnerability Categories Addressed

  1. High Severity (11 fixed):

    • Angular XSRF Token Leakage via Protocol-Relative URLs
    • Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
    • Multiple dependency chain vulnerabilities
  2. Moderate Severity (6 fixed):

    • esbuild development server vulnerabilities
    • http-proxy-middleware security issues
    • webpack-dev-server source code exposure risks
  3. Low Severity (4 fixed):

    • Various dependency security improvements

Security Verification

# Verify zero vulnerabilities
npm audit
# Output: found 0 vulnerabilities

# Check Angular version
ng version
# Output: Angular CLI: 19.2.16, Angular: 19.2.16

Ongoing Security Practices

  • πŸ”„ Regular Updates - Automated dependency scanning
  • πŸ›‘οΈ Security Audits - Pre-deployment vulnerability checks
  • πŸ“Š Monitoring - Continuous security monitoring in production
  • πŸ”’ Best Practices - Following Angular security guidelines

πŸ” Monitoring

CloudWatch Logs

  • API Gateway Access Logs: /aws/apigateway/security-hub-findings/access-logs
  • API Gateway Execution Logs: API-Gateway-Execution-Logs_{api-id}/prod
  • Lambda Logs: /aws/lambda/security-hub-findings-security-hub-function

X-Ray Tracing

  • Service Map: View request flow from API Gateway β†’ Lambda β†’ Security Hub
  • Trace Analysis: Identify performance bottlenecks and errors
  • Error Analysis: Root cause analysis for failed requests

πŸ› οΈ Troubleshooting

Common Issues

  1. Build Errors: Ensure Node.js >= 18 and run npm install
  2. Terraform Errors: Check AWS credentials and permissions
  3. Authentication Issues: Verify Cognito configuration and scopes
  4. API Errors: Check CloudWatch logs and X-Ray traces
  5. Configuration Issues: Ensure API Gateway ID is properly injected into frontend files
  6. Cache Issues: Wait 2-3 minutes after deployment for CloudFront invalidation to complete

Deployment Pipeline Issues

Problem: Files not updating after deployment
Solution:

# Force CloudFront invalidation
aws cloudfront create-invalidation --distribution-id $(cd terraform && terraform output -raw cloudfront_distribution_id) --paths "/*"

# Hard refresh browser (Ctrl+F5 or Cmd+Shift+R)

Problem: API Gateway ID not found in frontend
Status: βœ… RESOLVED - API Gateway ID properly injected
Current API Gateway ID: rshuboi4oh

Verification Commands:

# 1. Verify API Gateway ID injection worked
grep -r "{{API_GATEWAY_ID}}" terraform/frontend-dist/
# Should return no results (no placeholders remaining)

# 2. Confirm correct API Gateway ID is present
grep -r "rshuboi4oh" terraform/frontend-dist/
# Should find the API Gateway ID in JavaScript files

# 3. Test deployed application (the main bundle name is hashed, so resolve it from index.html first;
#    a shell glob such as main.*.js is not expanded against a remote URL)
MAIN_JS=$(curl -s https://aws.sechub.findings.chinicz.com/ | grep -o 'main[.-][A-Za-z0-9]*\.js' | head -1)
curl -s "https://aws.sechub.findings.chinicz.com/$MAIN_JS" | grep -o "rshuboi4oh"
# Should return the API Gateway ID

# 4. Verify application functionality
# Visit https://aws.sechub.findings.chinicz.com
# Should load correctly and allow authentication

If issues arise in future deployments:

# Manual update process (if needed)
cd terraform
find frontend-dist -type f \( -name "*.js" -o -name "*.html" \) -exec sed -i "s/{{API_GATEWAY_ID}}/rshuboi4oh/g" {} \;
aws s3 sync frontend-dist/ "s3://$(terraform output -raw app_bucket_name)/" --delete
aws cloudfront create-invalidation --distribution-id $(terraform output -raw cloudfront_distribution_id) --paths "/*"
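
The placeholder substitution and the grep checks above can be wrapped in one pre-upload step that also refuses to inject anything that is not a well-formed API Gateway ID (so an unexpected Terraform output can never end up inside served JavaScript). This is an added example, not part of the repository's deployment script; the placeholder name and the 10-character ID format are taken from this README, the function names are assumptions.

```python
import re
from pathlib import Path

PLACEHOLDER = "{{API_GATEWAY_ID}}"
# API Gateway REST API IDs are 10 lowercase alphanumerics (e.g. rshuboi4oh).
API_ID_RE = re.compile(r"^[a-z0-9]{10}$")


def inject_api_gateway_id(dist_dir: str, api_id: str) -> int:
    """Replace the placeholder in built .js/.html files; returns the number of files changed.
    The value is validated first so only a well-formed ID ever lands in the bundle."""
    if not API_ID_RE.match(api_id):
        raise ValueError(f"refusing to inject malformed API Gateway ID: {api_id!r}")
    changed = 0
    for path in Path(dist_dir).rglob("*"):
        if not path.is_file() or path.suffix not in (".js", ".html"):
            continue
        text = path.read_text(encoding="utf-8")
        if PLACEHOLDER in text:
            path.write_text(text.replace(PLACEHOLDER, api_id), encoding="utf-8")
            changed += 1
    return changed


def verify_frontend_dist(dist_dir: str, api_id: str) -> dict:
    """Post-injection check mirroring the two grep commands: no placeholder may remain
    and at least one JavaScript file must carry the expected ID."""
    leftovers, js_with_id = [], []
    for path in Path(dist_dir).rglob("*"):
        if not path.is_file() or path.suffix not in (".js", ".html"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if PLACEHOLDER in text:
            leftovers.append(str(path))
        if path.suffix == ".js" and api_id in text:
            js_with_id.append(str(path))
    return {
        "ok": not leftovers and bool(js_with_id),
        "placeholders_remaining": leftovers,
        "js_files_with_id": js_with_id,
    }
```

Run `inject_api_gateway_id("terraform/frontend-dist", api_id)` with the value of `terraform output -raw api_gateway_id`, then gate the `aws s3 sync` on `verify_frontend_dist(...)["ok"]`.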

Problem: Authentication fails with "Configuration not found"
Solution: Verify embedded Cognito configuration:

# Verify build process embedded configuration correctly
cd frontend
npm run build
# Check that environment files contain proper Cognito configuration

# Ensure application was built with correct environment
# Client ID: 4a2vb2k79v0niig5o1vj6vev00
# User Pool ID: us-east-1_4QCl4RqHO

Problem: API Gateway returns 401 Unauthorized for /findings
Status: βœ… RESOLVED - Application working correctly in v2.0

Solution Applied:

  • βœ… Authentication flow works correctly with embedded configuration
  • βœ… ID tokens are properly generated and used for API calls
  • βœ… Auth interceptor correctly uses ID tokens (not access tokens)
  • βœ… API Gateway Cognito authorizer accepts valid ID tokens
  • βœ… Frontend configuration properly injected with API Gateway ID
  • βœ… CloudFront serves updated files correctly
  • βœ… Professional UI displays comprehensive threat intelligence

Verification Commands:

# 1. Verify API Gateway ID is correctly injected in frontend
cd terraform && terraform output -raw api_gateway_id
# Returns: rshuboi4oh

# 2. Confirm frontend files have correct API Gateway ID (resolve the hashed bundle name first)
MAIN_JS=$(curl -s https://aws.sechub.findings.chinicz.com/ | grep -o 'main[.-][A-Za-z0-9]*\.js' | head -1)
curl -s "https://aws.sechub.findings.chinicz.com/$MAIN_JS" | grep -o "rshuboi4oh"
# Should return the API Gateway ID

# 3. Test application functionality
# Visit https://aws.sechub.findings.chinicz.com
# Authentication should work immediately with embedded configuration

# 4. Verify successful authentication and API calls
# Visit https://aws.sechub.findings.chinicz.com
# Login with ENTRA credentials
# Should see professional Security Hub findings interface with comprehensive data

Problem: ENTRA (Azure AD) authentication issues
Solution:

  1. Verify ENTRA redirect URI: https://us-east-14qcl4rqho.auth.us-east-1.amazoncognito.com/oauth2/idpresponse
  2. Check attribute mapping in Cognito Identity Provider settings
  3. Ensure ENTRA app has correct scopes: openid email profile

Useful Commands

# Check Terraform state
terraform show

# View CloudWatch logs
aws logs tail /aws/lambda/security-hub-findings-security-hub-function --follow

# Test API Gateway
curl -H "Authorization: Bearer {jwt-token}" https://{api-id}.execute-api.us-east-1.amazonaws.com/prod/findings

# Invalidate CloudFront cache
aws cloudfront create-invalidation --distribution-id {distribution-id} --paths "/*"

βœ… Verification & Testing

Successful Deployment Verification

After running ./deploy.sh, verify the application is working:

  1. Authentication Flow:

    # Authentication uses embedded configuration - no API calls needed
    # Visit application URL and test login flow directly
  2. Application Access:

    • Visit: https://aws.sechub.findings.chinicz.com
    • Click "Sign In with AWS Cognito"
    • Complete ENTRA authentication
    • βœ… Security Hub findings are displayed successfully
  3. Browser Dev Tools Verification:

    • Network Tab: /findings requests return 200 OK with Security Hub data
    • Console: Shows "Auth Interceptor: Adding Authorization header with ID token"
    • Application β†’ Session Storage: Contains security_hub_tokens with all three tokens (access, ID, refresh)
  4. Token Verification:

    # Decode ID token from session storage
    python3 test_jwt.py <ID_TOKEN>
    # Should show: "token_use": "id" and correct issuer
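
The token check in step 4, and the 401 troubleshooting above (the authorizer accepts ID tokens, not access tokens), both come down to a few claims. The following is an added example, not the repository's test_jwt.py: it decodes the payload and reports every reason the Cognito authorizer would reject the token. The user pool ID and client ID are the ones in this README; the issuer URL follows Cognito's fixed format, and make_unsigned_token is a constructed helper for offline tests.

```python
import base64
import json
import time

# Values from this README's Cognito setup.
USER_POOL_ID = "us-east-1_4QCl4RqHO"
CLIENT_ID = "4a2vb2k79v0niig5o1vj6vev00"
EXPECTED_ISS = f"https://cognito-idp.us-east-1.amazonaws.com/{USER_POOL_ID}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact token (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(token: str, now=None) -> list:
    """List the reasons an authorizer configured for ID tokens would reject this token.
    Signature verification against the pool's JWKS is still required before trusting it."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("token_use") != "id":
        problems.append(f"token_use is {claims.get('token_use')!r}, authorizer expects 'id'")
    if claims.get("iss") != EXPECTED_ISS:
        problems.append(f"issuer {claims.get('iss')!r} is not the configured user pool")
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud does not match the app client ID (access tokens carry client_id instead)")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired; refresh the session")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: a token with a dummy signature, for offline checks only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.c2ln"
```

Paste the value of `security_hub_tokens` from Session Storage into `check_id_token_claims` to see why a request to /findings would get a 401.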

Key Success Indicators

  • βœ… Application loads with embedded Cognito configuration
  • βœ… ENTRA authentication completes successfully
  • βœ… API Gateway accepts ID tokens and returns Security Hub findings
  • βœ… Lambda functions execute without errors
  • βœ… Security Hub findings are displayed in the UI

Application Status - v1.0 (API Gateway ID: rshuboi4oh)

  • Authentication: βœ… Working - Users can successfully authenticate via ENTRA
  • Token Generation: βœ… Working - ID tokens are properly generated and stored
  • Frontend Configuration: βœ… Working - API Gateway ID properly injected in deployed files
  • API Authorization: βœ… Working - API Gateway Cognito authorizer accepts valid ID tokens
  • Security Hub Integration: βœ… Working - Lambda successfully fetches and returns findings
  • Cache Management: βœ… Working - CloudFront serves updated files correctly

πŸ“š Additional Resources

Documentation

Authentication & Security

Development & Testing

🀝 Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Run tests: npm test and python -m pytest
  4. Submit a pull request

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.
