If you’ve ever worked with AWS Security Hub, you know the feeling: thousands of security findings scattered across multiple accounts, buried in the AWS console, and no easy way to share them with your team. Sure, the data is there, but getting actionable insights? That’s a different story.
That’s why I built Prism.
What is Prism?
Prism is a CLI tool that transforms AWS Security Hub findings into something you can actually work with. Written in Go, it collects security findings from AWS and presents them in multiple formats—interactive HTML reports, JSON exports, CSV spreadsheets, Markdown documents, or colourised terminal output.
But it’s more than just a data formatter. Prism is designed around how security teams actually work: filtering by severity, grouping by AWS account, diving deep into specific controls, and sharing reports with stakeholders who don’t have AWS console access.
The Problem
AWS Security Hub is powerful. It aggregates findings from multiple security services (GuardDuty, Inspector, Macie, etc.) and third-party tools into a single place. But when you’re managing security across 10+ AWS accounts with thousands of findings, the console becomes unwieldy:
- No easy filtering: Want to see only CRITICAL and HIGH severity findings for a specific control? Good luck clicking through filters.
- Limited reporting: The built-in dashboards are fine, but try sharing that with your security team or compliance officer.
- API pagination nightmares: Programmatic access means dealing with pagination tokens and rate limits.
- No offline analysis: Every query hits the AWS API, which is slow and costs money.
How Prism Solves This
Smart Caching
Prism implements a two-tier caching system. When you run prism collect, it fetches all findings from AWS Security Hub and stores them locally in JSON files. Subsequent commands (summary, detail, report, etc.) work entirely from the cache—no AWS credentials required, no API calls, instant results.
Need fresh data? Use the --force flag to bypass the cache.
Multiple Views, Same Data
Once you’ve collected findings, you can slice and dice them however you need:
- Summary view: Overview of findings by severity, compliance status, and workflow state
- Detail view: Deep-dive into specific security controls with granular filtering
- Accounts view: Findings grouped by AWS account to identify which accounts need attention
- Controls view: All security controls with metrics on affected accounts and unresolved findings
- Resources view: Findings categorised by AWS resource type (EC2, S3, IAM, etc.)
Each view supports filtering by severity, account ID, workflow status, and compliance status.
Output Formats for Every Audience
Different stakeholders need different formats:
- Interactive HTML: Self-contained reports with dark mode, filterable tables, and charts. Perfect for sharing via email.
- Terminal output: ANSI-colourised summaries for quick command-line reviews
- JSON: Programmatically parseable for integration with other tools
- CSV: Import into Excel or Google Sheets for analysis
- Markdown: Document-friendly format for wikis or reports
Example Workflow
Here’s a typical workflow:
# Collect findings from AWS Security Hub
prism collect --dir ./findings --region ca-central-1 --profile production
# Generate a quick summary
prism summary --dir ./findings --severity-filter critical,high
# Deep-dive into a specific control
prism detail --control-id IAM.1 --filter-severity high,critical --dir ./findings
# Generate an HTML report for stakeholders
prism report --dir ./findings --output security-report.html
# Export to CSV for compliance documentation
prism export --dir ./findings --format csv --output findings.csv
Why I Built This
I was managing security across multiple AWS accounts and found myself constantly frustrated with Security Hub’s limitations. I needed:
- Offline analysis: Share findings with teams who don’t have AWS access
- Flexible filtering: Focus on what matters without clicking through console filters
- Shareable reports: Something I could send to non-technical stakeholders
- Speed: Analysing thousands of findings shouldn’t take minutes
Prism addresses all of these. It’s the tool I wish existed when I started working with Security Hub.
Technical Highlights
For those curious about the implementation:
- Written in Go: Fast, compiled binary with no runtime dependencies
- Clean architecture: Separation of concerns with interface-based design
- Well-tested: >76% test coverage with table-driven tests
- Idiomatic Go: Uses Cobra for CLI, AWS SDK v2, and Go’s standard library
- Smart control extraction: Automatically parses control IDs from AWS GeneratorId fields
- Self-contained HTML: Reports embed all CSS/JS, making them completely portable
The codebase follows my personal Go best practices: no third-party mocking libraries, business logic in the root package, CLI entrypoint in cmd/prism, and everything orchestrated with Go Task instead of Make.
Who Should Use Prism?
Prism is designed for:
- Security teams managing multi-account AWS environments
- DevOps engineers integrating security scanning into CI/CD pipelines
- Cloud compliance officers preparing audit reports
- AWS security architects conducting compliance reviews
- Security operations centres monitoring AWS environments
If you’re responsible for AWS security and drowning in Security Hub findings, Prism can help.
Get Started
Prism is open source and available on GitHub: github.com/scottbrown/prism
# Build from source
git clone https://github.com/scottbrown/prism.git
cd prism
task build
# The binary will be in ./.build/prism
You’ll need:
- Go 1.25+
- AWS credentials configured (for the
collectcommand) - IAM permissions:
securityhub:GetFindingsandsts:GetCallerIdentity
Check the README for detailed installation and usage instructions.
What’s Next?
Prism is actively maintained, and I have plans for a lot of features. If you try Prism, I’d love to hear your feedback. Open an issue on GitHub or reach out on social media.
AWS Security Hub is a powerful tool, but it shouldn’t be a black box. Prism makes your security findings accessible, actionable, and shareable. Give it a try and see how it fits into your security workflow.