Other

GuardDuty

  • Analyzes selected logs to produce observable records of suspicious activities (findings)
    • VPC Flow Logs (does not require you to enable VPC Flow Logs)
    • CloudTrail (does not require you to create a trail)
    • DNS queries (from VPC DNS resolvers)
  • Regional: can aggregate via CloudWatch Events to push to a central store
  • Based on threat intelligence (IP addresses and domain-based lists) and machine learning
    • Receives feeds from third parties such as Proofpoint, CrowdStrike, and AWS Security for known malicious domains/IP addresses
  • Examples of malicious behaviour flagged
    • Unusual API calls, calls from a known malicious IP
    • Attempts to disable CloudTrail logging
    • Unauthorized deployments
    • Compromised instances
    • Reconnaissance by attackers
    • Port scanning, failed logins

Components

Detector:
  • Consumes information and generates findings within a specific AWS account and region
  • Suspension:
    • GuardDuty allows you to disable or suspend the detector in an account, on a per-region basis
    • Suspending a detector stops the detection of new findings but keeps information about previously detected findings
    • Disabling a detector stops the detection and deletes all related findings
Finding:
  • Attributes:
    • ID
    • time of the finding
    • severity
    • finding type
    • affected resources
    • action details
  • Naming convention: the finding type name contains, in order
    1. Threat purpose (objective of the attack)
    2. Resource type affected by the suspicious activity
    3. Threat family name and variant (optional)
    4. Artifact (type of resource owned by the attacker)
Master Account:
  • The master account receives findings from other (member) accounts
  • Has the capability to:
    • manage (enable, disable, or suspend) the detectors
    • manage the findings workflow (archive and create suppression rules)
    • configure threat lists for member accounts

Delivery of Findings

Archive:
  • You can automatically send findings to an archive by creating suppression rules
  • Each suppression rule is represented by a filter
  • When a finding matches the filter, the finding is automatically marked as archived
GuardDuty Console: findings from the last 90 days
S3:
  • GuardDuty exports active (not suppressed) findings within 5 minutes of their first occurrence
  • If an active finding receives recurrent events, you can configure how frequently those events are reported (every 15 minutes, 1 hour, or 6 hours)
  • Exported files of findings are encrypted with KMS
CloudWatch Events: new findings are sent to CloudWatch Events every 5 minutes, and updated findings every 6 hours (default)
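As an added illustration (not code from these notes), the Python below parses finding type names into the four parts listed under the Finding component above and evaluates a suppression rule locally, using the FindingCriteria shape that GuardDuty's CreateFilter API accepts. The sample findings are constructed, the "honeypot" tag is an assumed convention, and the evaluator is an approximation of GuardDuty's matching (dotted field paths, AND across criteria, any-of across list values) rather than the service's own code.

```python
import re

# GuardDuty finding types follow the documented layout
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact
# where the ".Variant" and "!Artifact" parts are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)"
    r"/(?P<family>[A-Za-z0-9]+)(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)


def parse_finding_type(finding_type: str) -> dict:
    """Split a finding type string into its named parts (None for absent optional parts)."""
    match = FINDING_TYPE_RE.match(finding_type)
    if not match:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return match.groupdict()


# Constructed sample findings, trimmed to the fields the rule below looks at.
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"instanceDetails": {"tags": [{"key": "role", "value": "honeypot"}]}}},
    {"id": "f2", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
     "resource": {"instanceDetails": {"tags": [{"key": "role", "value": "web"}]}}},
    {"id": "f3", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"instanceDetails": {"tags": [{"key": "role", "value": "web"}]}}},
]

# A suppression rule in the FindingCriteria shape CreateFilter takes (with Action=ARCHIVE):
# archive low-severity port probes against instances tagged as honeypots (assumed convention).
HONEYPOT_PROBE_RULE = {
    "Criterion": {
        "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
        "severity": {"Lte": 4},
        "resource.instanceDetails.tags.value": {"Eq": ["honeypot"]},
    }
}

OPERATORS = {
    "Eq": lambda value, arg: str(value) in {str(a) for a in arg},
    "Neq": lambda value, arg: str(value) not in {str(a) for a in arg},
    "Gt": lambda value, arg: float(value) > float(arg),
    "Gte": lambda value, arg: float(value) >= float(arg),
    "Lt": lambda value, arg: float(value) < float(arg),
    "Lte": lambda value, arg: float(value) <= float(arg),
}


def resolve_path(finding: dict, path: str) -> list:
    """Collect every value reachable via a dotted path; lists along the way fan out,
    so "resource.instanceDetails.tags.value" yields the value of every tag."""
    nodes = [finding]
    for part in path.split("."):
        next_nodes = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    next_nodes.append(item[part])
        nodes = next_nodes
    flat = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def criterion_matches(finding: dict, field: str, condition: dict) -> bool:
    """A criterion holds when some value at the field satisfies every operator in it."""
    values = resolve_path(finding, field)
    return bool(values) and all(
        any(OPERATORS[op](v, arg) for v in values) for op, arg in condition.items()
    )


def apply_suppression_rule(findings: list, finding_criteria: dict) -> list:
    """Return the ids of the findings the rule would archive (all criteria must match)."""
    criterion = finding_criteria["Criterion"]
    return [
        f["id"] for f in findings
        if all(criterion_matches(f, field, cond) for field, cond in criterion.items())
    ]


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["id"], parse_finding_type(f["type"]))
    print("archived:", apply_suppression_rule(SAMPLE_FINDINGS, HONEYPOT_PROBE_RULE))
```

Running the block locally before creating the filter in the console shows which of the sample findings a rule would silently archive; only f1 matches, because f2 is a different finding type and f3 lacks the honeypot tag. Keep suppression criteria this narrow: a rule keyed on type alone would also hide the probe against the production instance.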

Inspector

  • Evaluates the security status of EC2, ECR, Lambda
  • Automatically assesses applications for vulnerabilities or deviations from best practices
  • Uses automated reasoning to analyze network access policies and alert about breaches

Information gathering

Network (Network Assessment): network reachability, i.e. enumerates which ports are accessible from outside the VPC (and, with the agent installed, which process is listening on those ports)
OS & apps (Host Assessment):
  • Monitors file system/processes
  • Via an Amazon Inspector Agent (requires a linked role to enumerate EC2 instances and network config)

Components

Rule:
  • Predefined security check to evaluate against an EC2 instance
  • Severity levels: high, medium, low, informational
Rule Packages:
  • Collection of rules
  • Examples:
    • Common Vulnerabilities and Exposures (CVEs)
    • CIS Benchmarks (OS security configuration)
    • Security Best Practices (OS config including remote access)
    • Runtime Behavior Analysis (protocols, ports, software config)
Assessment Target: list of EC2 instances (can filter by tags)
Assessment Template:
  • Defines which Rule Packages run on which Assessment Target
  • Can be run multiple times
Assessment Run: contains the results (findings) of one execution of an Assessment Template
Finding:
  • Stored as JSON
  • Each contains:
    • Severity
    • Date of discovery
    • Description
    • Recommendations

Delivery of Findings

PDF/HTML Report:
  • Can be generated for each assessment run
  • Inspector collects instances' telemetry data in JSON-formatted files and stores them in an Inspector-owned S3 bucket
  • You cannot access these files (after a 30-day retention period they are automatically deleted)
Stream:
  • Define an SNS topic in the assessment template
  • The topic will receive notifications when a finding is reported and when an assessment run starts, finishes, or changes its state

Security Hub

  • Centralizes security-related alerts across accounts and provides a UI for viewing them
  • The biggest limitation is that it does not centralize alerts across regions, only across accounts
  • Findings from:
    • GuardDuty
    • Config
    • Inspector
    • Macie
    • Firewall Manager
    • IAM Access Analyzer
    • third party
    • self-generated against CIS standards

Components

Security Standard:
  • A list of security controls and the definition of how those should be configured
  • Security Hub compares the current environment status with the expected controls the security standard establishes
    • Change-triggered checks: run when a change in the monitored resource is detected (requires the resource to be supported by AWS Config)
    • Scheduled checks: periodic check no later than 12h after the last execution
  • As a result of the comparison, Security Hub produces a verdict of compliance for each of the controls
Workflow:
  • Describes a series of stages in which a finding can be positioned at any point in time
  • Finding attributes:
    • WorkflowStatus: New, Notified, Suppressed, Resolved
    • RecordState: Active, Archived
Insights: filters and groupings that let you see affected resources in groups to facilitate analysis

Delivery

  • Security Hub integrates with EventBridge at two levels
    1. EventBridge captures in the default bus the findings reported by Security Hub
    2. Custom actions
      • You configure a unique ID and a name for the custom action, plus the action to execute
      • Security Hub then reports an event to EventBridge carrying the findings or insight information, together with an attribute that marks the event as a custom action and another attribute holding the custom action's unique ID
  • You can apply a custom action for up to 20 findings and up to 100 resource identifiers (from insights) at the same time

Remediation

Manual
Semi-Automatic: use predefined custom actions
Automatic:
  • All findings from Security Hub generate CloudWatch Events
  • From the Amazon CloudWatch Events console, you can create a rule using Security Hub as the service name and setting "Security Hub Findings - Imported" as the Event Type
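The two EventBridge integration levels described under Delivery, and the automatic-remediation rule just described, can be checked without deploying anything. The Python below is an added example (not code from these notes or from AWS): it holds two rule patterns in the same JSON shape an EventBridge rule uses, a minimal pattern matcher, constructed Security Hub events, and a builder for the BatchUpdateFindings request a handler would send to move a finding from New to Notified. The "Security Hub Findings - Custom Action" detail-type and the custom action ARN layout are assumptions of this example; the account id and action name are constructed.

```python
import copy

# Constructed EventBridge event patterns (same shape a rule's event pattern uses).
RULES = {
    "imported-high": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Imported"],
        "detail": {"findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
            "RecordState": ["ACTIVE"],
        }},
    },
    "custom-action": {
        "source": ["aws.securityhub"],
        "detail-type": ["Security Hub Findings - Custom Action"],
        # Assumed custom action ARN layout; account id and action name are constructed.
        "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToTicketing"],
    },
}

# Constructed events; the finding body is trimmed to the fields the rules read.
_FINDING = {
    "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE/finding/f1",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
    "Severity": {"Label": "HIGH", "Normalized": 70},
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE",
}
IMPORTED_HIGH_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "resources": [_FINDING["ProductArn"]],
    "detail": {"findings": [_FINDING]},
}
IMPORTED_LOW_EVENT = copy.deepcopy(IMPORTED_HIGH_EVENT)
IMPORTED_LOW_EVENT["detail"]["findings"][0]["Severity"] = {"Label": "LOW", "Normalized": 20}
CUSTOM_ACTION_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": ["arn:aws:securityhub:us-east-1:111122223333:action/custom/SendToTicketing"],
    "detail": {"actionName": "SendToTicketing", "findings": [_FINDING]},
}


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge semantics: every key in the pattern must exist in the event;
    a list of literals matches when the event value (or any element, if the event holds
    a list) equals one of them; a nested dict recurses. When the event holds a list of
    objects, this version requires one element to satisfy the whole sub-pattern, which
    is slightly stricter than EventBridge's per-field matching."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        candidates = actual if isinstance(actual, list) else [actual]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and pattern_matches(expected, c) for c in candidates):
                return False
        elif not any(c in expected for c in candidates):
            return False
    return True


def route(event: dict) -> list:
    """Names of the rules whose pattern the event satisfies."""
    return [name for name, pattern in RULES.items() if pattern_matches(pattern, event)]


def workflow_update(event: dict, status: str = "NOTIFIED") -> dict:
    """Build the BatchUpdateFindings request a handler would send to move the event's
    findings along the workflow (New -> Notified by default); nothing is sent here."""
    return {
        "FindingIdentifiers": [
            {"Id": f["Id"], "ProductArn": f["ProductArn"]}
            for f in event["detail"]["findings"]
        ],
        "Workflow": {"Status": status},
    }


if __name__ == "__main__":
    for name, event in [("high", IMPORTED_HIGH_EVENT), ("low", IMPORTED_LOW_EVENT),
                        ("custom", CUSTOM_ACTION_EVENT)]:
        print(name, "->", route(event))
    print(workflow_update(IMPORTED_HIGH_EVENT))
```

The "imported-high" pattern filters on Workflow.Status NEW and RecordState ACTIVE as well as severity, so a rule built from it does not refire every 6 hours for findings an analyst has already marked Notified or Resolved, and the custom-action pattern keys on the action ARN rather than the finding, so only the analyst-triggered path reaches the ticketing handler.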

Detective

General Info
  • Continuously extracts temporal events such as login attempts, API calls, and network traffic from GuardDuty, CloudTrail, and VPC Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment
  • Automatically correlates user activity without the need for you to enable, store, or retain logs manually

Trusted Advisor

  • Makes recommendations on cost reductions, reliability, performance, and security
  • Monitors how close you are to reaching service limits
  • A Business or Enterprise support subscription is needed for all features
  • Operations
    • Checks resources throughout all regions
    • It is enabled or disabled at the account level
    • Exclusions
      • Can exclude resources from all checks
      • Can't suppress individual checks

Checks

Categories:
  1. Cost Optimization
  2. Security
  3. Fault Tolerance
  4. Performance
  5. Service Limits
Core Checks:
  1. S3 Bucket Permissions
  2. Security Groups - Specific Ports Unrestricted
  3. IAM Use
  4. MFA on Root Account
  5. EBS Public Snapshots
  6. RDS Public Snapshots
  7. Service Limits
Security Checks:
  • Security group open access to specific high-risk ports
  • Security group unrestricted access
  • Open write and list access to S3 buckets
  • MFA on root account
  • Overly permissive RDS security group
  • Use of CloudTrail
  • Route 53 MX records have SPF records
  • ELB with poor or missing HTTPS config
  • ELB security groups missing or overly permissive
  • CloudFront certificate checks: expired, weak, misconfigured
  • IAM access keys not rotated in the last 90 days
  • Exposed access keys on GitHub etc.
  • Public EBS or RDS snapshots
  • Missing or weak IAM password policy

Macie

General Info
  • Security service which uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
  • Works directly with data stored in S3, but can also analyze CloudTrail logs
Characteristics
  • Monitors
    • Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
    • Watches policy and ACL changes
    • Watches access patterns via CloudTrail
  • Data classifications
    • by Content Type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
    • by Theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
    • by file extension (.bin, .c, .bat, .exe, .html, .sql)
    • by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco Router Config)
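To make the four classification dimensions concrete, here is an added example (not from these notes, and not Macie's own detection logic, which is not public) that classifies a handful of constructed S3 objects by sniffed content type, by the page's list of file extensions, and by regular-expression themes. The three regexes, the magic-byte table and the sample objects are assumptions of this example; the access-key pattern matches the documented AKIA prefix layout and the secret values are placeholders.

```python
import json
import re

# Extension list taken from the page; everything else in this block is constructed.
RISKY_EXTENSIONS = {".bin", ".c", ".bat", ".exe", ".html", ".sql"}

# Regex themes (constructed): a keyword, an AWS access key id shape, and a PEM key header.
REGEX_THEMES = {
    "aws_secret_key": re.compile(r"aws_secret(?:_access)?_key", re.IGNORECASE),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Magic-byte prefixes used to recognise a few binary container types.
MAGIC = [(b"PK\x03\x04", "ZIP"), (b"MZ", "EXE"), (b"%PDF", "PDF")]

# Constructed objects: (S3 key, body bytes). Secrets are placeholders, not real values.
SAMPLE_OBJECTS = [
    ("config/prod.json", b'{"aws_secret_key": "PLACEHOLDER-NOT-A-REAL-SECRET", "region": "eu-west-1"}'),
    ("keys/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDERBODY\n-----END RSA PRIVATE KEY-----\n"),
    ("web/index.html", b"<html><body>hello</body></html>"),
    ("tools/run.bat", b"@echo off\r\necho hi\r\n"),
]


def sniff_content_type(data: bytes) -> str:
    """Classify by content rather than by name: magic bytes first, then markup, then JSON."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    text = data.decode("utf-8", errors="replace").lstrip()
    if text.startswith("<"):
        return "HTML/XML"
    try:
        json.loads(text)
        return "JSON"
    except ValueError:
        return "TEXT"


def classify_object(key: str, data: bytes) -> dict:
    """Return the content type, the extension flag and every regex theme that fires."""
    name = key.rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    text = data.decode("utf-8", errors="replace")
    hits = sorted(theme for theme, rx in REGEX_THEMES.items() if rx.search(text))
    return {
        "key": key,
        "content_type": sniff_content_type(data),
        "extension_flag": ext in RISKY_EXTENSIONS,
        "regex_hits": hits,
        # Only a regex hit marks an object sensitive; extension and type are context.
        "sensitive": bool(hits),
    }


def scan_bucket(objects: list) -> list:
    return [classify_object(key, data) for key, data in objects]


def sensitive_keys(objects: list) -> list:
    """Keys that would warrant a finding (e.g. key material in a world-readable bucket)."""
    return [c["key"] for c in scan_bucket(objects) if c["sensitive"]]


if __name__ == "__main__":
    for c in scan_bucket(SAMPLE_OBJECTS):
        print(c)
    print("sensitive:", sensitive_keys(SAMPLE_OBJECTS))
```

The separation matters in practice: keys/id_rsa has no extension and is plain text, so only the regex theme catches it, while web/index.html trips the extension list but holds nothing sensitive; combining the dimensions is what keeps the result useful rather than noisy.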

Audit Manager

General Info
  • Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit

Control Tower

General Info
  • It helps you create new accounts and establish a security baseline for AWS accounts
  • This cannot be used if you already use AWS Organizations or if you previously used Landing Zone