GuardDuty

General Info
  • Threat detection service which uses ML to continuously monitor for malicious behaviour
    • Unusual API calls, calls from a known malicious IP
    • Attempts to disable CloudTrail logging
    • Unauthorized deployments
    • Compromised instances
    • Reconnaissance by attackers
    • Port scanning, failed logins
  • Use cases
    • Centralize threat detection across multiple AWS accounts
    • Automated response using CloudWatch Events and Lambda
    • Machine learning and anomaly detection
  • Features
    • Alerts appear in the GuardDuty console (90 days) and CloudWatch Events
    • Receives feeds from 3rd parties like Proofpoint, CrowdStrike, and AWS Security for known malicious domains/IP addresses
    • Monitors CloudTrail Logs, VPC Flow Logs, DNS Logs
  • Sends new findings to CloudWatch Events every 5 minutes, and updated findings every 6 hours (default)
  • Regional: can aggregate via CloudWatch Events to push to a central store
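
An added example (not part of the original notes) of the automated-response and central-aggregation pattern above: a Lambda-style handler that flattens GuardDuty finding events from CloudWatch Events into rows for a central store and separates first sightings from updated findings. The routing policy, the helper names, and the sample events are constructed assumptions.

```python
def severity_label(score):
    """GuardDuty severity bands: low < 4.0 <= medium < 7.0 <= high."""
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

def normalize(event):
    """Flatten one CloudWatch Events record into a row for a central store."""
    if (event.get("source") != "aws.guardduty"
            or event.get("detail-type") != "GuardDuty Finding"):
        return None  # some other event on the bus
    d = event["detail"]
    count = d.get("service", {}).get("count", 1)
    return {
        "finding_id": d["id"],
        "account": d["accountId"],
        "region": d["region"],  # keep it: findings are regional
        "type": d["type"],
        "severity": severity_label(float(d["severity"])),
        "count": count,
        "is_update": count > 1,  # re-aggregated finding, not a first sighting
    }

def route(row):
    """Hypothetical policy: page on first sighting of a high finding."""
    if row is None:
        return "ignore"
    if row["severity"] == "high" and not row["is_update"]:
        return "page"
    return "store"

def lambda_handler(event, context=None):
    row = normalize(event)
    return {"action": route(row), "row": row}

def _sample(fid, ftype, severity, count, region):
    """Build a constructed event in the shape GuardDuty publishes."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "accountId": "111122223333", "region": region,
                       "type": ftype, "severity": severity,
                       "service": {"count": count}}}

# Constructed samples, not real findings.
SAMPLE_NEW = _sample("example-id-1", "Backdoor:EC2/C&CActivity.B!DNS", 8, 1, "eu-west-1")
SAMPLE_UPDATE = _sample("example-id-2", "Recon:EC2/PortProbeUnprotectedPort", 2, 14, "us-east-1")

if __name__ == "__main__":
    for ev in (SAMPLE_NEW, SAMPLE_UPDATE, {"source": "aws.ec2"}):
        print(lambda_handler(ev))
```

Keeping `region` and `account` on every row is what lets a single store answer cross-region questions that the regional console cannot.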

Security Hub

General Info
  • Centralizes security-related alerts across accounts and provides a UI for viewing them
  • The biggest limitation is it does not centralize alerts across regions, only across accounts
  • Regional (findings don't cross regions)
  • Multi-account support
  • Findings from:
    • GuardDuty
    • Config
    • Inspector
    • Macie
    • third party
    • self-generated against CIS standards

Audit Manager

General Info
  • Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit

Control Tower

General Info
  • It helps you create new accounts and establish a security baseline for AWS accounts
  • This cannot be used if you already use AWS Organizations or if you previously used Landing Zone


Inspector

General Info
  • Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
  • Automatically assesses applications for vulnerabilities or deviations from best practices
  • Monitor network/file system/process activity within the specified target
  • Template = Rules packages (predefined only), target EC2 instances, SNS topic
  • Network reachability = enumerates which ports are accessible from outside of a VPC (plus which processes are listening on those ports, when agents are installed)
  • Rules packages:
    • Common Vulnerabilities and Exposures (CVEs)
    • CIS Benchmarks (OS Security Configuration)
    • Security Best Practices (OS config including remote access)
    • Runtime Behavior Analysis (protocols, ports, software config)
  • Requirements
    • Agent required for host config
    • Service linked role to enumerate EC2 instances and network config
  • Setup
    • create "Assessment target"
    • install agents on EC2 instances
    • create "Assessment template"
    • perform "Assessment run"
    • review "Findings" against "Rules"


Detective

General Info
  • Continuously extracts temporal events such as login attempts, API calls, and network traffic from GuardDuty, CloudTrail, and VPC Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment
  • Automatically correlates user activity without the need for you to enable, store, or retain logs manually

Trusted Advisor

  • Makes recommendations on cost reductions, availability/performance, and security
  • Business/enterprise subscription for all features
  • Exclusions
    • Can exclude resources from all checks
    • Can't suppress individual checks


  • Categories
    1. Cost Optimization
    2. Security
    3. Fault Tolerance
    4. Performance
    5. Service Limits
  • Core Checks
    1. S3 Bucket Permissions
    2. Security Groups - Specific Ports Unrestricted
    3. IAM Use
    4. MFA on Root Account
    5. EBS Public Snapshots
    6. RDS Public Snapshots
    7. Service Limits
  • Security Checks
    • Security group open access to specific high-risk ports
    • Security group unrestricted access
    • Open write and list access to S3 buckets
    • MFA on root account
    • Overly permissive RDS security group
    • Use of CloudTrail
    • Route 53 MX records have SPF records
    • ELB with poor or missing HTTPS config
    • ELB security groups missing or overly permissive
    • CloudFront cert checks - expired, weak, misconfigured
    • IAM access keys not rotated in last 90 days
    • Exposed access keys on GitHub etc.
    • Public EBS or RDS snapshots
    • Missing or weak IAM password policy


Macie

General Info
  • Security service which uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
  • Works directly with data stored in S3, but can also analyze CloudTrail logs
  • Monitors
    • Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
    • Watches policy and ACL changes
    • Watches access patterns via CloudTrail
  • Data classifications
    • by Content Type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
    • by Theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
    • by file extension (.bin, .c, .bat, .exe, .html, .sql)
    • by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco Router Config)