# Other

## GuardDuty

- General Info
    - Threat detection service which uses ML to continuously monitor for malicious behaviour, such as:
        - Unusual API calls, calls from a known malicious IP
        - Attempts to disable CloudTrail logging
        - Unauthorized deployments
        - Compromised instances
        - Reconnaissance by attackers
            - Port scanning, failed logins
    - Use cases
        - Centralize threat detection across multiple AWS accounts
        - Automated response using CloudWatch Events and Lambda
        - Machine learning and anomaly detection
- Characteristics
    - Features
        - Alerts appear in the GuardDuty console (retained for 90 days) and in CloudWatch Events
        - Receives threat feeds from third parties such as Proofpoint and CrowdStrike, and from AWS Security, for known malicious domains/IP addresses
        - Monitors CloudTrail logs, VPC Flow Logs and DNS logs
        - Sends new findings to CloudWatch Events within 5 minutes, and updated findings every 6 hours (default)
        - Regional service: aggregate across regions by using CloudWatch Events to push findings to a central store
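The "automated response using CloudWatch Events and Lambda" use case, as an added example for these notes (not code from the notes or from AWS): an EventBridge rule pattern that matches GuardDuty findings in each region, and a Lambda handler that triages each finding by severity band, escalating any attempt to disable CloudTrail logging regardless of its numeric score. The handler returns a routing decision instead of publishing to SNS or a ticketing system (that wiring is left to the caller, by assumption), so it runs and can be tested offline. The sample events are constructed; the finding type names are real GuardDuty types, while the ids, account numbers and severity values are placeholders chosen for the example.

```python
"""Automated response to GuardDuty findings delivered through a CloudWatch Events
(EventBridge) rule to a Lambda function. Added example, not AWS's own code."""

# Event pattern for an EventBridge rule in every region where GuardDuty runs.
# Each region's rule targets the same function (or a central event bus), which
# is how findings from many regions and accounts end up in one place.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Finding types that page on-call regardless of numeric severity, because they
# indicate tampering with the logging pipeline the detection depends on.
ALWAYS_ESCALATE = {"Stealth:IAMUser/CloudTrailLoggingDisabled"}

# Routing by severity band: page a human, open a ticket, or just keep the record.
ACTION_BY_SEVERITY = {"HIGH": "page", "MEDIUM": "ticket", "LOW": "log"}


def event_matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics (assumption: enough for
    this rule). Every pattern key must be present in the event, and its value
    must be one of the listed alternatives; nested dict patterns recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not event_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage_finding(event):
    """Return the routing decision for one finding, or None if the event is not
    a GuardDuty finding (a rule with GUARDDUTY_EVENT_PATTERN would filter it)."""
    if not event_matches(GUARDDUTY_EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    label = severity_label(float(detail["severity"]))
    action = "page" if detail["type"] in ALWAYS_ESCALATE else ACTION_BY_SEVERITY[label]
    return {
        "account": detail["accountId"],
        "region": detail["region"],
        "finding_id": detail["id"],
        "type": detail["type"],
        "severity": label,
        "action": action,
    }


def lambda_handler(event, context):
    """Lambda entry point; EventBridge invokes it with one finding per event.
    A real deployment would forward the decision to SNS or a ticket queue here."""
    return triage_finding(event)


def _finding_event(region, finding_type, severity, finding_id):
    """Constructed event in the shape EventBridge delivers GuardDuty findings."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": region,
        "account": "111111111111",  # placeholder account id
        "detail": {
            "id": finding_id,
            "accountId": "111111111111",
            "region": region,
            "type": finding_type,
            "severity": severity,  # severity values chosen for the example
        },
    }


SAMPLE_EVENTS = [  # constructed
    _finding_event("us-east-1", "Stealth:IAMUser/CloudTrailLoggingDisabled", 2, "finding-placeholder-1"),
    _finding_event("eu-west-1", "UnauthorizedAccess:EC2/SSHBruteForce", 5, "finding-placeholder-2"),
    _finding_event("us-east-1", "Recon:EC2/PortProbeUnprotectedPort", 2, "finding-placeholder-3"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "detail": {}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(lambda_handler(ev, None))
```

The escalation set is the point of the example: GuardDuty rates a disabled CloudTrail trail as a Low finding, but because every other detection on this page depends on CloudTrail, the handler pages for it anyway rather than trusting the numeric score alone.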

## Security Hub

- General Info
    - Centralizes security-related alerts across accounts, and provides a UI for viewing them
    - The biggest limitation is that it does not centralize alerts across regions, only across accounts
- Characteristics
    - Regional (findings don't cross regions)
    - Multi-account support
    - Findings from:
        - GuardDuty
        - Config
        - Inspector
        - Macie
        - third-party products
        - self-generated checks against CIS standards

## Audit Manager

- General Info
    - Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you prepare for an audit

## Control Tower

- General Info
    - Helps you create new accounts and establish a security baseline for AWS accounts
    - Cannot be used if you already use AWS Organizations or if you previously used Landing Zone

## Inspector

- General Info
    - Automated security assessment service that helps improve the security and compliance of applications deployed on AWS
    - Automatically assesses applications for vulnerabilities or deviations from best practices
    - Monitors network, file system and process activity within the specified target
- Characteristics
    - Assessment template = rules packages (predefined only) + assessment target (EC2 instances) + SNS topic for notifications
    - Network reachability = enumerates which ports are reachable from outside the VPC (and, with agents installed, which process is listening on each port)
    - Rules packages:
        - Common Vulnerabilities and Exposures (CVEs)
        - CIS Benchmarks (OS security configuration)
        - Security Best Practices (OS configuration, including remote access)
        - Runtime Behavior Analysis (protocols, ports, software configuration)
- Deployment
    - Requirements
        - Agent required for host configuration checks
        - Service-linked role to enumerate EC2 instances and network configuration
    - Setup
        - create an "Assessment target"
        - install agents on the EC2 instances
        - create an "Assessment template"
        - perform an "Assessment run"
        - review "Findings" against "Rules"
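The setup steps above carried through end to end, as an added example for these notes (not AWS's own code). `run_assessment()` drives the Inspector classic API through boto3 (it needs credentials and a region, and selecting target instances by EC2 tag is an assumption) and only executes when called; agent installation happens out of band via SSM or user data, so it is a comment rather than a call. `pick_rules_packages()` and `summarize_findings()` are pure and run offline on the constructed sample package list and findings at the bottom; the rules package ARNs there are placeholders, not real ARNs.

```python
"""Inspector (classic) walk-through: assessment target, agents, assessment
template, assessment run, then review of findings per rules package.
Added example for these notes, not AWS's own code."""
import time
from collections import Counter

RUN_FINISHED = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED", "ERROR", "CANCELED"}


def pick_rules_packages(packages, wanted_names):
    """Choose rules package ARNs by partial name from describe_rules_packages
    output; packages are predefined, the template only selects among them."""
    return [p["arn"] for p in packages
            if any(w.lower() in p["name"].lower() for w in wanted_names)]


def summarize_findings(findings):
    """Group describe_findings output by rules package: count per severity and
    the agents (instances) affected, so a run is reviewed rule by rule."""
    summary = {}
    for f in findings:
        pkg = f["serviceAttributes"]["rulesPackageArn"].rsplit("/", 1)[-1]
        entry = summary.setdefault(pkg, {"by_severity": Counter(), "agents": set()})
        entry["by_severity"][f["severity"]] += 1
        entry["agents"].add(f["assetAttributes"]["agentId"])
    return summary


def run_assessment(tag_key, tag_value, wanted_names, duration_s=3600, region=None):
    """Target -> template -> run -> findings. Assumes agents are already installed."""
    import boto3  # lazy import: the pure helpers above work without it
    inspector = boto3.client("inspector", region_name=region)
    # 1. Assessment target: EC2 instances selected by tag through a resource group
    group = inspector.create_resource_group(
        resourceGroupTags=[{"key": tag_key, "value": tag_value}])
    target = inspector.create_assessment_target(
        assessmentTargetName=f"target-{tag_value}",
        resourceGroupArn=group["resourceGroupArn"])
    # 2. Agents: installed out of band (SSM / user data) on the targeted instances
    # 3. Assessment template: predefined rules packages plus a run duration
    arns = inspector.list_rules_packages()["rulesPackageArns"]
    packages = inspector.describe_rules_packages(rulesPackageArns=arns)["rulesPackages"]
    template = inspector.create_assessment_template(
        assessmentTargetArn=target["assessmentTargetArn"],
        assessmentTemplateName=f"template-{tag_value}",
        durationInSeconds=duration_s,
        rulesPackageArns=pick_rules_packages(packages, wanted_names))
    # 4. Assessment run, polled until it reaches a terminal state
    run_arn = inspector.start_assessment_run(
        assessmentTemplateArn=template["assessmentTemplateArn"],
        assessmentRunName=f"run-{int(time.time())}")["assessmentRunArn"]
    while True:
        state = inspector.describe_assessment_runs(
            assessmentRunArns=[run_arn])["assessmentRuns"][0]["state"]
        if state in RUN_FINISHED:
            break
        time.sleep(30)
    # 5. Findings: list (paginated), then describe in batches of at most 100 ARNs
    finding_arns = [a for page in inspector.get_paginator("list_findings").paginate(
        assessmentRunArns=[run_arn]) for a in page["findingArns"]]
    findings = []
    for i in range(0, len(finding_arns), 100):
        findings += inspector.describe_findings(
            findingArns=finding_arns[i:i + 100])["findings"]
    return summarize_findings(findings)


PKG = "arn:aws:inspector:REGION:ACCOUNT:rulespackage/"  # placeholder ARN prefix
SAMPLE_PACKAGES = [  # constructed, shaped like describe_rules_packages output
    {"arn": PKG + "0-cve-placeholder", "name": "Common Vulnerabilities and Exposures"},
    {"arn": PKG + "0-cis-placeholder", "name": "CIS Operating System Security Configuration Benchmarks"},
    {"arn": PKG + "0-rba-placeholder", "name": "Runtime Behavior Analysis"},
]


def _finding(pkg, severity, agent, title):
    """Constructed finding with the subset of describe_findings fields used above."""
    return {"serviceAttributes": {"rulesPackageArn": PKG + pkg},
            "assetAttributes": {"agentId": agent}, "severity": severity, "title": title}


SAMPLE_FINDINGS = [  # constructed
    _finding("0-cve-placeholder", "High", "i-placeholder-1", "Missing security update (example)"),
    _finding("0-cve-placeholder", "High", "i-placeholder-2", "Missing security update (example)"),
    _finding("0-cve-placeholder", "Medium", "i-placeholder-1", "Outdated package (example)"),
    _finding("0-cis-placeholder", "Low", "i-placeholder-1", "CIS benchmark deviation (example)"),
]

if __name__ == "__main__":
    for pkg, entry in summarize_findings(SAMPLE_FINDINGS).items():
        print(pkg, dict(entry["by_severity"]), sorted(entry["agents"]))
```

The summary groups by rules package on purpose: a CVE hit on two hosts and a CIS deviation on one are reviewed by different people, and grouping by the rule that fired (rather than by instance) is what the "review Findings against Rules" step means in practice.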

## Detective

- General Info
    - Continuously extracts temporal events such as login attempts, API calls and network traffic from GuardDuty, CloudTrail and VPC Flow Logs into a graph model that summarizes the resource behaviours and interactions observed across your entire AWS environment
    - Automatically correlates user activity without the need for you to enable, store or retain logs manually

## Trusted Advisor

- Description
    - Makes recommendations on cost reduction, availability/performance, and security
    - Business or Enterprise support subscription required for all features
    - Exclusions
        - Can exclude resources from all checks
        - Can't suppress individual checks
- Checks

Categories | Core Checks | Security Checks
---|---|---

## Macie

- General Info
    - Security service which uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
    - Works directly with data stored in S3, but can also analyze CloudTrail logs
- Characteristics
    - Monitors
        - Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
        - Watches policy and ACL changes
        - Watches access patterns via CloudTrail
    - Data classifications
        - by content type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
        - by theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
        - by file extension (.bin, .c, .bat, .exe, .html, .sql)
        - by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco router config)
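The extension, theme and regular-expression classifications above, implemented as an added example for these notes (not Macie's own rule set, which is not public in this form). The regexes and keyword lists are illustrative approximations (assumption), and the sample bucket contents are constructed, using the AWS documentation's placeholder access key and secret rather than real credentials. The report redacts every regex hit: a classifier that echoes the secret it found into a findings store has just made a second copy of it.

```python
"""Sensitive-data classification of S3 object content by file extension,
theme keywords and regular expression. Added example, not Macie's rule set."""
import os
import re

# File extensions the notes list as classification triggers
FLAGGED_EXTENSIONS = {".bin", ".c", ".bat", ".exe", ".html", ".sql"}

# Theme keywords, matched case-insensitively as substrings (simplified stand-in
# for the card-brand and banking/financial keyword themes; assumption)
THEME_KEYWORDS = {
    "payment_card": ("visa", "mastercard", "amex", "american express"),
    "banking": ("iban", "routing number", "account number", "swift code"),
}

# Regex classifiers for key material and device configuration (approximations);
# group 1 captures the sensitive token so the report can redact it
REGEX_CLASSIFIERS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"),
    "rsa_private_key": re.compile(r"(-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----)"),
    "cisco_enable_secret": re.compile(r"(?m)^enable (?:secret|password)(?: \d)? (\S+)"),
}


def redact(token):
    """Keep a short prefix and the length; the secret itself never reaches the report."""
    return f"{token[:4]}...({len(token)} chars)"


def classify_object(key, body):
    """Return sorted labels for one object: extension:*, theme:*, content:*."""
    labels = set()
    ext = os.path.splitext(key)[1].lower()
    if ext in FLAGGED_EXTENSIONS:
        labels.add(f"extension:{ext}")
    lowered = body.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in lowered for w in words):
            labels.add(f"theme:{theme}")
    for name, rx in REGEX_CLASSIFIERS.items():
        if rx.search(body):
            labels.add(f"content:{name}")
    return sorted(labels)


def report(objects):
    """Scan a {key: body} mapping; only objects with at least one label are
    reported, with redacted evidence for every regex hit."""
    out = {}
    for key, body in objects.items():
        labels = classify_object(key, body)
        if not labels:
            continue
        evidence = {}
        for name, rx in REGEX_CLASSIFIERS.items():
            m = rx.search(body)
            if m:
                evidence[name] = redact(m.group(1))
        out[key] = {"labels": labels, "evidence": evidence}
    return out


SAMPLE_OBJECTS = {  # constructed bucket contents; credentials are AWS doc placeholders
    "config/prod.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "keys/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAexamplebodytruncated\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "network/router.cfg": "hostname edge-router\n!\nenable secret 5 $1$abcd$EXAMPLEHASH\n",
    "docs/expenses.txt": "Q3 travel was paid with the corporate Visa card ending 4242.\n",
    "backup/dump.sql": "CREATE TABLE users (id INT, email TEXT);\n",
    "docs/readme.txt": "Deployment notes for the web tier.\n",
}

if __name__ == "__main__":
    for key, finding in report(SAMPLE_OBJECTS).items():
        print(key, finding["labels"], finding["evidence"])
```

Substring keyword themes are deliberately crude (a word like "advisable" contains "visa"), which is why a real classifier weights keyword themes lower than regex hits on key material; the labels here are kept separate so a consumer can apply that weighting.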