# Other
## GuardDuty
- Analyzes selected logs to produce observable records of suspicious activities (findings)
  - VPC Flow Logs (does not require you to enable VPC Flow Logs)
  - CloudTrail (does not require you to create a trail)
  - DNS queries (from VPC DNS resolvers)
- Regional: can aggregate via CloudWatch Events to push to a central store
- Based on threat intelligence (IP address and domain-based lists) and machine learning
- Receives feeds from 3rd parties like Proofpoint, CrowdStrike, and AWS Security for known malicious domains/IP addresses
- Sample malicious behaviour flagged
  - Unusual API calls, calls from a known malicious IP
  - Attempts to disable CloudTrail logging
  - Unauthorized deployments
  - Compromised instances
  - Reconnaissance by attackers
  - Port scanning, failed logins
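The per-region rule plus central-store pattern described above, worked through as an added example (not code from the original notes): an EventBridge rule pattern to deploy in every region, a severity banding function, and an aggregator that dedupes re-delivered findings. The event envelope follows the documented GuardDuty-to-EventBridge shape (source `aws.guardduty`, detail-type `GuardDuty Finding`); the severity bands are assumed to follow the console labels; the sample events, account ID and finding IDs are constructed.

```python
"""Added example (not part of the original notes): aggregate GuardDuty findings
delivered through EventBridge (formerly CloudWatch Events) from several regions
into one record shape for a central store, and band the numeric severity.

Assumptions: the envelope follows the documented GuardDuty-to-EventBridge shape
(source "aws.guardduty", detail-type "GuardDuty Finding", finding JSON under
"detail"); the severity bands follow the GuardDuty console (Low 1.0-3.9,
Medium 4.0-6.9, High 7.0-8.9, Critical 9.0 and above); the events below are
constructed samples, not real findings.
"""
import json

# Pattern for an EventBridge rule deployed in every region where GuardDuty is
# enabled; the rule's target is the central store (assumed architecture).
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def severity_band(score):
    """Map GuardDuty's numeric severity (1.0-10.0) to the console's label."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def matches_pattern(event, pattern):
    """Minimal EventBridge-style match: each pattern key must carry a listed value."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def normalize_finding(event):
    """Flatten the envelope plus the finding fields a central store queries on."""
    finding = event["detail"]
    return {
        "finding_id": finding["id"],
        "account": event["account"],
        "region": event["region"],
        "type": finding["type"],
        "severity": finding["severity"],
        "band": severity_band(finding["severity"]),
        "resource_type": finding["resource"]["resourceType"],
        "count": finding["service"]["count"],
        "updated_at": finding["updatedAt"],
    }


def aggregate(events):
    """Drop non-GuardDuty events, keep the newest update per finding id
    (updated findings are re-delivered, see the delivery table), and order
    by severity so the central view surfaces the worst first."""
    latest = {}
    for event in events:
        if not matches_pattern(event, GUARDDUTY_RULE_PATTERN):
            continue
        record = normalize_finding(event)
        previous = latest.get(record["finding_id"])
        if previous is None or record["updated_at"] > previous["updated_at"]:
            latest[record["finding_id"]] = record
    return sorted(latest.values(), key=lambda r: r["severity"], reverse=True)


def _sample_event(region, finding_id, finding_type, severity, count, updated_at):
    """Constructed GuardDuty finding envelope (trimmed to the fields used above)."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "account": "111122223333",
        "region": region,
        "detail": {
            "id": finding_id,
            "type": finding_type,
            "severity": severity,
            "updatedAt": updated_at,
            "resource": {"resourceType": "Instance"},
            "service": {"count": count},
        },
    }


# Constructed sample: two regions, one finding re-delivered after an update,
# and an unrelated EC2 event that the rule pattern must reject.
SAMPLE_EVENTS = [
    _sample_event("us-east-1", "f-aaa", "Recon:EC2/PortProbeUnprotectedPort", 2.0, 1, "2024-01-01T00:00:00Z"),
    _sample_event("eu-west-1", "f-bbb", "UnauthorizedAccess:EC2/SSHBruteForce", 5.0, 1, "2024-01-01T00:05:00Z"),
    _sample_event("eu-west-1", "f-bbb", "UnauthorizedAccess:EC2/SSHBruteForce", 5.0, 3, "2024-01-01T06:05:00Z"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "detail": {}},
]

if __name__ == "__main__":
    print(json.dumps(aggregate(SAMPLE_EVENTS), indent=2))
```

The dedupe step matters in practice: because GuardDuty re-delivers an updated finding (with an incremented `service.count`) rather than a new one, a central store that appends blindly double-counts the same attack.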
### Components
Component | Description |
---|---|
Detector | |
Finding | |
Master Account | |
### Delivery of Findings
Type | Description |
---|---|
Archive | |
GuardDuty Console | Last 90 days |
S3 | |
CloudWatch Events | Sends new findings to CloudWatch Events every 5 minutes, and updated findings every 6 hours (default) |
## Inspector
- Evaluates the security status of EC2, ECR, and Lambda
- Automatically assesses applications for vulnerabilities or deviations from best practices
- Uses automated reasoning to analyze network access policies and alert about breaches
### Information gathering
Gathering Level | Assessment Type | Description |
---|---|---|
Network | Network Assessment | Network reachability: enumerates which ports are accessible from outside the VPC (and, with agents, which process is listening on those ports) |
OS & apps | Host Assessment | |
### Components
Component | Description |
---|---|
Rule | |
Rule Packages | |
Assessment Target | List of EC2 instances (can filter by tags) |
Assessment Template | |
Assessment Run | Contains the results (findings) of each Assessment Template run |
Finding | |
### Delivery of Findings
Delivery Type | Description |
---|---|
PDF/HTML Report | |
Stream | |
## Security Hub
- Centralizes security-related alerts across accounts and provides a UI for viewing them
- The biggest limitation is that it does not centralize alerts across regions, only across accounts
- Findings from:
  - GuardDuty
  - Config
  - Inspector
  - Macie
  - Firewall Manager
  - IAM Access Analyzer
  - third party
  - self-generated against CIS standards
### Components
Component | Description |
---|---|
Security Standard | |
Workflow | |
Insights | Filters and groupings that show affected resources in groups to facilitate analysis |
### Delivery
- Security Hub integrates with EventBridge at two levels
  - EventBridge captures in the default bus the findings reported by Security Hub
  - Configure custom actions
    - Configure a unique ID related to a custom action name, and a custom action to execute
    - Security Hub will report an event to EventBridge, sending the findings or insights information in conjunction with an attribute to distinguish this event as a custom action and another attribute including the custom action's unique ID
- You can apply a custom action for up to 20 findings and up to 100 resource identifiers (from insights) at the same time
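The custom-action flow above, as an added example that is not part of the original notes: the EventBridge rule pattern keyed on the two attributes the notes mention (the detail-type that marks the event as a custom action, and the action's ARN built from its unique ID), plus a handler of the kind a Lambda remediation target would run. The event shape is the documented one but is assumed here; the region, account, action ID, action name and the finding inside the sample event are all constructed.

```python
"""Added example (not part of the original notes): an EventBridge rule pattern
and a handler for a Security Hub custom action. Assumed mapping of the two
attributes the notes describe onto the documented event envelope: detail-type
"Security Hub Findings - Custom Action" marks the event as a custom action,
and the custom action's ARN (built from its unique ID) appears in "resources".
The sample event, account, region and action ID are constructed.
"""

CUSTOM_ACTION_DETAIL_TYPE = "Security Hub Findings - Custom Action"
MAX_FINDINGS_PER_ACTION = 20  # limit quoted in the notes


def custom_action_arn(region, account_id, action_id):
    """ARN Security Hub assigns to a custom action with the given unique ID."""
    return f"arn:aws:securityhub:{region}:{account_id}:action/custom/{action_id}"


def rule_pattern(region, account_id, action_id):
    """Event pattern for a rule that fires only for this one custom action."""
    return {
        "source": ["aws.securityhub"],
        "detail-type": [CUSTOM_ACTION_DETAIL_TYPE],
        "resources": [custom_action_arn(region, account_id, action_id)],
    }


def handle_custom_action(event, expected_arn):
    """Validate the envelope, then return what a remediation target needs:
    the action name plus each finding's id, product, severity and resource ids."""
    if event.get("source") != "aws.securityhub" or event.get("detail-type") != CUSTOM_ACTION_DETAIL_TYPE:
        raise ValueError("not a Security Hub custom action event")
    if expected_arn not in event.get("resources", []):
        raise ValueError("event belongs to a different custom action")
    findings = event["detail"]["findings"]  # ASFF-formatted findings
    if len(findings) > MAX_FINDINGS_PER_ACTION:
        raise ValueError(f"custom actions carry at most {MAX_FINDINGS_PER_ACTION} findings")
    return {
        "action": event["detail"]["actionName"],
        "findings": [
            {
                "id": f["Id"],
                "product_arn": f["ProductArn"],
                "severity": f["Severity"]["Label"],
                "resources": [r["Id"] for r in f["Resources"]],
            }
            for f in findings
        ],
    }


# Constructed sample: one finding selected in the console and sent to the
# hypothetical custom action "isolate-instance".
REGION, ACCOUNT, ACTION_ID = "us-east-1", "111122223333", "isolate-instance"
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": CUSTOM_ACTION_DETAIL_TYPE,
    "region": REGION,
    "account": ACCOUNT,
    "resources": [custom_action_arn(REGION, ACCOUNT, ACTION_ID)],
    "detail": {
        "actionName": "Isolate instance",
        "actionDescription": "Move the instance into a quarantine security group",
        "findings": [
            {
                "Id": "arn:aws:guardduty:us-east-1:111122223333:detector/EXAMPLE/finding/EXAMPLE1",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
                "Severity": {"Label": "HIGH"},
                "Resources": [
                    {"Type": "AwsEc2Instance",
                     "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}
                ],
            }
        ],
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(rule_pattern(REGION, ACCOUNT, ACTION_ID), indent=2))
    print(json.dumps(handle_custom_action(SAMPLE_EVENT, custom_action_arn(REGION, ACCOUNT, ACTION_ID)), indent=2))
```

Matching on the action ARN in `resources`, rather than only on the detail-type, is what keeps one remediation target from reacting to every custom action an analyst clicks; the handler repeats that check so a mis-scoped rule cannot trigger the wrong action.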
### Remediation
Approach | Description |
---|---|
Manual | |
Semi-Automatic | Use predefined custom actions |
Automatic | |
## Detective
- General Info
  - Continuously extracts temporal events such as login attempts, API calls, and network traffic from GuardDuty, CloudTrail, and VPC Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment
  - Automatically correlates user activity without the need for you to enable, store, or retain logs manually
## Trusted Advisor
- Makes recommendations on cost reduction, reliability, performance, and security
- Monitors how close you are to reaching service limits
- Needs a Business or Enterprise support plan for all features
- Operations
  - Checks resources throughout all regions
  - It is enabled or disabled at the account level
- Exclusions
  - Can exclude resources from all checks
  - Can't suppress individual checks
### Checks
Categories | Core Checks | Security Checks |
---|---|---|
| | |
| | |
| | |
## Macie
- General Info
  - Security service that uses machine learning and NLP (natural language processing) to discover, classify and protect sensitive data stored in S3
  - Works directly with data stored in S3, but can also analyze CloudTrail logs
- Characteristics
  - Monitors
    - Personally Identifiable Information (PII), Personal Health Information (PHI), regulatory documents (legal, financial), API keys and secret key material
    - Watches policy and ACL changes
    - Watches access patterns via CloudTrail
  - Data classifications
    - by content type (JSON, PDF, Excel, TAR/ZIP, source code, XML)
    - by theme (AMEX/Visa/Mastercard card keywords, banking/financial keywords, hacker and web exploitation keywords)
    - by file extension (.bin, .c, .bat, .exe, .html, .sql)
    - by regular expression (aws_secret_key, RSA private key, SWIFT code, Cisco router config)
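The four classification axes listed above, worked through as an added example that is not part of the original notes and not Macie's actual rule set: a miniature classifier that labels S3-object-like samples by content type, theme keywords, file extension and regular expression, with a Luhn check so that a run of digits only counts as a card number when the checksum holds. The detectors, labels and sample objects are constructed; the access key and secret inside the JSON sample are the documented AWS example values.

```python
"""Added example (not part of the original notes): a miniature classifier that
applies the four classification axes listed above (content type, theme
keywords, file extension, regular expression) to S3-object-like samples. The
detectors, labels and sample objects are constructed for illustration and are
not Macie's actual rule set; the AWS access key and secret used below are the
documented AWS example values.
"""
import json
import os
import re

EXTENSION_LABELS = {
    ".bin": "binary", ".c": "source_code", ".bat": "script",
    ".exe": "executable", ".html": "web", ".sql": "database",
}

THEME_KEYWORDS = {
    "payment_card": ("visa", "mastercard", "amex", "american express"),
    "banking": ("iban", "swift", "routing number", "sort code"),
}

REGEX_DETECTORS = {
    # AWS access key IDs: 20 uppercase alphanumerics starting AKIA (long-term) or ASIA (temporary)
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # 13-16 digits, optionally separated by spaces or dashes; confirmed with Luhn below
    "payment_card_number": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers (digits: string of 0-9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def content_type(body):
    """Cheap content sniffing standing in for the content-type axis."""
    stripped = body.lstrip()
    if stripped.startswith(("{", "[")):
        try:
            json.loads(stripped)
            return "json"
        except ValueError:
            pass
    if stripped.startswith("<"):
        return "xml"
    if stripped.startswith("-----BEGIN"):
        return "pem"
    return "text"


def classify(key, body):
    """Return the content type and the sorted set of labels for one object."""
    labels = set()
    ext = os.path.splitext(key)[1].lower()
    if ext in EXTENSION_LABELS:
        labels.add("ext:" + EXTENSION_LABELS[ext])
    lowered = body.lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in lowered for w in words):
            labels.add("theme:" + theme)
    for name, pattern in REGEX_DETECTORS.items():
        for match in pattern.finditer(body):
            if name == "payment_card_number" and not luhn_valid(re.sub(r"\D", "", match.group())):
                continue  # digit run that fails the checksum is not a card number
            labels.add("regex:" + name)
    return {"key": key, "content_type": content_type(body), "labels": sorted(labels)}


def classify_all(objects):
    """Classify a mapping of object key -> text body."""
    return [classify(key, body) for key, body in objects.items()]


# Constructed sample objects (the second card number deliberately fails Luhn).
SAMPLE_OBJECTS = {
    "config/app.json": '{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", '
                       '"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}',
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "finance/cards.csv": "customer,visa card\nalice,4111 1111 1111 1111\nbob,1234 5678 9012 3456\n",
    "src/main.c": "int main(void) { return 0; }\n",
}

if __name__ == "__main__":
    for record in classify_all(SAMPLE_OBJECTS):
        print(record)
```

The Luhn step is the part worth copying into any home-grown scanner: a bare 13-16 digit regex fires on order numbers, timestamps and hashes, so the checksum is what keeps the "payment card" label meaningful.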
## Audit Manager
- General Info
  - Provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you prepare for an audit
## Control Tower
- General Info
  - Helps you create new accounts and establish a security baseline for AWS accounts
  - This cannot be used if you already use AWS Organizations or if you previously used Landing Zone