Which AWS service provides threat detection by monitoring for malicious activities?

In part 1 of this two-part series, How to detect security issues in Amazon EKS cluster using Amazon GuardDuty, we walked through a real-world observed security issue in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and saw how Amazon GuardDuty detected each phase by following MITRE ATT&CK tactics. In this blog post, […]

In this two-part blog post, we’ll discuss how to detect and investigate security issues in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon GuardDuty and Amazon Detective. Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run and scale container workloads by using Kubernetes in the AWS […]

Register now with discount code SALXTDVaB7y to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. Today we’re going to highlight just some of the sessions focused on threat detection and incident response that are planned for AWS re:Inforce 2022. AWS re:Inforce is a learning […]

In the week leading up to AWS re:Invent 2021, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at Amazon Web Services (AWS), and what do you do in your current role? I’ve been at AWS nearly 4 […]

May 10, 2022: The Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper has been archived, so we have updated the link in this blog post accordingly. AWS recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. This whitepaper aligns the National Institute of […]

September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. Amazon GuardDuty is an automated threat detection service that continuously monitors for suspicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. In this post, I’ll share how you can use GuardDuty with […]

The Security Operations Center (SOC) has a tough job. As customers modernize and shift to cloud architectures, the ability to monitor, detect, and respond to risks poses different challenges. In this post we address how Amazon GuardDuty can address some common concerns of the SOC regarding the number of security tools and the overhead to […]

AWS recently released the AWS Security Incident Response whitepaper, to help you understand the fundamentals of responding to security incidents within your cloud environment. The whitepaper reviews how to prepare your organization for detecting and responding to security incidents, explores the controls and capabilities at your disposal, provides topical examples, and outlines remediation methods that […]

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Given the many log types that Amazon GuardDuty analyzes (Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and DNS logs), you never know what it might discover in your […]

We’re relentlessly innovating on your behalf at AWS, especially when it comes to security. Last November, we launched Amazon GuardDuty, a continuous security monitoring and threat detection service that incorporates threat intelligence, anomaly detection, and machine learning to help protect your AWS resources, including your AWS accounts. Many large customers, including General Electric, Autodesk, and […]

Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.

Resources

Threat management in the cloud: Amazon GuardDuty and AWS Security Hub
Remediating Amazon GuardDuty and AWS Security Hub Findings
Centrally Monitoring Resource Configuration and Compliance
Setting up Amazon GuardDuty
AWS Security Hub
Amazon CloudWatch
Getting started: Amazon CloudWatch Logs
Amazon EventBridge
AWS Config
AWS Answers: Centralized Logging
Security Partner Solutions: Logging and Monitoring

Best Practices:

  • Configure service and application logging: Configure logging throughout the workload, including application logs, resource logs, and AWS service logs. For example, ensure that AWS CloudTrail, Amazon CloudWatch Logs, Amazon GuardDuty and AWS Security Hub are enabled for all accounts within your organization.

  • Analyze logs, findings, and metrics centrally: All logs, metrics, and telemetry should be collected centrally and automatically analyzed to detect anomalies and indicators of unauthorized activity. A dashboard can give you easily accessible insight into real-time health. For example, ensure that Amazon GuardDuty and Security Hub findings are sent to a central location for alerting and analysis.

  • Automate response to events: Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. For example, automate responses to Amazon GuardDuty events by automating the first investigation step, then iterate to gradually remove human effort.

  • Implement actionable security events: Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For example, ensure that Amazon GuardDuty and AWS Security Hub alerts are sent to the team to action, or sent to response automation tooling with the team remaining informed by messaging from the automation framework.

Improvement Plan

Configure service and application logging

  • Enable logging of AWS services: Enable the logging of AWS services to meet your requirements. Logging capabilities include the following: VPC Flow Logs, Elastic Load Balancing access logs, S3 server access logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs.
    AWS Answers: native AWS security-logging capabilities
  • Evaluate and enable logging of operating systems and application-specific logs: Evaluate and enable operating system and application-specific logging so that suspicious behavior on the host and in the application can be detected.
    Getting started with CloudWatch Logs
    Developer Tools/Log Analysis
  • Apply appropriate controls to the logs: Logs can contain sensitive information and only authorized users should have access. Consider restricting permissions to S3 buckets and CloudWatch Logs log groups.
    Authentication and Access Control for Amazon CloudWatch
    Identity and access management in Amazon S3
  • Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously looks for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts to email using the lab.
    Amazon GuardDuty
    Lab: Automated Deployment of Detective Controls
  • Configure customized trail in CloudTrail: Configuring a trail enables you to store logs for longer than the default period, and analyze them later.
    Creating a trail in CloudTrail
    Lab: Automated Deployment of Detective Controls
  • Enable AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were previously configured so that you can see how the configurations and relationships change over time.
    AWS Config
    Lab: Automated Deployment of Detective Controls
  • Enable AWS Security Hub: AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your compliance with the security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.
    AWS Security Hub

Analyze logs, findings, and metrics centrally

  • Evaluate log processing capabilities: Evaluate the options that are available for processing logs.
    Use Amazon Elasticsearch Service (now Amazon OpenSearch Service) to log and monitor (almost) everything
    Find a partner that specializes in logging and monitoring solutions
  • Test Amazon Athena as a starting point for analyzing CloudTrail logs: Athena runs SQL queries directly against the CloudTrail log files in your S3 bucket, so you can search for specific API calls, principals, or source IP addresses without first loading the logs elsewhere.
    Configuring Athena to analyze CloudTrail logs
  • Implement centralized logging in AWS: AWS example solution to centralize logging from multiple sources.
    Centralize logging solution
  • Implement centralized logging with a partner: APN Partners have solutions to help you analyze logs centrally.
    Logging and Monitoring
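
The "Analyze logs, findings, and metrics centrally" best practice and the improvement-plan items above describe automatic analysis of collected logs for indicators of unauthorized activity. The following is an added example for this page, not AWS code: it runs a small set of detections over CloudTrail records (three failed console logins from one IP, calls that weaken detection such as StopLogging and DeleteDetector, and root account activity). The records are constructed for the example and follow the CloudTrail record format; in practice the same function would be fed records read from the trail's S3 bucket or rows returned by an Athena query.

```python
"""Detect indicators of unauthorized activity in CloudTrail records.

Added example for this page, not AWS code. The records are constructed
here and follow the CloudTrail record format; in practice feed
find_indicators() the records read from the trail's S3 bucket or the
rows returned by an Athena query over them.
"""
import json
from collections import Counter

ACCOUNT = "111122223333"  # constructed account ID


def _record(source, name, ident, **extra):
    """Build a minimal CloudTrail record containing only the fields the detector reads."""
    rec = {"eventTime": "2024-05-01T10:00:00Z", "eventSource": source,
           "eventName": name, "awsRegion": "us-east-1",
           "sourceIPAddress": "198.51.100.10", "userIdentity": ident}
    rec.update(extra)
    return rec


USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"}
ROLE = {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Deploy/ci"}
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"}

# Constructed sample log: three failed console logins from one IP, two calls
# that weaken detection (one succeeded, one denied), one root API call and
# one benign call from a CI role.
SAMPLE_LOG = json.dumps({"Records": [
    *[_record("signin.amazonaws.com", "ConsoleLogin", USER, sourceIPAddress="203.0.113.7",
              responseElements={"ConsoleLogin": "Failure"}, errorMessage="Failed authentication")
      for _ in range(3)],
    _record("cloudtrail.amazonaws.com", "StopLogging", USER, requestParameters={"name": "org-trail"}),
    _record("guardduty.amazonaws.com", "DeleteDetector", USER, errorCode="AccessDenied"),
    _record("ec2.amazonaws.com", "DescribeInstances", ROOT),
    _record("s3.amazonaws.com", "ListBuckets", ROLE),
]})

# API calls that reduce visibility: a success is an incident, a denied attempt is a lead.
DEFENSE_EVASION = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("guardduty.amazonaws.com", "DeleteDetector"),
    ("guardduty.amazonaws.com", "UpdateDetector"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteConfigurationRecorder"),
}
FAILED_LOGIN_THRESHOLD = 3


def load_records(log_text):
    """Parse a CloudTrail log file (a JSON object with a 'Records' list)."""
    return json.loads(log_text)["Records"]


def find_indicators(records, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Return one dict per indicator found, carrying the fields an alert needs."""
    findings = []
    failed_logins = Counter()
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn", ident.get("type", "unknown"))
        base = {"actor": actor, "time": r.get("eventTime"), "region": r.get("awsRegion"),
                "source_ip": r.get("sourceIPAddress"), "event": r.get("eventName")}
        if (r.get("eventSource"), r.get("eventName")) in DEFENSE_EVASION:
            # A successful call has no errorCode; a denied one still shows intent.
            findings.append({**base, "indicator": "defense_evasion",
                             "succeeded": "errorCode" not in r})
        if ident.get("type") == "Root":
            findings.append({**base, "indicator": "root_activity"})
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failed_logins[(r.get("sourceIPAddress"), actor)] += 1
    for (ip, actor), n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append({"indicator": "console_login_failures", "actor": actor,
                             "source_ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for finding in find_indicators(load_records(SAMPLE_LOG)):
        print(finding)
```

The three detections are deliberately simple; the point is that each finding carries the actor, time, region, source IP and event name, which is what the "Implement actionable security events" practice asks for. The failed-login threshold is a per-IP, per-principal count with no time window, which is fine for a single log file but should be windowed when run continuously.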

Automate response to events

  • Implement automated alerting with Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts.
    Lab: Automated Deployment of Detective Controls
  • Automate investigation processes: Develop automated processes that investigate an event and report information to an administrator to save time.
    Lab: Amazon GuardDuty hands on
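
The "Automate response to events" and "Implement actionable security events" best practices, and the two items above, describe automating the first investigation step for a GuardDuty finding while keeping the team informed. The following is an added example for this page, not AWS's or the lab's code. It shows the EventBridge rule pattern that forwards only findings at or above a chosen severity, a triage function that turns the finding into an actionable message, and a Lambda handler that contains a High-severity finding on an EC2 instance by swapping its security groups for an empty quarantine group. The event shape follows GuardDuty's EventBridge integration (source "aws.guardduty", detail-type "GuardDuty Finding", finding JSON under "detail"); the sample finding, the quarantine security group ID and the severity threshold are assumptions.

```python
"""Triage a GuardDuty finding delivered by EventBridge and take the first
automated step; everything else is handed to a human with the facts attached.

Added example for this page, not AWS's or the lab's code. The event shape is
GuardDuty's EventBridge integration (source "aws.guardduty", detail-type
"GuardDuty Finding", the finding JSON under "detail"). The sample finding,
the quarantine security group and the severity threshold are assumptions.
"""

QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: a security group with no inbound/outbound rules
ISOLATE_AT = 7.0                         # GuardDuty bands: Low <4, Medium 4-6.9, High 7-8.9, Critical 9+

# Constructed finding event, shaped like what the EventBridge rule delivers to Lambda.
SAMPLE_FINDING_EVENT = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "account": "111122223333", "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333", "region": "us-east-1",
        "id": "1ab23456c7890d1234ef5678ab90cd12",
        "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
        "title": "EC2 instance i-0abc1234def567890 is querying a domain associated with a known C&C server.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc1234def567890"}},
        "service": {"count": 3},
    },
}


def event_pattern(min_severity=ISOLATE_AT):
    """EventBridge rule pattern that forwards only findings at or above min_severity."""
    return {"source": ["aws.guardduty"],
            "detail-type": ["GuardDuty Finding"],
            "detail": {"severity": [{"numeric": [">=", min_severity]}]}}


def severity_label(score):
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def triage(event):
    """Decide the first step and build the message the on-call team receives."""
    d = event["detail"]
    resource = d.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    label = severity_label(d["severity"])
    if d["severity"] >= ISOLATE_AT and resource.get("resourceType") == "Instance" and instance_id:
        action = "isolate_instance"   # contain first; investigate with the instance intact
    elif d["severity"] >= ISOLATE_AT:
        action = "page_oncall"        # high severity on a resource this handler cannot contain
    else:
        action = "open_ticket"
    message = (f"[{label}] {d['type']} in account {d['accountId']} ({d['region']}), "
               f"finding {d['id']}, seen {d.get('service', {}).get('count', 1)}x. "
               f"Resource: {resource.get('resourceType')} {instance_id or ''}. "
               f"{d.get('title', '')} Action: {action}.")
    return {"action": action, "severity": label, "instance_id": instance_id, "message": message}


class RecordingEC2:
    """Stand-in for boto3.client('ec2') so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)


def lambda_handler(event, context=None, ec2=None):
    """Lambda entry point for the EventBridge rule. Pass ec2=boto3.client('ec2')
    to actually contain instances; with ec2=None the decision is returned but
    nothing is changed (dry run)."""
    decision = triage(event)
    decision["contained"] = False
    if decision["action"] == "isolate_instance" and ec2 is not None:
        # Replacing the instance's security groups with the empty quarantine group cuts
        # its traffic without stopping it, so memory and disk remain available for forensics.
        ec2.modify_instance_attribute(InstanceId=decision["instance_id"], Groups=[QUARANTINE_SG])
        decision["contained"] = True
    return decision


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_FINDING_EVENT, ec2=RecordingEC2())["message"])
```

Two caveats when wiring this up for real: the Lambda role needs ec2:ModifyInstanceAttribute (scoped to the account's instances) and the quarantine group must exist in every VPC the finding can reference; and ModifyInstanceAttribute with Groups replaces the groups on the instance's primary network interface, so instances with additional interfaces need each interface handled. Whatever the action, the message is sent to the team, which is how the automation keeps humans informed as the best practice asks.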

Implement actionable security events

  • Discover metrics available for AWS services: Discover the metrics that are available through CloudWatch for the services that you are using.
    AWS service documentation
    Using Amazon CloudWatch Metrics
  • Configure Amazon CloudWatch alarms: Create alarms on the metrics you identified so that your team is notified when a threshold is crossed.
    Using Amazon CloudWatch Alarms