In part 1 of this two-part series, How to detect security issues in Amazon EKS cluster using Amazon GuardDuty, we walked through a real-world observed security issue in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster and saw how Amazon GuardDuty detected each phase by following MITRE ATT&CK tactics. In this blog post, […]
In this two-part blog post, we’ll discuss how to detect and investigate security issues in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon GuardDuty and Amazon Detective. Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run and scale container workloads by using Kubernetes in the AWS […]
Register now with discount code SALXTDVaB7y to get $150 off your full conference pass to AWS re:Inforce. For a limited time only and while supplies last. Today we’re going to highlight just some of the sessions focused on threat detection and incident response that are planned for AWS re:Inforce 2022. AWS re:Inforce is a learning […]
In the week leading up to AWS re:Invent 2021, we’ll share conversations we’ve had with people at AWS who will be presenting, and get a sneak peek at their work. How long have you been at Amazon Web Services (AWS), and what do you do in your current role? I’ve been at AWS nearly 4 […]
May 10, 2022: The Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper has been archived, so we have updated the link in this blog post accordingly. AWS recently released the Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) whitepaper. This whitepaper aligns the National Institute of […]
September 9, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details. Amazon GuardDuty is an automated threat detection service that continuously monitors for suspicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. In this post, I’ll share how you can use GuardDuty with […]
The Security Operations Center (SOC) has a tough job. As customers modernize and shift to cloud architectures, the ability to monitor, detect, and respond to risks poses different challenges. In this post we discuss how Amazon GuardDuty can address some common concerns of the SOC regarding the number of security tools and the overhead to […]
AWS recently released the AWS Security Incident Response whitepaper, to help you understand the fundamentals of responding to security incidents within your cloud environment. The whitepaper reviews how to prepare your organization for detecting and responding to security incidents, explores the controls and capabilities at your disposal, provides topical examples, and outlines remediation methods that […]
Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Given the many log types that Amazon GuardDuty analyzes (Amazon Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and DNS logs), you never know what it might discover in your […]
We’re relentlessly innovating on your behalf at AWS, especially when it comes to security. Last November, we launched Amazon GuardDuty, a continuous security monitoring and threat detection service that incorporates threat intelligence, anomaly detection, and machine learning to help protect your AWS resources, including your AWS accounts. Many large customers, including General Electric, Autodesk, and […]
Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.
Resources
Threat management in the cloud: Amazon GuardDuty and AWS Security Hub
Remediating Amazon GuardDuty and AWS Security Hub Findings
Centrally Monitoring Resource Configuration and Compliance
Setting up Amazon GuardDuty
AWS Security Hub
Amazon CloudWatch
Getting started: Amazon CloudWatch Logs
Amazon EventBridge
AWS Config
AWS Answers: Centralized Logging
Security Partner Solutions: Logging and Monitoring
Best Practices:
- Configure service and application logging: Configure logging throughout the workload, including application logs, resource logs, and AWS service logs. For example, ensure that AWS CloudTrail, Amazon CloudWatch Logs, Amazon GuardDuty, and AWS Security Hub are enabled for all accounts within your organization.
- Analyze logs, findings, and metrics centrally: All logs, metrics, and telemetry should be collected centrally and automatically analyzed to detect anomalies and indicators of unauthorized activity. A dashboard can give you easy-to-access insight into real-time health. For example, ensure that Amazon GuardDuty and Security Hub findings are sent to a central location for alerting and analysis.
- Automate response to events: Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools and continuously iterate. For example, automate responses to Amazon GuardDuty events by automating the first investigation step, then iterate to gradually remove human effort.
- Implement actionable security events: Create alerts that are sent to and can be actioned by your team. Ensure that alerts include the information the team needs to take action. For example, ensure that Amazon GuardDuty and AWS Security Hub alerts are sent to the team to action, or sent to response automation tooling with the team kept informed by messaging from the automation framework.
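The two best practices above, automating the first response step and making alerts actionable, are illustrated by the following added example. It is not code from the original page or from AWS; it is a Lambda-style handler for a GuardDuty finding as EventBridge delivers it (source `aws.guardduty`, detail-type `GuardDuty Finding`). The sample event is constructed (fake account, detector, finding and instance IDs), the tag key `SecurityTriage` and the severity threshold are assumptions, and the EC2 client is injected so the module runs offline; in a real deployment the handler would create a boto3 client itself.

```python
"""Triage an Amazon GuardDuty finding delivered through Amazon EventBridge.

Added example, not from the original page: turns a finding into an actionable
alert and performs one reversible first step (tagging the affected instance).
"""
import copy
import json

# Constructed sample event in the EventBridge shape for a GuardDuty finding.
# Account, detector, finding and instance IDs are fake; the finding type is a
# real GuardDuty type. 198.51.100.23 is a documentation address.
SAMPLE_EVENT = {
    "version": "0",
    "id": "7bf73129-1428-4cd3-a780-95db273d1602",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "time": "2022-05-10T12:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "0ab1cdef23456789abcdef0123456789",
        "arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d0c1234/"
               "finding/0ab1cdef23456789abcdef0123456789",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "title": "198.51.100.23 is performing SSH brute force attacks against "
                 "i-0123456789abcdef0.",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"serviceName": "guardduty", "count": 3},
    },
}


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented label bands."""
    if score >= 7.0:
        return "High"      # 7.0 - 8.9
    if score >= 4.0:
        return "Medium"    # 4.0 - 6.9
    return "Low"           # 1.0 - 3.9


def build_alert(event):
    """Pull out what a responder needs so the alert is actionable on its own."""
    d = event["detail"]
    resource = d.get("resource", {})
    instance = resource.get("instanceDetails", {})
    return {
        "account": d["accountId"],
        "region": d["region"],
        "finding_type": d["type"],
        "severity": severity_label(d["severity"]),
        "resource_type": resource.get("resourceType"),
        "resource_id": instance.get("instanceId"),
        "occurrences": d.get("service", {}).get("count", 1),
        "finding_arn": d["arn"],
        "title": d.get("title", ""),
    }


def first_response(event, ec2_client):
    """Automated first step: tag high-severity EC2 findings for quarantine review.

    Tagging is reversible, so it is a safe place to start automating; the tag
    key and value are assumptions for this example. create_tags is a real
    boto3 EC2 call with this signature.
    """
    alert = build_alert(event)
    if alert["severity"] == "High" and alert["resource_type"] == "Instance":
        ec2_client.create_tags(
            Resources=[alert["resource_id"]],
            Tags=[{"Key": "SecurityTriage", "Value": "quarantine-candidate"}],
        )
        return "tag-for-quarantine"
    return "notify-only"


def handler(event, context=None, ec2_client=None):
    """Lambda entry point; a real deployment passes no ec2_client."""
    if ec2_client is None:
        import boto3  # imported lazily so the module loads without boto3
        ec2_client = boto3.client("ec2", region_name=event["detail"]["region"])
    alert = build_alert(event)
    alert["automated_action"] = first_response(event, ec2_client)
    print(json.dumps(alert, indent=2))  # stands in for SNS/chat/ticket delivery
    return alert


class RecordingEC2:
    """Stand-in for a boto3 EC2 client so the example runs without AWS access."""
    def __init__(self):
        self.tag_calls = []

    def create_tags(self, **kwargs):
        self.tag_calls.append(kwargs)
        return {}


def low_severity_event():
    """Same event as a medium-severity port probe, exercising the notify-only path."""
    e = copy.deepcopy(SAMPLE_EVENT)
    e["detail"]["type"] = "Recon:EC2/PortProbeUnprotectedPort"
    e["detail"]["severity"] = 5
    return e


if __name__ == "__main__":
    fake = RecordingEC2()
    handler(SAMPLE_EVENT, ec2_client=fake)
    handler(low_severity_event(), ec2_client=fake)
    print(f"create_tags called {len(fake.tag_calls)} time(s)")
```

Wiring this up means an EventBridge rule on `source: aws.guardduty` and `detail-type: GuardDuty Finding` targeting the Lambda function, with the function's role allowed to call `ec2:CreateTags` and nothing more. Start with the reversible step shown here, review what it tags, and only then extend the automation toward isolation or remediation.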
Improvement Plan
Configure service and application logging
AWS Answers: native AWS security-logging capabilities
Getting started with CloudWatch Logs
Developer Tools/Log Analysis
Authentication and Access Control for Amazon CloudWatch
Identity and access management in Amazon S3
Amazon GuardDuty
Lab: Automated Deployment of Detective Controls
Creating a trail in CloudTrail
Lab: Automated Deployment of Detective Controls
AWS Config
Lab: Automated Deployment of Detective Controls
AWS Security Hub
Analyze logs, findings, and metrics centrally
Use Amazon Elasticsearch Service to log and monitor (almost) everything
Find a partner that specializes in logging and monitoring solutions
Configuring Athena to analyze CloudTrail logs
Centralize logging solution
Logging and Monitoring
Automate response to events
Lab: Automated Deployment of Detective Controls
Lab: Amazon GuardDuty hands on
Implement actionable security events
AWS service documentation
Using Amazon CloudWatch Metrics
Using Amazon CloudWatch Alarms