AWS Safety Monitoring in 2023: Untangle the chaos

by admin
May 15, 2025
in AWS

AWS security monitoring is a set of practices, tools, and processes designed to detect and respond to security threats and vulnerabilities across the Amazon Web Services (AWS) cloud environment. Sounds simple? In this blog post, I share how I use a selection (but not all) of AWS services to detect issues quickly and alert someone in charge to resolve them.

Untangle the chaos

Available AWS services

AWS is complex. Multiple services compete for your attention when you try to understand the basics of security monitoring. Let me untangle the chaos by grouping the related AWS services/capabilities into three groups (visually and textually). After that, I'll present my selection of AWS services.

I came up with the following three groups:

  1. Sources of information: Provide raw security events or data that we can analyze. Usually, the volume is very high and overwhelming. Low-level findings also fall into this category.
  2. Best practices and anomaly detection: Create higher-level findings by analyzing raw security events and data, using predefined best practices or machine learning to detect unusual patterns.
  3. Aggregation: Correlate and aggregate findings with all kinds of information and present them in a human-friendly way.

Some AWS services belong to multiple groups. E.g., AWS Security Hub checks for best practices and aggregates findings in a human-friendly way.

Visual grouping of AWS security services and capabilities

The following sources of information can be used to monitor security-related activity in your AWS account:

  • AWS API (the current configuration of each resource can be requested)
  • AWS Config configuration item
  • AWS CloudTrail management and data event
  • Amazon VPC Flow Logs
  • Amazon Route 53 DNS query logs
  • AWS Health event
  • Amazon Inspector vulnerability finding
  • Amazon Macie sensitive data finding
  • Amazon ECR Basic scanning finding
  • AWS IoT Device Defender Detect finding

The following AWS services/capabilities check the above sources against best practices or analyze them to detect anomalies. The following table lists the services and the sources they use.

| AWS service/capability                 | AWS API | Config item | Config rule | CloudTrail event | VPC Flow Logs | Route 53 DNS query logs |
| AWS Config rule                        | no      | yes         | x           | no               | no            | no                      |
| Amazon Macie policy finding            | yes     | no          | no          | no               | no            | no                      |
| AWS Trusted Advisor check              | yes     | no          | no          | no               | no            | no                      |
| AWS Security Hub control               | no      | no          | yes         | no               | no            | no                      |
| AWS CloudTrail Insights event          | no      | no          | no          | yes              | no            | no                      |
| Amazon GuardDuty                       | no      | no          | no          | yes              | yes           | yes                     |
| AWS IAM Access Analyzer finding        | yes     | no          | no          | no               | no            | no                      |
| AWS Firewall Manager finding           | yes     | no          | no          | no               | no            | no                      |
| AWS IoT Device Defender Audit finding  | yes     | no          | no          | no               | no            | no                      |

(x marks the column that is the service's own output rather than an input.)

Last but not least, AWS aggregates all the information in different services. The following table lists the services and the sources they use.

| AWS service/capability      | Config rule | CloudTrail event | VPC Flow Logs | Route 53 DNS query logs | Inspector finding | Macie finding | Security Hub finding | GuardDuty finding | Trusted Advisor check | Health event | Access Analyzer finding | Firewall Manager finding | IoT Device Defender finding |
| AWS Security Hub            | yes         | no               | no            | no                      | yes               | yes           | x                    | yes               | no                    | yes          | yes                     | yes                      | yes                         |
| Amazon Security Lake        | no          | yes              | yes           | yes                     | no                | no            | yes                  | no                | no                    | no           | no                      | no                       | no                          |
| Amazon Detective            | no          | yes              | yes           | no                      | no                | no            | yes                  | yes               | no                    | no           | no                      | no                       | no                          |
| AWS Audit Manager           | yes         | yes              | no            | no                      | no                | no            | yes                  | no                | no                    | no           | no                      | no                       | no                          |
| AWS Config Conformance Pack | yes         | no               | no            | no                      | no                | no            | no                   | no                | no                    | no           | no                      | no                       | no                          |
| AWS Trusted Advisor         | no          | no               | no            | no                      | no                | no            | yes                  | no                | yes                   | no           | no                      | no                       | no                          |

(x marks the column that is the service's own output rather than an input.)

Selecting the right AWS services

Many AWS services/capabilities overlap in what information they analyze and the checks they perform. Examples:

  • AWS Trusted Advisor, AWS Config Rules / Conformance Packs, and AWS Security Hub security standards all check whether you follow predefined best practices in your AWS account.
  • Amazon Detective, AWS CloudTrail Insights, and Amazon GuardDuty analyze your CloudTrail data to find suspicious activity.

If you mindlessly enable all the services, you pay for the same check multiple times. But the issue gets worse: each service creates a finding, yet all of them refer to the same problem. For example, if you enable AWS Trusted Advisor, AWS Config Rules / Conformance Packs, AWS Security Hub security standards, and Amazon Macie, and then make an S3 bucket public, you get a firework of findings. All of them tell you that the bucket is now public. But how do you manage this information overload? Amazon invented yet another service to aggregate this information again: Amazon Detective.

I suggest that you enable the following AWS services/capabilities in a delegated admin AWS account (aka security account, a feature of AWS Organizations) to check all your AWS accounts in one place:

  • AWS Config with a retention period of 1 year in each region you use.
  • AWS Security Hub with the AWS Foundational Security Best Practices (FSBP) standard enabled in each region you use (AWS Security Hub requires AWS Config).
  • Optional: Amazon GuardDuty in each region you use.
  • Optional: Amazon Inspector in each region you use.

By default, GuardDuty and Inspector send their findings to Security Hub. Therefore, Security Hub is your central place to work with findings. A finding can be NEW, acknowledged (NOTIFIED), SUPPRESSED, or RESOLVED. The end goal is to keep the number of findings low.

You can disable individual AWS Security Hub controls if you disagree with the "best practice."

Last, we must alert someone in charge to deal with the finding.

Incident Response

A finding is the beginning, not the end, of the security incident response process. Once a finding is created, the process starts:

  1. Alert the right person.
  2. Analyze the finding (research more data).
  3. Fix the issue.
  4. Resolve the finding.

To alert the right person, it is important to understand how Security Hub publishes information about findings. Security Hub publishes an event to EventBridge every time a finding is created or updated. If you followed my advice to use a delegated admin AWS account, the event is published in both the source (aka member) account and the delegated admin account. I recommend creating an EventBridge rule that listens for new findings in each AWS member account (not in the delegated admin). Assuming that you use AWS accounts to isolate workloads, there should be a relationship between the AWS account and a team in charge that can be alerted when a new finding arrives. Remember to create the EventBridge rule in each region you use.

The following Terraform snippet creates an EventBridge rule connected to an SNS topic:

resource "aws_cloudwatch_event_rule" "security_hub_finding" {
  name        = "security-hub-finding"
  description = "Findings (severity >= high) from AWS Security Hub."
  # Match only findings that are still ACTIVE, in workflow status NEW, and
  # with a normalized severity of 70 or more (HIGH and CRITICAL in ASFF).
  event_pattern = <<-JSON
    {
      "source": ["aws.securityhub"],
      "detail-type": ["Security Hub Findings - Imported"],
      "detail": {
        "findings": {
          "Severity": {
            "Normalized": [{"numeric": [">=", 70]}]
          },
          "Workflow": {
            "Status": ["NEW"]
          },
          "RecordState": ["ACTIVE"]
        }
      }
    }
  JSON
}

# Deliver matching events to the SNS topic that notifies the team in charge.
resource "aws_cloudwatch_event_target" "security_hub_finding" {
  rule      = aws_cloudwatch_event_rule.security_hub_finding.name
  target_id = "sns"
  arn       = "YOUR SNS TOPIC ARN"
}

There is one issue with this approach. As long as the workflow status stays NEW, you will receive an EventBridge event per finding every day. If this feels too spammy, write a Lambda function that sets the status to NOTIFIED. Alternatively, you can use marbot, our AWS monitoring chatbot. marbot creates the EventBridge rule for you and sets the status to NOTIFIED after you receive an alert in Slack or Microsoft Teams about the new finding.
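As an added example that is not part of the original post, here is a small Lambda handler for the "set the status to NOTIFIED" step: it takes the EventBridge event matched by the rule above, picks out the NEW, ACTIVE findings at or above normalized severity 70, and acknowledges them through the Security Hub BatchUpdateFindings API (100 findings per call). The finding Ids, the PRODUCT_ARN value and the sample event are constructed for illustration; the `client` parameter only exists so the logic can be exercised without AWS credentials.

```python
"""Added example: acknowledge alerted Security Hub findings as NOTIFIED so the
EventBridge rule stops re-delivering them as NEW. Uses BatchUpdateFindings,
which accepts at most 100 FindingIdentifiers per request."""
from typing import Dict, List

BATCH_LIMIT = 100  # BatchUpdateFindings hard limit per request


def select_identifiers(event: Dict, min_severity: int = 70) -> List[Dict[str, str]]:
    """Collect {Id, ProductArn} for ACTIVE, NEW findings with Normalized >= min_severity.
    The rule already filters on these fields; re-checking keeps the handler safe behind a looser rule."""
    ids = []
    for f in event.get("detail", {}).get("findings", []):
        if (f.get("RecordState") == "ACTIVE"
                and f.get("Workflow", {}).get("Status") == "NEW"
                and f.get("Severity", {}).get("Normalized", 0) >= min_severity):
            ids.append({"Id": f["Id"], "ProductArn": f["ProductArn"]})
    return ids


def build_requests(identifiers: List[Dict[str, str]]) -> List[Dict]:
    """Split identifiers into BatchUpdateFindings request bodies of <= BATCH_LIMIT each."""
    return [{"FindingIdentifiers": identifiers[i:i + BATCH_LIMIT],
             "Workflow": {"Status": "NOTIFIED"}}
            for i in range(0, len(identifiers), BATCH_LIMIT)]


def handler(event: Dict, context=None, client=None) -> int:
    """Lambda entry point; returns how many findings Security Hub reported as processed."""
    requests = build_requests(select_identifiers(event))
    if not requests:
        return 0
    if client is None:
        import boto3  # deferred so the pure helpers above run without the SDK installed
        client = boto3.client("securityhub")
    return sum(len(client.batch_update_findings(**body).get("ProcessedFindings", []))
               for body in requests)


# Constructed sample event in the shape of a "Security Hub Findings - Imported" event.
PRODUCT_ARN = "arn:aws:securityhub:eu-west-1::product/aws/securityhub"  # constructed
SAMPLE_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-high-new", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE",
         "Severity": {"Normalized": 70}, "Workflow": {"Status": "NEW"}},
        {"Id": "finding-medium-new", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE",
         "Severity": {"Normalized": 40}, "Workflow": {"Status": "NEW"}},
        {"Id": "finding-critical-notified", "ProductArn": PRODUCT_ARN, "RecordState": "ACTIVE",
         "Severity": {"Normalized": 90}, "Workflow": {"Status": "NOTIFIED"}}]}}
```

Only the first sample finding qualifies: the second is below the severity threshold and the third has already been acknowledged, so running `handler(SAMPLE_EVENT)` updates exactly one finding.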

Summary

Many AWS services and capabilities are relevant when talking about AWS security monitoring. They overlap in what information they analyze and the checks they perform. If you carefully select the right AWS services, you can avoid duplicate findings and costs while still observing all the security-relevant sources. Use AWS Security Hub as your central place for AWS security monitoring. Optionally, use GuardDuty and Inspector to feed more insights into Security Hub. Last, use EventBridge to forward Security Hub findings to the right team.
