Finding the needle in the haystack
If you have been following this series on security from the first blog post, you will have seen the remediation steps taken to remove unauthorized user access from the 'unprepared' AWS account.
I have been monitoring daily usage to identify any new Amazon SageMaker Canvas charges from user 'michael-c' in the US East (N. Virginia) region.
Inspecting the unblended costs section of the daily AWS Cost Explorer dashboard showed no new Amazon SageMaker charges in the us-east-1 region after Amazon GuardDuty and AWS Trusted Advisor were implemented.
In this blog post you will learn how Amazon GuardDuty and AWS Security Hub work together to protect your AWS accounts against suspicious activity: identifying unauthorized user access, flagging unusual API calls and reducing surprise bills.
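The daily Cost Explorer check described above, as an added example that is not part of the original post: it walks a `get_cost_and_usage` response grouped by service and region and reports the days on which Amazon SageMaker billed anything in us-east-1. The response below is constructed sample data; the service name string and the order of the grouping keys are assumed to match what Cost Explorer returns.

```python
# Added example (not from the original post): a daily check over an AWS Cost
# Explorer response that flags any unblended Amazon SageMaker cost in us-east-1,
# the signal the post uses to confirm the unauthorized Canvas usage has stopped.
# The response shape is the one boto3's
#   ce.get_cost_and_usage(TimePeriod={...}, Granularity="DAILY",
#                         Metrics=["UnblendedCost"],
#                         GroupBy=[{"Type": "DIMENSION", "Key": "SERVICE"},
#                                  {"Type": "DIMENSION", "Key": "REGION"}])
# returns; the amounts below are constructed sample data, not real billing.
from decimal import Decimal

WATCHED_SERVICE = "Amazon SageMaker"
WATCHED_REGION = "us-east-1"

SAMPLE_RESPONSE = {  # constructed
    "ResultsByTime": [
        {"TimePeriod": {"Start": "2022-07-20", "End": "2022-07-21"},
         "Groups": [
             {"Keys": ["Amazon SageMaker", "us-east-1"],
              "Metrics": {"UnblendedCost": {"Amount": "31.42", "Unit": "USD"}}},
             {"Keys": ["Amazon GuardDuty", "us-east-1"],
              "Metrics": {"UnblendedCost": {"Amount": "0", "Unit": "USD"}}}]},
        {"TimePeriod": {"Start": "2022-07-21", "End": "2022-07-22"},
         "Groups": [
             {"Keys": ["Amazon SageMaker", "us-east-1"],
              "Metrics": {"UnblendedCost": {"Amount": "0.0000000000", "Unit": "USD"}}}]},
        {"TimePeriod": {"Start": "2022-07-22", "End": "2022-07-23"},
         "Groups": []},  # no SageMaker line at all once the resource is gone
    ]
}

def daily_cost(response, service, region):
    """{day: Decimal cost} for one service/region over every day in the
    response; days with no matching group count as 0 so gaps stay visible."""
    out = {}
    for day in response["ResultsByTime"]:
        total = Decimal("0")
        for group in day["Groups"]:
            if group["Keys"] == [service, region]:
                total += Decimal(group["Metrics"]["UnblendedCost"]["Amount"])
        out[day["TimePeriod"]["Start"]] = total
    return out

def days_with_charges(response, service=WATCHED_SERVICE, region=WATCHED_REGION,
                      threshold=Decimal("0.01")):
    """Days on which the watched service billed at least `threshold` USD;
    an empty list is the 'no new charges' result the post is looking for."""
    costs = daily_cost(response, service, region)
    return sorted(day for day, amount in costs.items() if amount >= threshold)
```

Run it daily against the live response and alert on a non-empty list; the Decimal type avoids float rounding on the ten-decimal amounts Cost Explorer returns.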
Solution overview
After enabling Amazon GuardDuty and AWS Security Hub, the AWS Trusted Advisor high-risk recommendations were implemented as remediation actions. As a result, there was no further unauthorized user access and no new Amazon SageMaker Canvas usage charge in the us-east-1 region after 21 July 2022. This is a quick win, as you can see from the diagram below.
I upgraded my AWS Support Plan from Basic to Developer so that I could access 7 core AWS Trusted Advisor recommendations for best practice with a price of $29 per month.
You may also choose the Business or Enterprise AWS Support Plan if you would like to subscribe and pay for full access to all of the Trusted Advisor best practice recommendations. Here is a link to the different AWS Support Plans that you may select for your test and production workloads.
Amazon GuardDuty
Amazon GuardDuty uses machine learning and threat intelligence to continuously monitor and protect AWS accounts and workloads, covering:
- IAM access to S3 buckets
- AWS accounts and users via CloudTrail
- Kubernetes container protection
- VPC Flow Logs
There are no charges incurred during your 30 day trial period with the AWS Free Tier.
AWS GuardDuty analyzes the anomalies, identifies threats and generates findings to help you prioritize and remediate what it detects.
Security Pillar
The Security Pillar is part of the AWS Well-Architected Framework that helps you to build AWS workloads that consider the architectural best practices to meet business and regulatory obligations.
High Level Architecture
The AWS GuardDuty architecture diagram describes the workflow from the quick-start initial setup through to producing findings.
AWS Trusted Advisor
AWS Trusted Advisor is a centralized place to receive best practice recommendations for your account that help you save money and maximize the performance of your resources, for example by removing underutilized EC2 instances.
Recommendations focus on the areas of:
- Cost optimization
- Performance
- Security
- Fault Tolerance
- Service Limits
With an AWS Business or Enterprise Support Plan you will receive full checks for Trusted Advisor.
AWS Security Hub
AWS Security Hub provides a centralized view of insights for all of your AWS resources across multiple regions and produces security findings classified as high, medium or low severity, using these services:
- Amazon GuardDuty
- Amazon Inspector
- Amazon Macie
- AWS Trusted Advisor
- Other optional integrations
AWS Security Hub will provide a list of security findings that you can investigate and then remediate according to best practice guidelines.
Tutorial 1: Enabling AWS GuardDuty
Step 1: Sign into the AWS Management console with your Admin IAM user account.
Step 2: On the search bar type 'AWS GuardDuty'
Step 3: On the AWS GuardDuty homepage click Get Started
Step 4: Click Enable GuardDuty
Step 5: Enter your 12 digit AWS account number
Step 6: There are no charges to AWS GuardDuty during a 30 day free trial with AWS Free Tier.
Step 7: After AWS GuardDuty is enabled, wait for 10 minutes before you start receiving findings from GuardDuty.
Step 8: AWS GuardDuty provides S3 data protection, supports trusted IP lists, includes the new Kubernetes protection feature and also supports AWS Organizations for your accounts.
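Once findings start arriving, the triage a practitioner would do over them, as an added example that is neither the post's nor AWS's own code: it filters GuardDuty findings by severity band and by the IAM user under watch. The findings are constructed samples in the GuardDuty finding shape; the finding types and severity bands are the documented ones, while the finding ids and the API calls are made up.

```python
# Added example (not from the original post): triage of Amazon GuardDuty
# findings once the 10-minute warm-up has passed. Feed it the "Findings" list
# returned by `aws guardduty get-findings --detector-id <id> --finding-ids ...`
# (or boto3 guardduty.get_findings). The findings below are constructed
# samples in the GuardDuty finding shape; finding ids and API calls are made up.

SEVERITY_BANDS = ((7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW"))  # documented ranges

def _iam_finding(fid, ftype, sev, user, api, svc):  # builder for the samples only
    return {"Id": fid, "Type": ftype, "Severity": sev, "Region": "us-east-1",
            "Resource": {"ResourceType": "AccessKey",
                         "AccessKeyDetails": {"UserName": user, "UserType": "IAMUser"}},
            "Service": {"Action": {"ActionType": "AWS_API_CALL",
                                   "AwsApiCallAction": {"Api": api, "ServiceName": svc}}}}

SAMPLE_FINDINGS = [  # constructed, not real findings
    _iam_finding("f1", "UnauthorizedAccess:IAMUser/MaliciousIPCaller", 5.0,
                 "michael-c", "CreateApp", "sagemaker.amazonaws.com"),
    _iam_finding("f2", "Persistence:IAMUser/AnomalousBehavior", 8.0,
                 "michael-c", "CreateAccessKey", "iam.amazonaws.com"),
    {"Id": "f3", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Region": "eu-west-1", "Resource": {"ResourceType": "Instance"},
     "Service": {"Action": {"ActionType": "PORT_PROBE"}}},
]

def severity_label(score):
    """Map GuardDuty's numeric severity (0.1-8.9) to its Low/Medium/High band."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "INFO"

def principal(finding):
    """IAM user behind a finding, or None for non-IAM resources (EC2, EKS...)."""
    return finding["Resource"].get("AccessKeyDetails", {}).get("UserName")

def api_called(finding):
    """API name for AWS_API_CALL findings, None for network-style findings."""
    return finding["Service"]["Action"].get("AwsApiCallAction", {}).get("Api")

def triage(findings, watch_user=None, min_severity=4.0):
    """Findings at or above min_severity, highest first; with watch_user set,
    only findings attributed to that IAM user (the post's suspicious account)."""
    hits = [f for f in findings if f["Severity"] >= min_severity
            and (watch_user is None or principal(f) == watch_user)]
    hits.sort(key=lambda f: f["Severity"], reverse=True)
    return [(f["Id"], severity_label(f["Severity"]), f["Type"], f["Region"],
             principal(f), api_called(f)) for f in hits]
```

`triage(SAMPLE_FINDINGS, watch_user="michael-c")` returns the two IAM findings with the HIGH persistence finding first, which is the order to work them in.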
Tutorial 2: Enabling AWS Trusted Advisor
Step 1: Sign in to your AWS account using your root account details.
Step 2: Navigate to AWS Trusted Advisor.
Step 3: A warning message prompts you to upgrade your AWS Support Plan.
You will need to upgrade your AWS Support Plan from Basic to Developer. The Developer Support Plan will allow you to access 7 core AWS Trusted Advisor best practice recommendations on security checks and service limits.
Step 4: Select the Developer option to upgrade the AWS Support Plan and click Next.
Step 5: A pop-up window confirms that AWS Trusted Advisor has been enabled on your account.
Step 6: Wait 15 minutes to receive the AWS Trusted Advisor recommendations via AWS Security Hub.
Service Limit checks
Tutorial 3: Enabling AWS Security Hub
Complete the steps to enable AWS Security Hub by working through the lab from the AWS Well-Architected Labs.
Please refer to the documentation to troubleshoot AWS Config for AWS Security Hub.
Once AWS Security Hub is enabled, you may view insights from the dashboard for your AWS resources.
AWS re:Invent 2019: Prepare for & respond to security incidents in your AWS environment (SEC356) with Nathan Case and Paul Hawkins.
Join us for AWS re:Inforce conference 2022
Next week is AWS re:Inforce conference, 26-27 July 📆
A learning conference on compliance, privacy and identity 🔐🛠️
• Register to watch the keynote & sessions streamed live online 📺 or join the AWS Community in person in Boston.
• Link: https://reinforce.awsevents.com
Hot off the press 🚀: Tutorial 4: Enabling AWS GuardDuty Malware Detection
🔒 NEW - At AWS re:Inforce 2022 the latest announcement was the release of AWS GuardDuty Malware Detection to scan an EC2 instance or container workload.
Step 1: Navigate to your existing AWS GuardDuty dashboard and start the 30 day free trial for Malware Detection.
Step 2: Click Enable
Step 3: Click Enable Malware Protection
Step 4: You will receive confirmation that Malware detection was successfully created on your AWS account.
Until the next lesson, happy learning! 🙂