Wendy Wong for AWS Community Builders


Amazon GuardDuty and AWS Security Hub - Incident response with the help of detective controls


Finding the needle in the haystack

If you have been following this security series from the first blog post, you will understand the various remediation steps that were completed to remove unauthorized user access from the 'unprepared' AWS account.

I have been monitoring daily usage to identify any new Amazon SageMaker Canvas charges from the user 'michael-c' in the US East (N. Virginia) region.

From inspecting the unblended costs section of the daily AWS Cost Explorer dashboard, there were no new Amazon SageMaker charges incurred in us-east-1 after the implementation of Amazon GuardDuty and AWS Trusted Advisor.


In this blog post you will learn how the combination of Amazon GuardDuty and AWS Security Hub work together to quickly protect your AWS accounts against suspicious activity: identifying unauthorized user access, monitoring any unusual API calls and reducing surprise bills.

Solution overview

After enabling Amazon GuardDuty and AWS Security Hub, the AWS Trusted Advisor high-risk recommendations were implemented as remediation actions. As a result, there was no further unauthorized user access and no new Amazon SageMaker Canvas usage charges in the US East (N. Virginia) region after 21 July 2022. This is a quick win, as you can see from the diagram below.

(Screenshot: AWS Cost Explorer showing no new charges)

I upgraded my AWS Support Plan from Basic to Developer so that I could access the 7 core AWS Trusted Advisor best practice recommendations, at a price of $29 per month.

You may also choose the Business or Enterprise AWS Support Plan if you would like to subscribe and pay for full access to all of the Trusted Advisor best practice recommendations. Here is a link to the different AWS Support Plans that you may select for your test and production workloads.

Amazon GuardDuty

Amazon GuardDuty uses machine learning and threat intelligence to provide intelligent threat detection, continuously monitoring and protecting AWS accounts and workloads through these data sources:

  • IAM access to S3 buckets (S3 data events)
  • AWS accounts and users via AWS CloudTrail management events
  • Kubernetes container protection (Amazon EKS audit logs)
  • VPC Flow Logs

There are no charges incurred during your 30-day trial period with the AWS Free Tier.

Amazon GuardDuty analyzes these sources for anomalies, identifies threats and generates findings to help you prioritize and remediate any detected threats.

Security Pillar

The Security Pillar is part of the AWS Well-Architected Framework that helps you to build AWS workloads that consider the architectural best practices to meet business and regulatory obligations.

High Level Architecture

The Amazon GuardDuty architecture diagram describes the workflow from the quick-start initial setup through to producing findings.

(Diagram: GuardDuty high-level architecture)

AWS Trusted Advisor

AWS Trusted Advisor is a centralized place to receive best practice recommendations for your account, helping you save money and maximize the performance of your resources, for example by removing underutilized EC2 instances.

Recommendations focus on the areas of:

  • Cost optimization
  • Performance
  • Security
  • Fault Tolerance
  • Service Limits

With an AWS Business or Enterprise Support Plan you will receive the full set of Trusted Advisor checks.

AWS Security Hub

AWS Security Hub provides a centralized view of insights for all of your AWS resources across multiple regions and produces security findings classified as high, medium or low severity, aggregated from the following services:

  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Macie
  • AWS Trusted Advisor
  • Other optional integrations

(Screenshot: Security Hub security standards)

AWS Security Hub provides a list of security findings that you can investigate and then remediate according to best practice guidelines.
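To show how the findings described above are prioritized, here is a small triage script (an added example, not code from the original post or from AWS). It maps GuardDuty's numeric severity to the high/medium/low labels Security Hub uses, orders findings for remediation, and filters the ones attributed to a given IAM user. The finding records are constructed samples in the shape of GuardDuty's finding JSON (only the fields used here); the finding types are taken from GuardDuty's finding-type catalogue, while the IDs, user name and values are made up.

```python
"""Triage of GuardDuty findings using the Security Hub severity labels.

Added example (not from the original post). SAMPLE_FINDINGS below are
constructed records; the IDs, user name and region are assumptions.
"""


def severity_label(severity: float) -> str:
    """Map a GuardDuty severity (0.1 to 8.9) to the label Security Hub shows.
    GuardDuty documents Low as 1.0-3.9, Medium 4.0-6.9 and High 7.0-8.9."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    if severity >= 1.0:
        return "LOW"
    return "INFORMATIONAL"


def normalized_score(severity: float) -> int:
    """Security Hub's 0-100 normalized score is the GuardDuty severity x 10."""
    return int(round(severity * 10))


SAMPLE_FINDINGS = [  # constructed sample findings, not real account data
    {"Id": "f-1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Region": "us-east-1", "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-2", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
     "Severity": 5.0, "Region": "us-east-1",
     "Resource": {"ResourceType": "AccessKey",
                  "AccessKeyDetails": {"UserName": "example-user", "UserType": "IAMUser"}}},
    {"Id": "f-3", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 8.0,
     "Region": "us-east-1", "Resource": {"ResourceType": "Instance"}},
]


def triage(findings):
    """Return findings highest severity first, with label, score and IAM principal."""
    rows = []
    for f in findings:
        principal = f["Resource"].get("AccessKeyDetails", {}).get("UserName")
        rows.append({"id": f["Id"], "type": f["Type"], "region": f["Region"],
                     "severity": f["Severity"], "label": severity_label(f["Severity"]),
                     "normalized": normalized_score(f["Severity"]), "principal": principal})
    return sorted(rows, key=lambda r: r["severity"], reverse=True)


def findings_for_principal(findings, user_name):
    """Findings tied to one IAM user, e.g. to confirm a removed user generates no activity."""
    return [r for r in triage(findings) if r["principal"] == user_name]


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        print(f"{r['label']:<8} {r['normalized']:>3} {r['type']:<52} {r['principal'] or '-'}")
```

On a real account the same functions work on the `Findings` list returned by the GuardDuty `get-findings` API, which uses the field names assumed here.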

Tutorial 1: Enabling Amazon GuardDuty

Step 1: Sign in to the AWS Management Console with your admin IAM user account.

Step 2: In the search bar, type 'GuardDuty'.

Step 3: On the Amazon GuardDuty homepage, click Get Started.


Step 4: Click Enable GuardDuty.

Step 5: Enter your 12-digit AWS account number.

Step 6: There are no charges for Amazon GuardDuty during the 30-day free trial with the AWS Free Tier.

Step 7: After Amazon GuardDuty is enabled, wait about 10 minutes before you start receiving findings from GuardDuty.

Step 8: Amazon GuardDuty provides S3 data protection, allows you to list trusted IP addresses, includes a new feature for Kubernetes protection and also supports AWS Organizations for your accounts.

Tutorial 2: Enabling AWS Trusted Advisor

Step 1: Sign in to your AWS account using your root account credentials.

Step 2: Navigate to AWS Trusted Advisor.

Step 3: A warning message prompts you to upgrade your AWS Support Plan.

You will need to upgrade your AWS Support Plan from Basic to Developer. The Developer Support Plan gives you access to the 7 core AWS Trusted Advisor best practice recommendations covering security checks and service limits.


Step 4: Select the Developer option to upgrade the AWS Support Plan and click Next.


Step 5: You will receive a pop-up message confirming that AWS Trusted Advisor has been enabled on your account.

Step 6: Wait about 15 minutes to receive the AWS Trusted Advisor recommendations in AWS Security Hub.

(Screenshots: Trusted Advisor security checks and service limit checks)

Tutorial 3: Enabling AWS Security Hub

To enable AWS Security Hub, follow the steps in the corresponding lab from the AWS Well-Architected Labs.

Please refer to the documentation to troubleshoot AWS Config for AWS Security Hub.

Once AWS Security Hub is enabled, you can view insights for your AWS resources from the dashboard.

AWS re:Invent 2019: Prepare for & respond to security incidents in your AWS environment (SEC356) with Nathan Case and Paul Hawkins.

Join us for AWS re:Inforce conference 2022

Next week is the AWS re:Inforce conference, 26-27 July 📆

A learning conference on compliance, privacy and identity 🔐🛠️

• Register to watch the keynote & sessions streamed live online 📺 or join the AWS Community in person in Boston.

• Link: https://reinforce.awsevents.com


Hot off the press 🚀: Tutorial 4: Enabling AWS GuardDuty Malware Detection

🔒 NEW - At AWS re:Inforce 2022 the latest announcement was the release of AWS GuardDuty Malware Detection, which scans an EC2 instance or container workload.

Step 1: Navigate to your existing Amazon GuardDuty dashboard and start the 30-day free trial for Malware Detection.

Step 2: Click Enable.

Step 3: Click Enable Malware Protection.

Step 4: You will receive confirmation that Malware Detection was successfully enabled on your AWS account.

Until the next lesson, happy learning! 🙂

Resources

Amazon GuardDuty

AWS Security Hub

AWS Trusted Advisor

Enabling and configuring AWS Security Hub
