AWS Security: Threat Detection and Monitoring Tools | CyberNcrypt
When migrating to the cloud, you should review your security posture and determine what changes and controls are required to operate securely. AWS provides security tools and features that allow you to monitor what’s going on in your AWS environment. These tools and features provide you with the visibility you need to identify issues before they impact the business and allow you to improve your environment’s security posture and risk profile.
Some of the AWS threat detection and monitoring tools are listed below.
| Service | Description |
| --- | --- |
| Amazon GuardDuty | Amazon GuardDuty continuously analyzes AWS CloudTrail management events, CloudTrail S3 data events, Amazon VPC Flow Logs, DNS logs from the VPC resolver, Amazon EKS audit logs, and, for malware scanning, Amazon EBS volume data. It reads these sources through its own internal feeds, so you do not have to turn on VPC Flow Logs or create a CloudTrail trail yourself for it to work. It combines machine learning with threat intelligence, such as lists of known-malicious IP addresses and domains, to surface unexpected, potentially unauthorized, and malicious activity: privilege escalation, use of exposed credentials, communication with malicious IP addresses or domains, and malware on Amazon EC2 instances and container workloads. GuardDuty is enabled per account and per Region; findings appear in the console, are published to Amazon EventBridge (where you can trigger automated response), and can be aggregated in AWS Security Hub. |
| Amazon Inspector | The description that follows covers Amazon Inspector Classic, the original version of the service. Inspector Classic assesses the network reachability of your Amazon EC2 instances and the security of the applications running on them, checking for vulnerabilities, exposures, and deviations from best practices, and produces a list of findings ordered by severity. Assessments can be automated in development and deployment pipelines as well as run against static production systems, so security testing becomes a routine part of development and IT operations. Inspector Classic relies on an agent installed in the instance operating system; the agent observes network, file system, and process activity and collects behavioral and configuration data (telemetry) for the assessment. Inspector Classic has since been superseded by the current Amazon Inspector, which needs no dedicated agent (it uses the AWS Systems Manager Agent already present on managed EC2 instances) and continuously scans EC2 instances, container images in Amazon ECR, and AWS Lambda functions for known software vulnerabilities (CVEs) and unintended network exposure. |
| AWS Config | AWS Config gives you a detailed view of the configuration of the AWS resources in your account, including how resources relate to one another and how they were configured in the past, so you can see how configurations and relationships change over time. Examples of AWS resources are an Amazon Elastic Compute Cloud (EC2) instance, an Amazon Elastic Block Store (EBS) volume, a security group, or an Amazon Virtual Private Cloud (VPC). With AWS Config you can evaluate resource configurations against desired settings using managed or custom rules; take a snapshot of the current configuration of the supported resources in your account; retrieve the current or historical configuration of one or more resources; receive a notification when a resource is created, modified, or deleted; and explore resource relationships, for example to find every resource that uses a particular security group. |
| AWS CloudTrail | AWS CloudTrail is the AWS service that enables governance, compliance, and operational and risk auditing of your AWS account. A CloudTrail event is an action taken by a user, role, or AWS service, whether through the AWS Management Console, the AWS Command Line Interface, or the AWS SDKs and APIs. When you create an AWS account, CloudTrail Event history is enabled automatically and keeps 90 days of management events, which you can view in the CloudTrail console. To retain events longer, capture all Regions, record S3 or Lambda data events, or feed other tools, create a trail that delivers log files to an S3 bucket (with log file integrity validation turned on so that tampering with delivered files can be detected) and optionally to CloudWatch Logs. Visibility into account activity is a core security and operational practice: CloudTrail lets you monitor, search, download, archive, analyze, and respond to activity across your AWS infrastructure and determine who or what performed which action, on which resources, and when. Enabling CloudTrail Insights on a trail adds detection of unusual API call volumes and error rates. |
| AWS Network Firewall | AWS Network Firewall is a managed network firewall and intrusion detection and prevention service for your Amazon Virtual Private Cloud (Amazon VPC). You use it to filter traffic at the perimeter of the VPC, including traffic to and from an internet gateway, NAT gateway, VPN, or AWS Direct Connect. Stateful inspection is performed by Suricata, an open source intrusion prevention system (IPS), so Network Firewall accepts Suricata-compatible rules alongside its own stateless and domain-list rule types. |
| AWS Shield | Protecting your internet-facing applications from Distributed Denial of Service (DDoS) attacks is critical. AWS Shield Standard is included at no extra cost for every application built on AWS and automatically mitigates common volumetric and network-layer attack vectors such as UDP reflection attacks and TCP SYN floods. AWS Shield Advanced is a paid managed threat protection service that adds enhanced DDoS detection, mitigation, and response capabilities, including attack visibility and access to the AWS Shield Response Team. Together with an architecture designed and configured for DDoS resilience, these safeguards help keep your AWS-hosted applications available. |
| AWS WAF | AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API, and control who can reach your content. Based on criteria you specify, such as the IP addresses requests originate from or the values of query strings, the service fronting your protected resource either responds with the requested content or returns an HTTP 403 (Forbidden) status code. For blocked requests you can also configure CloudFront to return a custom error page. |
| AWS Firewall Manager | AWS Firewall Manager centralizes the administration and maintenance of AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall across multiple accounts and resources. You configure protections once as Firewall Manager policies and the service applies them to all in-scope accounts and resources, including ones added later. It requires AWS Organizations (policies are managed from a designated Firewall Manager administrator account) and AWS Config enabled in the accounts it protects. |
| Amazon CloudWatch | Amazon CloudWatch continuously monitors your AWS resources and the applications you run on AWS. You use it to collect and track metrics, the measurable variables of your resources and applications; the CloudWatch home page shows metrics for every AWS service you use, and you can build custom dashboards for your own applications and metric collections. Alarms watch a metric and, when it crosses a threshold, send a notification or automatically change the resources being monitored. For example, you can track EC2 instances' CPU usage and disk reads and writes to decide whether to launch additional instances for increased load, or to stop underutilized ones and save money. For security monitoring, CloudWatch Logs metric filters applied to a CloudTrail log group turn specific events, such as root account use or a console login without MFA, into metrics that alarms can act on. Overall, CloudWatch gives you system-wide visibility into resource utilization, application performance, and operational health. |
| Amazon Macie | Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to help you discover, monitor, and protect sensitive data in your AWS environment. Macie automates the discovery of sensitive data such as personally identifiable information (PII) and financial data, giving you a better understanding of what your organization stores in Amazon Simple Storage Service (Amazon S3). It also maintains an inventory of your S3 buckets and continually evaluates them for security and access control, reporting publicly accessible, overly permissive, or unencrypted buckets within minutes. When Macie detects sensitive data or a potential security or privacy issue, it generates detailed findings that you can review and act on in Macie itself or forward to other services, applications, and systems, for example through Amazon EventBridge or AWS Security Hub. |
| AWS Security Hub | AWS Security Hub provides a comprehensive view of your security state in AWS and checks your environment against security industry standards and best practices, including the CIS AWS Foundations Benchmark, the AWS Foundational Security Best Practices standard, and PCI DSS. Security Hub aggregates findings from AWS accounts and services (GuardDuty, Inspector, Macie, Config, Firewall Manager, and others) and from supported third-party partner products into one normalized format, the AWS Security Finding Format (ASFF), so you can analyze security trends and identify the most important issues across your accounts. |
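CloudTrail only detects anything if something reads the records it delivers. The following is an added example, not code from the original page or from AWS: a small Python triage pass over the body of one CloudTrail log file (the `Records` array) that applies a handful of rules in the spirit of the CIS AWS Foundations Benchmark metric filters mentioned in the CloudWatch row above: root account usage, a successful console login without MFA, calls that stop or alter the trail itself, an access key created for a different user, and a burst of denied API calls from a single source IP. The records, identities, trail name, and IP addresses are constructed for this example and the rule names are the example's own.

```python
"""Triage a CloudTrail log file body for a few high-signal events.

Added example, not code from the original page or from AWS. The rules are this
example's own (modelled on the CIS AWS Foundations Benchmark metric filters) and
every record below is constructed.
"""
import json
from collections import defaultdict

# CloudTrail API names that change what gets logged (defense evasion).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed identities; 111122223333 is the AWS documentation placeholder account.
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}
ALICE = {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::111122223333:user/alice"}
SCANNER = {"type": "IAMUser", "userName": "scanner", "arn": "arn:aws:iam::111122223333:user/scanner"}
BOB = {"type": "IAMUser", "userName": "bob", "arn": "arn:aws:iam::111122223333:user/bob"}


def _rec(time, source, name, ident, ip, **extra):
    """Build a constructed CloudTrail record carrying only the fields the rules read."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, **extra}


# Constructed log file body: one root login without MFA, root stopping the trail,
# alice minting a key for another user, one benign call, and five denied calls.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-05-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ROOT, "198.51.100.7",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("2024-05-01T10:02:11Z", "cloudtrail.amazonaws.com", "StopLogging", ROOT, "198.51.100.7",
         requestParameters={"name": "org-trail"}),
    _rec("2024-05-01T10:03:00Z", "iam.amazonaws.com", "CreateAccessKey", ALICE, "198.51.100.7",
         requestParameters={"userName": "backup-svc"}),
    _rec("2024-05-01T10:04:00Z", "s3.amazonaws.com", "ListBuckets", BOB, "192.0.2.10"),
] + [
    _rec(f"2024-05-01T10:05:{i:02d}Z", "ec2.amazonaws.com", "DescribeInstances", SCANNER,
         "203.0.113.9", errorCode="Client.UnauthorizedOperation") for i in range(5)
]})


def actor_of(record):
    """Human-readable principal: 'root', the IAM user name, or the ARN."""
    ident = record.get("userIdentity") or {}
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def is_unauthorized(record):
    # Same shape as the CIS filter: errorCode = "*UnauthorizedOperation" or "AccessDenied*".
    code = record.get("errorCode") or ""
    return code.startswith("AccessDenied") or code.endswith("UnauthorizedOperation")


def triage(log_text, burst_threshold=5):
    """Return a list of findings for the records in one CloudTrail log file body."""
    findings = []
    denied_by_ip = defaultdict(list)
    for r in json.loads(log_text)["Records"]:
        name = r.get("eventName")
        base = {"eventTime": r.get("eventTime"), "actor": actor_of(r),
                "sourceIP": r.get("sourceIPAddress")}
        if (r.get("userIdentity") or {}).get("type") == "Root":
            findings.append({**base, "rule": "RootAccountUsage", "detail": name})
        if name == "ConsoleLogin" and (r.get("additionalEventData") or {}).get("MFAUsed") == "No" \
                and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success":
            findings.append({**base, "rule": "ConsoleLoginWithoutMFA", "detail": name})
        if r.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPERING:
            trail = (r.get("requestParameters") or {}).get("name", "")
            findings.append({**base, "rule": "CloudTrailTampering", "detail": f"{name} {trail}".strip()})
        if name == "CreateAccessKey":
            # A userName in the request means a key for someone else (own-key requests
            # omit it): a persistence / privilege-escalation indicator.
            target = (r.get("requestParameters") or {}).get("userName")
            if target and target != base["actor"]:
                findings.append({**base, "rule": "CrossUserAccessKey", "detail": f"key created for {target}"})
        if is_unauthorized(r):
            denied_by_ip[r.get("sourceIPAddress")].append(r)
    for ip, denied in denied_by_ip.items():
        if len(denied) >= burst_threshold:
            findings.append({"eventTime": denied[0].get("eventTime"), "actor": actor_of(denied[0]),
                             "sourceIP": ip, "rule": "UnauthorizedApiCallBurst",
                             "detail": f"{len(denied)} denied calls"})
    return findings


def rules_fired(findings):
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['eventTime']} {f['rule']:24} {f['actor']:8} {f['sourceIP']:14} {f['detail']}")
```

In practice this runs in a Lambda function triggered by the trail's S3 delivery notifications, or the same conditions are expressed as CloudWatch Logs metric filters with alarms on the trail's log group. The trail-tampering rule is worth keeping even though GuardDuty has a finding for disabled CloudTrail logging: it fires on your own copy of the logs regardless of whether GuardDuty is enabled in that account and Region.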
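The AWS Config row above mentions evaluating resource configurations against desired settings with custom rules. As an added example (not from the original page or from AWS), here is the logic of a custom Config rule backed by a Lambda function that marks an `AWS::EC2::SecurityGroup` NON_COMPLIANT when a blocked port (22 and 3389 by default, overridable through a `blockedPorts` rule parameter invented for this example) is reachable from `0.0.0.0/0` or `::/0`. The sample configuration items, the invocation event, and the result token are constructed; the field names (`ipPermissions`, `ipRanges`, `ipv4Ranges`, `ipv6Ranges`, `configurationItemStatus`) follow the shape of real Config items, and the only AWS API call, `PutEvaluations`, is isolated in the Lambda handler.

```python
"""AWS Config custom rule: flag security groups that expose admin ports to the internet.

Added example, not code from the original page or from AWS. Item shape follows
AWS::EC2::SecurityGroup configuration items; the sample items, the "blockedPorts"
rule parameter and the result token are constructed for this example.
"""
import json

DEFAULT_BLOCKED_PORTS = (22, 3389)
WORLD = {"0.0.0.0/0", "::/0"}

def ranges_of(perm):
    """Collect every CIDR in one ipPermissions entry, across the field shapes Config emits."""
    cidrs = set(perm.get("ipRanges") or [])
    cidrs |= {r["cidrIp"] for r in perm.get("ipv4Ranges") or [] if r.get("cidrIp")}
    cidrs |= {r["cidrIpv6"] for r in perm.get("ipv6Ranges") or [] if r.get("cidrIpv6")}
    return cidrs

def exposes_port(perm, port):
    """True if the entry admits `port`: all traffic (-1) or a TCP/UDP range covering it."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi

def evaluate_security_group(item, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Return (ComplianceType, Annotation) for one security-group configuration item."""
    # Deleted resources must be NOT_APPLICABLE, or a stale NON_COMPLIANT result lingers.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"
    hits = []
    for perm in (item.get("configuration") or {}).get("ipPermissions") or []:
        open_cidrs = ranges_of(perm) & WORLD
        exposed = [p for p in blocked_ports if exposes_port(perm, p)] if open_cidrs else []
        if exposed:
            hits.append(f"{perm.get('ipProtocol')} {','.join(map(str, exposed))} "
                        f"from {', '.join(sorted(open_cidrs))}")
    if hits:
        return "NON_COMPLIANT", "World-open: " + "; ".join(hits)
    return "COMPLIANT", "No blocked port reachable from 0.0.0.0/0 or ::/0"

def parse_blocked_ports(rule_parameters_json):
    """ruleParameters arrives as a JSON string, e.g. '{"blockedPorts": "22,3389"}'."""
    raw = json.loads(rule_parameters_json or "{}").get("blockedPorts")
    if not raw:
        return DEFAULT_BLOCKED_PORTS
    return tuple(int(p) for p in str(raw).split(",") if p.strip())

def build_evaluation(event):
    """Pure half of the rule: turn a Config invocation event into one PutEvaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, note = evaluate_security_group(item, parse_blocked_ports(event.get("ruleParameters")))
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def lambda_handler(event, context):
    """Lambda entry point wired to the Config rule; reports the result back to Config."""
    import boto3  # imported here so everything above runs without AWS credentials
    boto3.client("config").put_evaluations(Evaluations=[build_evaluation(event)],
                                           ResultToken=event["resultToken"])

def _sg_item(sg_id, perms, status="OK"):
    """Constructed configuration item carrying only the fields the rule reads."""
    return {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
            "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-05-01T10:00:00.000Z",
            "configuration": {"groupId": sg_id, "ipPermissions": perms}}

SAMPLE_ITEMS = {
    "ssh-world": _sg_item("sg-0a1b2c3d4e5f00001", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]),
    "ssh-internal": _sg_item("sg-0a1b2c3d4e5f00002", [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]},
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]}]),
    "all-world": _sg_item("sg-0a1b2c3d4e5f00003", [{"ipProtocol": "-1", "ipRanges": ["0.0.0.0/0"]}]),
    "rdp-v6": _sg_item("sg-0a1b2c3d4e5f00004", [
        {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]),
    "deleted": _sg_item("sg-0a1b2c3d4e5f00005", [], status="ResourceDeleted"),
}

def sample_event(key, blocked_ports="22,3389"):
    """Constructed Config invocation event for one of the sample items."""
    return {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS[key],
                                         "messageType": "ConfigurationItemChangeNotification"}),
            "ruleParameters": json.dumps({"blockedPorts": blocked_ports}),
            "resultToken": "constructed-token"}

if __name__ == "__main__":
    for key in SAMPLE_ITEMS:
        ev = build_evaluation(sample_event(key))
        print(f"{key:13} {ev['ComplianceType']:14} {ev['Annotation']}")
```

Two details matter in practice. Config delivers both `ipRanges` (plain strings) and `ipv4Ranges`/`ipv6Ranges` (objects) for the same rule, so a check that reads only one field misses the IPv6 `::/0` case shown by the `rdp-v6` item. And the deleted-resource branch is what lets a NON_COMPLIANT result clear when the offending group is removed; without it the rule keeps reporting a resource that no longer exists.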