Runbook for Cloud Security Teams

It might be news for security folks but AWS security services cover much if not all of the needs of cloud security.

AWS security services :

  • CloudTrail (covers infrastructure calls, user and API call activity into your system)
  • Guard Duty (covers host communications and threat intelligence, covers network communications through monitoring VPC Flow logs )
  • AWS inspector (covers host vulnerabilities, host CIS benchmarks)
  • AWS Security Hub (covers third party services)
  • AWS Config (asset inventory, asset configuration compliance)

Therefore, there are essentially two tasks for the security team, a) ensuring all the security monitoring and AWS security services are setup right and b) monitor and review the findings from the AWS security services

Our automated runbooks (open sourced here) focus on ensuring AWS security services are rightly setup, collects and organizes findings from those services for easy review.

Sample of the daily run of the runbook in our test environment is here. The article below goes through the nuts and bolts of the runbook.

AWS Security Services Best Practice Enablement Checks

Our runbook goes through each of the security services and ensures they are setup right. Checks for whether Cloudtrail is set up for multi regional, GuardDuty is enabled in all regions, Security Hub is enabled in all regions etc.

Code snippet that checks for the enablement :

Review Findings from AWS Security Services

The runbook then checks for findings from various AWS security services to exhaustively cover all aspects of cloud — infrastructure calls, user console logins, root activity, GuardDuty findings on API calls (which will give you API calls that indicate threats), GuardDuty network findings (which will give you host communications involving malicious hosts) and Inspector (host vulnerabilities). Lets go through them.

Review Infrastructure Call Data

For infrastructure calls, we aggregate CloudTrail into easy to consumable format aggregating user agent information and IP address for each of the event names(actions), so you can easily determine any abnormal activity in the account.

  • Goal 1 : Review all changes hand made by users logging into console
  • Goal 2 : Review all user agents for the roles you normally observe in your environment. If you see changes from non programmatic user agents (such as Boto3, Terraform), then you need to take a closer look.

Code snippet that consolidates infrastructure calls :

Review Console Logins

Code snippet that collects and organizes console logins :

Review Root Activity

Code snippet that collects all API calls from Root user

Review Guard Duty API Call Activity

Our run books brings in the title, region and severity so the security team can easily review the high severity activity.

Review Guard Duty MaliciousCommunications Call Activity

GuardDuty malicious communications can be very noisy, particularly port probes , so we drop that activity from the review. We bring in the AMI ID to the focus so security teams can quickly determine which AMI ID is responsible for most GuardDuty activity.

Review Findings from AWS Inspector

AWS Inspector covers host vulnerabilities, host CIS benchmarks and determines network reachability of hosts.

We organize the findings from AWS Inspector pivoting on AMI ID (aggregating the number of findings from each AMI ID) so the security teams can determine which AMI ID is responsible for most findings.

We also correlate findings from GuardDuty and Inspector so security teams can concentrate on AMIs which have host vulnerabilities and are involved in malicious communications.

The runbooks themselves are open sourced, if you want the runbooks to be installed, managed, updated and exported (as PDF, html) into your buckets or Slack, feel free to look at VirClop.

( With Love from Team VirClop )




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What’s Coming up for Bluetooth?

Fake Netflix App Hijacked Whatsapp Messages

CISA updates the Single-Factor Authentication method to list of Bad-Practices

TRADE Staking Audit Update —

A Summary Of Fancy Attack Injection Methods — Part 2

Cybersecurity Is Not A Four-Letter Word

Password Penetration testing

Beyond the noise — 7 reasons it’s safe to run Zoom

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


More from Medium

Promote Business Success With Managed Disaster Recovery Solutions

What Is Cloud Services Automation?

The Power of Terraform

Introduction to Cloud Computing