Cheatsheet: AWS Security Services

syIsTyping
don’t code me on that
2 min read · Jan 20, 2023

GuardDuty, Macie, Inspector, oh my!

A table is worth a thousand words

AWS has many services for securing AWS resources and for making other security services easier to use. I got a little confused while reading about them, so I put them into a table, as one does. Below are other interesting things about each service that did not fit into the table.

AWS Config

  • AWS publishes a list of all resource types that AWS Config can record; a resource type that is not on it (or not being recorded) is invisible to Config rules
  • A Conformance Pack is a collection of Config Rules and Remediation Actions deployed as a single unit
  • Setup is region-specific, but an aggregator collects configuration and compliance data across regions
  • Multi-account is supported via an aggregator together with AWS Organizations

Amazon GuardDuty

  • VPC Flow Logs contain network traffic logs into and out of the VPC (per network interface)
  • CloudTrail event logs contain the API calls made in the account (management events, plus S3 data events)
  • DNS query logs contain queries from EC2 instances that use the AWS (Route 53 Resolver) DNS resolver; instances pointed at a third-party resolver are not covered
  • GuardDuty reads these sources directly; you do not need to enable VPC Flow Logs, CloudTrail or DNS logging in the account for it to work
  • Custom trusted IP lists (suppress findings for those IPs) and threat IP lists (generate findings for those IPs) can be configured
  • Findings are kept for 90 days by default
  • Multi-account is supported via administrator/member accounts and AWS Organizations

Amazon Macie

  • Macie can analyze unencrypted objects and objects encrypted with SSE-S3 or SSE-KMS (for SSE-KMS it needs permission to use the key); it cannot analyze objects encrypted client-side or with customer-provided keys (SSE-C)
  • Custom data identifiers (a regex, optionally with keywords, ignore words and a maximum match distance) can be defined for finding sensitive data
  • Sensitive data findings are generated only when a classification job runs; policy findings (public access, missing default encryption, etc.) are generated continuously as bucket settings change
  • Findings are kept for 90 days by default
  • Macie Classic is a deprecated version of Macie
  • Multi-account is supported via administrator/member accounts and AWS Organizations
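As an added example (not code from the original post, and not Macie's own logic): a custom data identifier kept in the field names of the Macie CreateCustomDataIdentifier API, with a local dry-run of regex, ignore words and keyword proximity so the pattern can be tuned on sample text before it is created. The EMP-nnnnnn employee-ID format and the sample text are invented, and the proximity check is my approximation of the documented parameters, not Macie's matching engine.

```python
"""Dry-run a Macie custom data identifier on sample text.

Added example, not code from the original post or from Macie. The
identifier uses the field names of the Macie CreateCustomDataIdentifier
API (regex, keywords, ignoreWords, maximumMatchDistance); find_matches()
is a local approximation of how those parameters are documented to
combine, so a pattern can be tuned offline before it is created. The
EMP-nnnnnn employee-ID format and SAMPLE_TEXT are invented for this example.
"""
import re

# Hypothetical internal employee ID: "EMP-" followed by six digits.
EMPLOYEE_ID_IDENTIFIER = {
    "name": "internal-employee-id",
    "description": "Hypothetical internal employee IDs (EMP-nnnnnn)",
    "regex": r"\bEMP-\d{6}\b",
    # A complete keyword must end within maximumMatchDistance characters
    # before the end of a regex match for the match to count.
    "keywords": ["employee id", "employee number", "staff id"],
    # Regex matches containing an ignore word are dropped (placeholder value).
    "ignoreWords": ["EMP-000000"],
    "maximumMatchDistance": 50,
}

# Constructed payroll-style text that exercises all four rules.
SAMPLE_TEXT = """Payroll export 2023-01
Employee ID: EMP-204817, department: platform
EMP-000000 is the template placeholder
Order reference EMP-998877 for the vendor contract (not a person)
staff id EMP-551200 - on leave
"""


def find_matches(identifier: dict, text: str) -> list:
    """Return the regex matches that survive ignore-word and keyword filtering."""
    pattern = re.compile(identifier["regex"])
    keywords = [k.lower() for k in identifier.get("keywords", [])]
    ignore = [w.lower() for w in identifier.get("ignoreWords", [])]
    distance = identifier.get("maximumMatchDistance", 50)
    lowered = text.lower()  # keywords and ignore words are case-insensitive

    # End offsets of every complete keyword occurrence in the text.
    keyword_ends = [m.end() for k in keywords
                    for m in re.finditer(re.escape(k), lowered)]

    results = []
    for m in pattern.finditer(text):
        candidate = m.group(0)
        if any(w in candidate.lower() for w in ignore):
            continue  # placeholder / test value
        if keywords and not any(0 <= m.end() - end <= distance for end in keyword_ends):
            continue  # no keyword close enough before this match
        results.append({"match": candidate, "start": m.start(), "end": m.end()})
    return results


def matched_values(identifier: dict, text: str) -> list:
    """Just the matched strings, in document order."""
    return [r["match"] for r in find_matches(identifier, text)]


if __name__ == "__main__":
    print(matched_values(EMPLOYEE_ID_IDENTIFIER, SAMPLE_TEXT))
    # Without keywords every non-ignored match counts: this is the false
    # positive (the order reference) that keywords are there to remove.
    print(matched_values({**EMPLOYEE_ID_IDENTIFIER, "keywords": []}, SAMPLE_TEXT))
```

Once the dry-run returns only the values you expect, the same dict can be passed to the boto3 `macie2` client as `create_custom_data_identifier(**EMPLOYEE_ID_IDENTIFIER)`; tightening `maximumMatchDistance` or adding ignore words is much cheaper here than after a classification job has already billed for the objects it scanned.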

AWS Security Hub

  • In scope for the SOC, ISO, PCI DSS and HIPAA compliance programs
  • Security standards (e.g. AWS Foundational Security Best Practices, CIS) are evaluated through AWS Config rules, so Config recording must be enabled in each region for the controls to produce results
  • Multi-account is supported via administrator/member accounts and AWS Organizations

AWS Trusted Advisor

  • Multi-account is supported via AWS Organizations (organizational view); the full set of checks and the organizational view require a Business or Enterprise Support plan, while Basic and Developer plans get only a core subset of security checks plus service quota checks

Amazon Inspector

  • Continuously scans EC2 instances (via the SSM Agent), ECR container images and Lambda functions against an up-to-date CVE database, and also reports unintended network reachability for EC2 instances
  • Multi-account is supported via AWS Organizations

Stray thoughts and observations

  • Most of these services emit their findings as events to Amazon EventBridge (formerly Amazon CloudWatch Events), so an EventBridge rule can route selected findings to AWS Lambda or other targets to automate a response
  • I’ve left out AWS IAM Access Analyzer from the table as it’s not a standalone service but part of AWS IAM. Security-wise, this service finds resources shared externally, and validates IAM policies against best practices
  • I wonder why some services are prefixed with “AWS” and others with “Amazon”. Does the prefix actually matter?
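As an added example of the EventBridge-to-Lambda automation mentioned above (not code from the original post): the EventBridge rule pattern that selects High-severity GuardDuty findings, and the Lambda handler that turns a matched finding into a normalized alert. The small `pattern_matches()` helper implements only the subset of EventBridge matching the rule needs (exact values, `numeric`, `prefix`) so the rule can be dry-run offline; the two findings are constructed samples with made-up IDs, not real findings.

```python
"""Automate on GuardDuty findings via EventBridge and Lambda.

Added example, not code from the original post. RULE_PATTERN is the
EventBridge event pattern selecting GuardDuty findings in the High band;
handler() is the Lambda target. pattern_matches() covers only the subset of
EventBridge matching the rule needs so it can be tested offline. The sample
events below are constructed, with made-up account, instance and finding IDs.
"""
from typing import Any, Optional

# EventBridge rule pattern: GuardDuty findings with severity >= 7.0, the
# "High" band in GuardDuty's documented severity levels.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _value_matches(rule: Any, value: Any) -> bool:
    """Match one element of a pattern list against an event value."""
    if isinstance(rule, dict):
        if "numeric" in rule:
            # ["<op>", bound, ...] pairs, e.g. [">", 0, "<=", 5]; strings never match
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = rule["numeric"]
            return all(_NUMERIC_OPS[ops[i]](value, ops[i + 1])
                       for i in range(0, len(ops), 2))
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        raise ValueError(f"unsupported matcher: {rule}")
    return rule == value


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Every pattern key must be present in the event; list elements are OR-ed."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not pattern_matches(rule, event[key]):
                return False
        elif not any(_value_matches(r, event[key]) for r in rule):
            return False
    return True


def severity_label(severity: float) -> str:
    """GuardDuty's documented bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def handler(event: dict, context: Any = None) -> Optional[dict]:
    """Lambda entry point. EventBridge already filtered on RULE_PATTERN; the
    re-check makes the function safe to invoke with unrelated events."""
    if not pattern_matches(RULE_PATTERN, event):
        return None
    d = event["detail"]
    instance = d["resource"].get("instanceDetails", {})
    return {
        "source": "guardduty",
        "finding_id": d["id"],
        "type": d["type"],
        "severity": severity_label(d["severity"]),
        "account": d["accountId"],
        "region": d["region"],
        "resource_type": d["resource"]["resourceType"],
        "resource_id": instance.get("instanceId"),
        "title": d.get("title", d["type"]),
    }


def _sample(finding_type: str, severity: float, finding_id: str) -> dict:
    """Constructed EventBridge event carrying a GuardDuty finding (sample data)."""
    return {
        "version": "0", "id": f"event-{finding_id}",
        "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "111122223333", "time": "2023-01-20T09:15:00Z",
        "region": "ap-northeast-1", "resources": [],
        "detail": {
            "schemaVersion": "2.0", "accountId": "111122223333",
            "region": "ap-northeast-1", "id": finding_id, "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
            "title": f"Sample finding {finding_type}",
        },
    }


HIGH_FINDING = _sample("Backdoor:EC2/C&CActivity.B!DNS", 8, "sample-finding-high")
LOW_FINDING = _sample("Recon:EC2/PortProbeUnprotectedPort", 2, "sample-finding-low")

if __name__ == "__main__":
    for ev in (HIGH_FINDING, LOW_FINDING):
        print(ev["detail"]["type"], "->", handler(ev))
```

The `numeric` matcher is what keeps the rule honest: GuardDuty's `severity` is a number, so a pattern written as `"severity": ["8"]` would silently match nothing. Keeping the offline matcher next to the handler lets the rule pattern and the handler's field access be checked in the same unit test before the rule is deployed.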

References

  • AWS Certified Security Specialty All-in-One Exam Guide
  • AWS docs

Security engineer and new dad in Japan. I've learnt a lot from the community, so I hope to contribute back. I write technical articles and how-to guides.