100 Days of DevOps — Day 48- Threat detection and mitigation at AWS
Welcome to Day 48 of 100 Days of DevOps. The focus for today is threat detection and mitigation at AWS.
On Wednesday the 27th I got the chance to attend the AWS Santa Clara Summit, where I attended two security-related sessions, so I am sharing my experience with everyone:
* Threat detection and mitigation at AWS
* Find all the threats: AWS threat detection and mitigation (Chalk Talk)
I am mostly involved in the DevOps field, but security is one field that always fascinates me. I got a chance to learn about four AWS resources (I knew of or had heard about these tools but never got a chance to work with and implement them; hopefully I will implement them in the future):
* Amazon GuardDuty
* Amazon Macie
* AWS Security Hub
* Amazon Inspector
Security Solutions offered by AWS
- One of the main highlights: keep humans away from the data.
Data Inputs used for Threat Detection Pipelines
- CloudTrail tracks all user activity
NOTE: Make sure no one has permission to turn off CloudTrail, and if someone tries to do so, have an AWS Lambda function running that turns it back on.
See also: 100 Days of DevOps - Day 3 (Introduction to CloudTrail)
- VPC Flow Logs to see all the network activity happening in your account
NOTE: Pay special attention to the second-to-last column (the action) and look for REJECT; make sure you have some type of alarm set up on how frequently they occur.
See also: 100 Days of DevOps - Day 28 (Introduction to VPC Flow Logs)
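To make the note concrete, here is an added example (not code from the original post or from AWS) that parses VPC Flow Log records in the default format, reads the action from the second-to-last column, and flags source addresses whose REJECT count reaches a threshold. The sample records are constructed; account id, interface id and addresses are placeholders.

```python
# Added example: count REJECT records per source address in VPC Flow Logs
# (default format) and flag the sources that exceed a threshold. This is the
# kind of check you would back with a CloudWatch metric filter and alarm.
from collections import Counter

# Default VPC Flow Log format (version 2): 14 space-separated fields.
# The action field ("ACCEPT" / "REJECT" / "-") is the second-to-last column.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (placeholder account id, ENI id and addresses).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44321 22 6 3 180 1580000000 1580000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44322 23 6 3 180 1580000001 1580000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 44323 3389 6 3 180 1580000002 1580000059 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.9 10.0.1.5 51000 443 6 20 4100 1580000003 1580000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.4 10.0.1.5 40000 22 6 2 120 1580000004 1580000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1580000005 1580000059 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record; skip malformed lines and windows
    with no captured flow data (log-status NODATA / SKIPDATA)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield rec


def reject_counts(text):
    """Count REJECT records per source address."""
    counts = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return counts


def noisy_sources(text, threshold=3):
    """Return (srcaddr, reject_count) pairs at or above the threshold,
    highest count first; these are the candidates for an alarm."""
    return [(src, n) for src, n in reject_counts(text).most_common()
            if n >= threshold]
```

Running `noisy_sources(SAMPLE_LOG)` on the sample returns only the 198.51.100.7 source, which rejected against ports 22, 23 and 3389; the single REJECT from 203.0.113.4 stays below the threshold.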
- CloudWatch Logs: to send all the different types of logs and monitor them in near real time
See also: 100 Days of DevOps - Day 4 (CloudWatch log agent installation on CentOS 7)
- DNS Logs: all the queries made to the DNS resolver inside your VPC
Now that we have collected the data, it's time to analyze it.
What is Amazon GuardDuty?
How does GuardDuty work?
What can Amazon GuardDuty Detect?
AWS Security Hub
AWS Config Rules
Amazon CloudWatch Events
Workshop: Scaling threat detection and response in AWS
I would highly recommend everyone go through it, as it will give you knowledge about tools like
- Amazon GuardDuty
- Amazon Macie
- Amazon Inspector
- AWS Security Hub
and teaches not only how to detect the threat but also how to remediate and respond to it.
NOTE: Running the lab above will cost you money.
Use AWS Security Services and learn how to use them to identify and remediate threats in your environment.
Scenario: As a DevOps engineer your task is to securely monitor your AWS infrastructure and respond to any security event in your environment.
End Goal: learn how to use these services to investigate threats during and after an attack, set up a notification and response pipeline, and add additional protections to improve the security posture of your environment.
- To set up the environment, AWS provides a CloudFormation template
- CloudFormation is going to set up the following environment:
Enable Amazon Macie
Enable AWS Security Hub
The complete architecture will look like this:
To simulate the attack
- A CloudFormation template that simulates the actual attack you will be investigating
Detect and Respond
After 15–20 minutes you will see messages like these in your email notifications:
- If you go back to your AWS GuardDuty page, you will see that GuardDuty has the following findings:
Part 1 — Compromised AWS IAM credentials
Part 2 — Determine if ssh password authentication is enabled on the EC2 instance (AWS Security Hub)
Part 3 — Compromised S3 bucket
I am looking forward to you all joining this journey: spend a minimum of an hour every day for the next 100 days on DevOps work and post your progress using any of the media below.
- Twitter: @100daysofdevops OR @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- Slack: https://devops-myworld.slack.com/messages/CF41EFG49/
- GitHub Link: https://github.com/100daysofdevops