100 Days of DevOps — Day 48- Threat detection and mitigation at AWS

Prashant Lakhera
Mar 31 · 6 min read

Welcome to Day 48 of 100 Days of DevOps. The focus for today is threat detection and mitigation at AWS.

On Wednesday the 27th, I got the chance to attend the AWS Santa Clara Summit, where I attended two security-related sessions, so I am sharing my experience with everyone.

I am mostly involved in the DevOps field, but security is one field that always fascinates me. I got a chance to learn about four new AWS resources (I knew of or had heard about these tools but never got a chance to work with and implement them, but hopefully I will implement them in future).

Security Solutions offered by AWS

  • This is one of the main highlights: keep humans away from the data.

Data Inputs used for Threat Detection Pipelines

  • CloudTrail tracks all user activity.

NOTE: Please make sure no one has access to turn off CloudTrail, and if someone tries to do that, you should have an AWS Lambda function running to turn it back on.

  • VPC Flow Logs let you see all the network activity happening in your account.

NOTE: Pay special attention to the second-to-last column (the action field) and look for REJECT; make sure you have some type of alarm set up to check the frequency at which rejects are happening.

  • CloudWatch Logs: to send all the different types of logs and monitor them in almost real time.
  • DNS Logs: all the queries made to the DNS resolver inside your VPC.
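As an added example (not code from the post or from AWS), here is a small Python scan that reads VPC Flow Log records in the default format, checks the action field the note above refers to, and flags source addresses whose REJECT count reaches a threshold. The log lines are constructed samples, and the threshold of 3 is an arbitrary assumption.

```python
"""Scan VPC Flow Log records for REJECT actions and flag noisy sources.

Added example, not from the original post. Uses the default VPC Flow Log
format, whose second-to-last field is the action (ACCEPT/REJECT). The
sample records are constructed, not real traffic.
"""
from collections import Counter

# Default VPC Flow Log field order (version 2 records).
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample: one source is repeatedly rejected on port 22.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41234 22 6 1 40 1710000000 1710000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41235 22 6 1 40 1710000001 1710000061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41236 22 6 1 40 1710000002 1710000062 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.12 51000 443 6 12 3400 1710000003 1710000063 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.12 52000 3389 6 1 40 1710000004 1710000064 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1710000005 1710000065 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def count_rejects(log_text):
    """Return {srcaddr: number of REJECT records} per source address."""
    rejects = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Skip malformed lines and NODATA/SKIPDATA records, which carry no action.
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
    return rejects


def noisy_sources(log_text, threshold=3):
    """Sources whose REJECT count reaches the threshold: alarm candidates."""
    return sorted(s for s, n in count_rejects(log_text).items() if n >= threshold)
```

In a real pipeline the same logic would run over records delivered to CloudWatch Logs, with the threshold tuned to your baseline reject rate.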

Now that we have collected the data, it's time to analyze it.

(Session slides, not reproduced here, covered the following topics:)

  • What is Amazon GuardDuty?
  • How does GuardDuty work?
  • What can Amazon GuardDuty detect?
  • Amazon Macie
  • AWS Security Hub
  • Amazon Inspector
  • Threat detection
  • AWS Config Rules
  • Amazon CloudWatch Events
  • Threat remediation

AWS shared the following workshop

I highly recommend that everyone go through it, as it will give you knowledge about tools like

  • Amazon GuardDuty
  • Amazon Macie
  • Amazon Inspector
  • AWS Security Hub

Not only how to detect the threat, but how to remediate and respond to it.

NOTE: Implementing the above lab will cost you money.

Use AWS Security Services and learn how to use them to identify and remediate threats in your environment.

Scenario: As a DevOps engineer, your task is to securely monitor your AWS infrastructure and respond to any security event in your environment.

End Goal: Learn how to use these services to investigate threats during and after an attack, set up a notification and response pipeline, and add additional protections to improve the security posture of your environment.

Architecture

  • To set up the environment, AWS provides a CloudFormation template:

https://s3-us-west-2.amazonaws.com/sa-security-specialist-workshops-us-west-2/threat-detect-workshop/staging/01-environment-setup.yml

  • CloudFormation is going to set up the following environment:

Enable GuardDuty

Enable Amazon Macie

Enable AWS Security Hub

The complete architecture will look like this:

To Simulate the Attack

  • A CloudFormation template which will simulate the actual attack you will be investigating:

S3 URL

https://s3-us-west-2.amazonaws.com/sa-security-specialist-workshops-us-west-2/threat-detect-workshop/staging/02-attack-simulation.yml

Detect and Respond

After 15–20 minutes, you will see messages like these in your email notifications.

  • If you go back to the AWS GuardDuty page, you will see that GuardDuty has the following findings:

Part 1 — Compromised AWS IAM credentials

Part 2 — Determine if SSH password authentication is enabled on the EC2 instance (AWS Security Hub)

Part 3 — Compromised S3 bucket

Reference

Looking forward to you guys joining this journey: spend a minimum of an hour every day for the next 100 days on DevOps work and post your progress using any of the media below.
