Securing The Cloud: Amazon Web Services (AWS)

Using the AWS Security Stack

As with most cloud platforms, the attack surface is huge. As companies adopt the culture of DevSecOps and move away from IaaS, threats and misconfigurations only grow in number.

For a human to spot and identify all of this is near impossible, so tools and automation are required to keep up. Cloud providers often have their own native stack on offer and, in some cases, it is the best in the business. In this article, we will be looking at AWS.

It’s important to know that many of these services have 30-day trials. Even if you aren’t going to use a service, it is worth enabling it to see what it offers (remembering to end the trial).

With cloud security, additional benefits do come with using cloud-native tools. The providers have all the data, knowledge and backend resources to make them competitive. They also own the platform, so integration and support are at the heart of the design. In certain cases, they can offer lower costs when bundled into the CapEx or OpEx of the cloud itself (contracts, agreements).

For those with a small cloud footprint, the free tiers may just get you by. It’s certainly worth reviewing each one and seeing what you can get.

Amazon GuardDuty

“Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: AWS CloudTrail management event logs, AWS CloudTrail data events for S3, DNS logs, EKS audit logs, and VPC flow logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.”

GuardDuty is a great feature to help spot malicious or unauthorised access. These are events that need the attention of an analyst and can be prioritised based on the severity GuardDuty assigns, which is broken out into low, medium and high.

These “events” are classed as findings and are stored for 90 days (retention).

Whilst GuardDuty is great for bringing attention to suspicious activity, it does need a proper design. From what I’ve seen, the intervention isn’t there without custom use of Lambdas acting as automation runbooks (automated threat remediation).

We can create these runbooks because GuardDuty allows us to send notifications to CloudWatch Events. We can then generate triggers based on these events to build runbooks (a series of actions: if, then, else).

The format for GuardDuty events in CloudWatch is:

An initial step could be to set up email notifications based on the “findings” that you care about. For the ins and outs of “rules”, see here…. Automating Responses…
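The if/then/else runbook described above, written out as an added example (this is illustrative code, not AWS’s and not from the original post). EventBridge, the successor to CloudWatch Events, delivers each finding as an event with source `aws.guardduty` and detail-type `GuardDuty Finding`, with the finding JSON under `detail`. The event pattern below is what the rule would match on, and the Lambda handler branches on the severity band. The sample finding is constructed and trimmed to the fields the handler reads; the action names (`page_oncall`, `email_analyst`, `log_only`) are assumptions standing in for whatever your runbook actually does.

```python
"""Added example: GuardDuty finding -> EventBridge rule -> Lambda runbook."""
import json

# Event pattern for the EventBridge rule: only GuardDuty findings match.
GUARDDUTY_EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """EventBridge-style matching for a flat pattern: every key in the pattern
    must be present in the event with one of the listed values."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to the bands the page uses:
    Low (below 4.0), Medium (4.0 to 6.9), High (7.0 and above)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def plan_response(event: dict) -> dict:
    """The if/then/else of the runbook: return the action to take for one event."""
    if not matches_pattern(event, GUARDDUTY_EVENT_PATTERN):
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    finding = event["detail"]  # the GuardDuty finding JSON lives under "detail"
    label = severity_label(float(finding["severity"]))
    summary = {
        "finding_id": finding["id"],
        "type": finding["type"],
        "account": finding["accountId"],
        "region": finding["region"],
        "severity": label,
    }
    if label == "High":
        return {"action": "page_oncall", **summary}   # assumed: wake someone up
    if label == "Medium":
        return {"action": "email_analyst", **summary} # assumed: queue for review
    return {"action": "log_only", **summary}          # assumed: record, no alert


def lambda_handler(event, context):
    """Lambda entry point; EventBridge invokes it with the finding event.
    A real runbook would publish to SNS, open a ticket, etc. in each branch."""
    decision = plan_response(event)
    print(json.dumps(decision))  # lands in the function's CloudWatch log group
    return decision


# Constructed sample event (not a real finding), trimmed to the fields used above.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "accountId": "123456789012",
        "region": "eu-west-2",
        "severity": 8,
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```

The pattern is deliberately the broadest useful one; narrowing it in the rule (for example on `detail.severity` or `detail.type`) means the Lambda is never invoked for findings you have decided to ignore, which keeps both noise and invocation cost down.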

The pricing can be calculated using: AWS Pricing Calculator

If tuned correctly, GuardDuty can be a vital tool for protecting your AWS environment.

Amazon Detective

“Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.”

I like to think of Detective as an analyst in a box. It integrates a lot with GuardDuty and Security Hub to help deep dive into events.

This service should be considered when analyst resource is low. Having it allows not only the security team but also admins to drill down and investigate what has occurred. It could complement the DevSecOps model, as it provides greater insight into a triggered alert.

There is a good walkthrough here on Detective:

As with the others, the pricing calculator should be consulted prior to purchasing; however, there is a 30-day trial: Amazon Detective pricing — Amazon Web Services

Amazon Inspector

“The new Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Inspector automates vulnerability scans and delivers near real-time findings to minimize the time to discover new vulnerabilities.”

If you don’t have a vulnerability management programme, or you do but it doesn’t support AWS, Inspector may work for you. Inspector can help you keep up to date with the libraries, weaknesses or critical CVEs that you need to patch. It also helps with prioritisation by using severity scores. On top of this, it groups the most critical findings, helping you further to prioritise what needs to be fixed.

AWS Config

“AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations”

This is another tool for automated governance and compliance. It allows you to assess, audit and evaluate your configuration to make sure it’s compliant with your standard. It also allows automated remediation of non-compliant resources, which is a huge benefit for those not wanting to be burnt by misconfiguration.

The majority of the effort comes before enabling this service, as you want to be clear on what your standards actually are. Once you have them, they should be easily matched and enforced using tools such as this.

If using tools such as these, remember that it’s key that all your cloud admins know about it and understand just what the standard is. If they keep running into errors, they may generate enough noise to weaken the automation and enforcement piece.
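To show what “your standard” looks like once it is written down for Config to enforce, here is an added example of a custom, Lambda-backed Config rule (illustrative code, not AWS’s and not from the original post). The standard it encodes is an assumed one: every resource must carry `Owner` and `Environment` tags. Config invokes the function with `invokingEvent` (a JSON string holding the `configurationItem`) and `ruleParameters`; the function reports back with `put_evaluations`. The parameter name `requiredTags` and the sample configuration items are constructed for the example.

```python
"""Added example: a custom AWS Config rule that evaluates a tagging standard."""
import json


def required_tags(rule_parameters: dict) -> list:
    """Rule parameter 'requiredTags' (assumed name) is a comma-separated list."""
    raw = rule_parameters.get("requiredTags", "")
    return [t.strip() for t in raw.split(",") if t.strip()]


def evaluate_compliance(configuration_item: dict, rule_parameters: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    tags = configuration_item.get("tags") or {}
    missing = [t for t in required_tags(rule_parameters) if not tags.get(t)]
    if missing:
        return "NON_COMPLIANT", "missing tags: " + ", ".join(missing)
    return "COMPLIANT", "all required tags present"


def build_evaluation(configuration_item: dict, rule_parameters: dict) -> dict:
    """Shape the result the way Config's PutEvaluations API expects it."""
    compliance, note = evaluate_compliance(configuration_item, rule_parameters)
    return {
        "ComplianceResourceType": configuration_item["resourceType"],
        "ComplianceResourceId": configuration_item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,  # shown in the console next to the resource
        "OrderingTimestamp": configuration_item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """AWS Config calls this on each configuration change of an in-scope resource."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters", "{}"))
    evaluation = build_evaluation(invoking["configurationItem"], params)
    import boto3  # imported here so the pure functions above run without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


# Constructed sample configuration items (not real resources), trimmed to the
# fields used above.
PARAMS = {"requiredTags": "Owner,Environment"}

TAGGED_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "example-logs-bucket",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "tags": {"Owner": "platform-team", "Environment": "prod"},
}

UNTAGGED_INSTANCE = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "tags": {"Owner": "platform-team"},
}

if __name__ == "__main__":
    for item in (TAGGED_BUCKET, UNTAGGED_INSTANCE):
        print(json.dumps(build_evaluation(item, PARAMS)))
```

Keeping the evaluation logic in pure functions, separate from the `put_evaluations` call, is what makes the standard testable before it is switched on; the admins the section warns about can run the same check locally and see exactly why a resource would be flagged.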

Pricing: AWS Config Pricing

AWS Shield

Shield is your DDoS protection. If you need additional protection to ensure high availability, this service can help. Its DDoS protection aims to keep you running without getting in the way.

Unless you run an e-commerce site or are publicly known (and therefore more likely to be targeted), it may be a hard sell. Load balancers and restrictions on network traffic could be the answer, but this tool only helps when it’s needed. When it’s not helping, it’s merely a cost.

This is more of a business decision and a question of risk appetite than a security-ops tick box. The thing to weigh up is: if you did go down, how much would it cost you and how much would you lose?

The pricing is here: Pricing — AWS Shield — Amazon Web Services (AWS)

AWS CloudTrail

CloudTrail is a great solution to support your governance and compliance policies. It provides great audit insight into changes and risks, broken out into timelines so you can see who made a change, where and when.

CloudTrail also allows security automation similar to CloudWatch, which can be used to remediate or respond to certain conditions. Enabling CloudWatch Logs via CloudTrail is recommended, as you can then tailor your runbooks. Failing that, integration with XDRs or SIEMs is highly recommended and often supported, something you may struggle to achieve with CloudWatch alone.

There is a 30-day trial for this, but be mindful of log sizes. It’s important to be aware of the boundaries of the free trial.

AWS CloudTrail pricing

IoT Device Defender

“AWS IoT Device Defender is a fully managed service that helps you secure your fleet of IoT devices.”

This is more specific to your use case: if you don’t manage IoT device security, this might not be needed. If you do want to secure your IoT devices from a central hub, it certainly is. As with all IoT defenders, there are limitations, so it’s worth reviewing the solution as a whole and seeing how it fits your model. The pros and cons of the costings may not add up.

What I mean is that you could secure your IoT devices using other means (isolation, segmentation, local config reviews). It’s not to say it’s perfect, but it depends on the appetite of the business and governance team.

Pricing: AWS IoT Device Defender Pricing

Amazon Macie

“Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII)”

Macie is more on the governance and compliance side. It helps discover and protect sensitive data, such as PII or credentials, then provides insight and generates actionable items for your analysts to review and respond to.

Macie works out of the box, but it also allows custom data types to support your business needs.

You have the 30-day trial and free tier to try it out; for pricing, see the calculator: Pricing | Amazon Macie | Amazon Web Services (AWS)

Amazon CloudWatch

Although CloudWatch may not be considered a security tool, it’s another key component in the security stack. CloudWatch allows you to monitor your AWS resources and applications in real time. With this, you can filter and create triggers or rules to complete multiple tasks.

Often confused with CloudTrail, CloudWatch is not the solution for enabling auditing of AWS management events. Although it can receive and act on those events, their source (CloudTrail) must first be enabled separately, at additional cost. CloudWatch is more generic, sort of like a completely customisable monitoring system.

Remember that security covers more than just threat alerts and malicious attacks. CloudWatch enables you to alert on the rest and bring it to attention: failures of key controls, modification of sensitive data or solutions, or even suspicious activity around modifications. It’s important to remember that security tools don’t just inherit or know all about your code and applications.

For example, you may have created an app which has a “root”-style account and/or service account. This account shouldn’t be used for daily tasks, and your DevOps team may want to be aware of when it is being used. This wouldn’t be an alert by default; no security stack would know about it without you providing some input. This is where CloudWatch and Lambda come into play, as they allow you to create triggers or rules based on your needs.
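The “privileged account used for daily work” rule from the example above, as an added example (illustrative code, not AWS’s and not from the original post). The CloudWatch Logs metric filter pattern is the widely published CIS Benchmark pattern for use of the AWS account root user; the Python matcher reimplements the same test so it can be run here over constructed CloudTrail records, and extends it to a named application service account. The service account name `app-root` is an assumption standing in for the page’s “root”-style account, and the `lambda_handler` assumes the function sits behind an EventBridge rule for `AWS API Call via CloudTrail` events, which carry the CloudTrail record under `detail`.

```python
"""Added example: detect use of the root user or a privileged service account
in CloudTrail records, the way a CloudWatch metric filter or Lambda would."""

# CloudWatch Logs metric filter pattern to attach to the CloudTrail log group,
# with an alarm on the resulting metric. It matches root-user activity that
# was not performed on AWS's behalf.
ROOT_USAGE_FILTER_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Assumed names of application-level break-glass / service accounts to watch.
WATCHED_SERVICE_ACCOUNTS = {"app-root"}


def is_root_usage(record: dict) -> bool:
    """Same test as ROOT_USAGE_FILTER_PATTERN, evaluated locally."""
    ident = record.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and record.get("eventType") != "AwsServiceEvent"
    )


def is_watched_service_account(record: dict) -> bool:
    """Flag IAM users the team considers privileged (the page's app 'root' account)."""
    ident = record.get("userIdentity", {})
    return ident.get("type") == "IAMUser" and ident.get("userName") in WATCHED_SERVICE_ACCOUNTS


def find_privileged_usage(records) -> list:
    """Return (reason, eventName, sourceIPAddress, eventTime) for each record that should alert."""
    hits = []
    for rec in records:
        if is_root_usage(rec):
            reason = "root-user"
        elif is_watched_service_account(rec):
            reason = "service-account"
        else:
            continue
        hits.append((reason, rec["eventName"], rec.get("sourceIPAddress"), rec["eventTime"]))
    return hits


def lambda_handler(event, context):
    """EventBridge target: 'AWS API Call via CloudTrail' events carry the record in 'detail'."""
    hits = find_privileged_usage([event["detail"]])
    for reason, name, ip, when in hits:
        print(f"ALERT {reason}: {name} from {ip} at {when}")  # swap for an SNS publish
    return {"alerts": len(hits)}


# Constructed sample CloudTrail records (not real activity), trimmed to the
# fields used above. Only the first and third should alert.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "PutObject",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "IAMUser", "userName": "app-root"}},
    {"eventTime": "2024-01-01T08:15:00Z", "eventName": "CreateServiceLinkedRole",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "AWS Internal",
     "userIdentity": {"type": "Root", "invokedBy": "autoscaling.amazonaws.com"}},
]

if __name__ == "__main__":
    for hit in find_privileged_usage(SAMPLE_RECORDS):
        print(hit)
```

The fourth record is the reason the pattern checks `invokedBy` and `eventType`: AWS services sometimes act under the root identity on your behalf, and without those two conditions every such service event would page someone.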

There is a free tier to review; however, pricing will be dynamic to each use case, so it needs to be fully understood: Amazon CloudWatch Pricing — Amazon Web Services (AWS)

AWS Security Hub

I’ve left Security Hub to the end, as it’s a posture management service. It’s sort of like an overlay of all your services to allow central management. It also allows you to review your posture against industry standards. If you are running to those standards, this could be an easy tool to report on them and show that you are compliant.

It can also highlight potential policy changes, as looking at the bigger picture often gives better insight.

The pricing is here. This one is for those who have the extra money. Of course, you could manage your security stack tool by tool at lower cost; this is for those wanting central management who don’t mind paying.

Cloud Security Posture Management — AWS Security Hub Pricing — Amazon Web Services

These are just the top services; the branches of security go far beyond them. There is the networking side, IAM, data security etc… What you can hopefully see, though, is the benefit of picking and choosing. Long gone are the days of being bundled into long-term single contracts, waiting for the capabilities to arrive as the IT space grows. On the downside, that granularity can often make budgeting hard and cause more confusion.

When it comes to any tool, regardless of whether it’s one of those above, you have to be able to answer the question: “What am I securing and how do I want to do it?” If the tool answers that question and gives you what you need, you can start the process of consideration.

These cloud services sell the idea of one-click security, but they are far from it. Once you enable them, who is going to respond and how, and who is going to match them to your needs and policies, and how?

If you like my content, please remember to clap and follow! 😁
If you have any requests or content you wish for me to cover, simply drop me an email at! 🦌

Thank you!
