Amazon GuardDuty
Amazon GuardDuty is a threat detection service that collects and analyzes events from various sources such as IP traffic, DNS requests and responses, and CloudTrail logs containing user and API activity.
Backed by machine learning, Amazon GuardDuty uses several detection algorithms to identify anomalous and malicious patterns in your infrastructure. Findings are classified into several categories and sorted by threat severity level. They are shown in detailed reports and can be made actionable: automated threat responses can be set up, e.g. a Lambda function could adjust security group rules based on findings.
If you’re not yet actively using AWS security services but want to start finding the right services for your infrastructure, Amazon GuardDuty is a good starting point. The service can be enabled quickly and easily in the management console and starts working immediately.
There is a 30-day free trial period which should give you enough time to evaluate it.
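A minimal automated response of the kind mentioned above, as an added example that is not code from the original post: a Lambda handler that triages a GuardDuty finding delivered by EventBridge and, for high-severity findings against an EC2 instance, swaps the instance's security groups for a quarantine group. The quarantine group ID, the sample finding and the EventBridge-to-Lambda routing are assumptions.

```python
from typing import Any, Dict

# Assumption: a quarantine security group (no inbound, restricted outbound)
# already exists; this ID is a placeholder for it.
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"

def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

def plan_response(event: Dict[str, Any]) -> Dict[str, Any]:
    """Decide what to do with one finding. Pure function, no AWS calls."""
    detail = event.get("detail", {})
    label = severity_label(float(detail.get("severity", 0)))
    resource = detail.get("resource", {})
    plan = {"finding_id": detail.get("id"), "type": detail.get("type"),
            "severity": label, "action": "log_only", "instance_id": None}
    # Only high-severity findings on an EC2 instance trigger isolation;
    # everything else is recorded for an analyst to review.
    if label == "HIGH" and resource.get("resourceType") == "Instance":
        instance_id = resource.get("instanceDetails", {}).get("instanceId")
        if instance_id:
            plan.update(action="isolate_instance", instance_id=instance_id)
    return plan

def apply_plan(plan: Dict[str, Any], ec2) -> None:
    """Swap the instance's security groups for the quarantine group."""
    if plan["action"] == "isolate_instance":
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"],
                                      Groups=[QUARANTINE_SG])

def lambda_handler(event, context=None):
    import boto3  # imported lazily so plan_response stays testable offline
    plan = plan_response(event)
    apply_plan(plan, boto3.client("ec2"))
    return plan

# Constructed sample event, shaped like EventBridge's "GuardDuty Finding".
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"id": "finding-EXAMPLE-0001", "severity": 8.0,
               "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```

Wire the handler to an EventBridge rule matching `source: aws.guardduty` and scope its execution role to the one EC2 permission it needs.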
Amazon Inspector
The security assessment service Amazon Inspector gives you a detailed overview of the security and compliance state of your infrastructure. You deploy an agent to your EC2 instances that monitors network, file system, process and telemetry data. As assessment output you receive a list of findings with detailed information and recommended actions.
AWS provides ready-to-use rule packages for network and host assessments including CVEs and CIS benchmarks.
We recommend using Amazon Inspector for your EC2 instances, as it gives you important security information about your environments. To use the service, install the Inspector Agent on your instances and create an assessment.
A 90-day trial period with free assessments is available.
Amazon Macie
Amazon Macie is a highly automated, machine learning based security service for classifying sensitive data. So far it is only supported in two US regions but should be rolled out to more regions in the near future.
Amazon Macie uses machine learning to detect sensitive data stored in Amazon S3 and visualizes where that data is stored and how it is being used. Based on its analysis, Amazon Macie can alert on suspicious user activity such as large unexpected downloads of sensitive data or the public sharing of classified data.
If you store sensitive data such as personally identifiable information, health information or credentials in S3 and want to set up a data loss prevention tool with little effort, Amazon Macie is definitely an interesting option. There is no free trial period, so if you need assistance or have further questions, please ask us for implementation guidance.
AWS Security Hub
When you use several AWS security services and receive many security alerts, AWS Security Hub is the right tool for you.
AWS Security Hub aggregates alerts and findings from services like Amazon GuardDuty, Amazon Inspector, Amazon Macie and others on dashboards and presents them according to your requirements. It automates compliance checks such as the CIS benchmarks and provides findings and remediation steps.
AWS Security Hub comes with a comprehensive dashboard, so you don’t have to jump from service to service to get an overview of your infrastructure's state and hunt down findings. It saves significant time and improves compliance through automated checks.
There is a 30-day trial period for evaluation.
AWS CloudTrail
AWS CloudTrail is an important tool when it comes to compliance and governance of your AWS account. It records all actions taken by users, roles or AWS services through the API and is enabled by default, as you can see in your CloudTrail console.
As soon as you create a trail configuration, CloudTrail events are delivered to an S3 bucket and can be monitored automatically, with alarms, via Amazon CloudWatch Logs. This information helps you track changes to your AWS resources and hunt down operational issues. Trails can be configured to log control plane (management) and data plane operations. By default only control plane operations are logged, as data events are often high-volume.
If you need to track changes and user activity or want to get an overview of your compliance state, you should take a deeper look at AWS CloudTrail. The last 90 days of activity are provided free of charge. Getting familiar with it by setting up a trail that delivers management events is an excellent starting point and is also free of charge (apart from S3 usage).
Hopefully this rough overview of five AWS security services had some interesting information for you and motivates you to try out some of the services. I would be glad to receive your feedback or answer your questions – so don’t hesitate to leave a comment.