AWS Certified Security Specialty - SCS-C02 Study notes - Part 4
AWS Security Hub
Security hub helps to track multiple accounts.
Managing AWS can be problematic with a single account due to new features and services.
Multiple accounts are a nightmare.
This is done inside a Security OU if launched in a Control Tower setup.
It can also work with one account.
Consolidates data from:
- Guard Duty
- Inspector
- Macie
- AWS IAM
- Firewall Manager
- Third-party solutions
Security hub gives a single point of view.
It is a presentation tool that allows one to categorize and prioritize data from multiple sources.
Brings data together - Think HUB - Joins things - Old school networking
Security hub complements the guard duty service.
Security hub is a regional service.
Out of the box, it performs 43 automated checks.
- Checks are nearly continuously running
- Based on the CIS frameworks benchmark[1]
Findings are displayed in the main dashboard of the security hub.
The security hub can audit the security team's response times.
Hub mostly looks for security changes and usage patterns at the account level.
(AWS config looks at things from a resource level)
Configuring AWS Config is a prerequisite for compliance standards in AWS Security Hub.
AWS Security hub can be enabled from the AWS Management console.
- However, it needs to have AWS Config Enabled
- Hub prefers to have Config fully enabled, watching all resources.
- Therefore, it is best to enable from the cloudformation page.
Security Hub uses AWS Config to run checks.
- Security checks can be run on a schedule - least secure
- Checks can be run when a change is detected - most secure
Security hub can provide insights into the root cause of an issue.
Out of the box, it has:
- Built-in insights (You cannot modify or delete).
- Custom insights.
Managed insights require an enabled product integration to work.
Examples of managed insights:
- AWS resources with the most findings
- S3 buckets with public read or write
- AMIs with the most findings
Custom insights can be written with:
- Security Hub API
- AWS CLI
- PowerShell
A grouping attribute must be selected.
Additional filters can then be used to display the insight.
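An insight is just a set of findings filters plus one grouping attribute, and the result is a count of matching findings per group value. The block below is an added example (not from the original notes or from AWS) that evaluates such a custom insight locally over a few constructed ASFF-style findings, so the filter and group-by behaviour can be seen offline. In a real account the same Name, Filters and GroupByAttribute would be passed to the Security Hub API, for example boto3's securityhub.create_insight(Name=..., Filters=..., GroupByAttribute=...); the finding values, bucket ARNs and account ids here are constructed sample data.

```python
# Added example: evaluate a Security Hub-style custom insight locally.
# Real Security Hub insights are created through the API / CLI / PowerShell;
# this block reproduces the string-filter and group-by semantics over a
# handful of constructed ASFF-like findings so the behaviour runs offline.
from collections import Counter

# Constructed sample findings (not real data): only the ASFF fields the
# filters below reference.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "ResourceType": "AwsS3Bucket",
     "ResourceId": "arn:aws:s3:::logs-bucket", "SeverityLabel": "HIGH",
     "ComplianceStatus": "FAILED", "Title": "S3 buckets should prohibit public read access"},
    {"Id": "f-2", "AwsAccountId": "111111111111", "ResourceType": "AwsS3Bucket",
     "ResourceId": "arn:aws:s3:::logs-bucket", "SeverityLabel": "HIGH",
     "ComplianceStatus": "FAILED", "Title": "S3 buckets should prohibit public write access"},
    {"Id": "f-3", "AwsAccountId": "222222222222", "ResourceType": "AwsS3Bucket",
     "ResourceId": "arn:aws:s3:::public-site", "SeverityLabel": "MEDIUM",
     "ComplianceStatus": "PASSED", "Title": "S3 buckets should prohibit public read access"},
    {"Id": "f-4", "AwsAccountId": "222222222222", "ResourceType": "AwsEc2Instance",
     "ResourceId": "i-0abc", "SeverityLabel": "LOW",
     "ComplianceStatus": "FAILED", "Title": "EC2 instances should not have a public IP"},
]

POSITIVE = {"EQUALS", "PREFIX"}
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}

def _match(value, flt):
    """Apply one Security Hub StringFilter entry ({"Value":..., "Comparison":...})."""
    comparison = flt.get("Comparison", "EQUALS")
    wanted = flt["Value"]
    if comparison == "EQUALS":
        return value == wanted
    if comparison == "NOT_EQUALS":
        return value != wanted
    if comparison == "PREFIX":
        return value.startswith(wanted)
    if comparison == "PREFIX_NOT_EQUALS":
        return not value.startswith(wanted)
    raise ValueError(f"unsupported comparison {comparison}")

def matches_filters(finding, filters):
    """Filters across attributes are ANDed. Within one attribute, EQUALS/PREFIX
    entries are ORed and NOT_EQUALS/PREFIX_NOT_EQUALS entries are ANDed, which is
    how Security Hub documents string filters."""
    for attr, entries in filters.items():
        value = finding.get(attr, "")
        positives = [e for e in entries if e.get("Comparison", "EQUALS") in POSITIVE]
        negatives = [e for e in entries if e.get("Comparison", "EQUALS") in NEGATIVE]
        if positives and not any(_match(value, e) for e in positives):
            return False
        if not all(_match(value, e) for e in negatives):
            return False
    return True

def evaluate_insight(findings, filters, group_by_attribute):
    """Return {group value: number of matching findings}, largest groups first."""
    counts = Counter(f[group_by_attribute] for f in findings if matches_filters(f, filters))
    return dict(counts.most_common())

# A custom insight in the same shape as the create-insight request: S3 buckets
# with failed public-access controls, grouped by bucket.
PUBLIC_S3_INSIGHT = {
    "Name": "S3 buckets with failed public-access controls",
    "Filters": {
        "ResourceType": [{"Value": "AwsS3Bucket", "Comparison": "EQUALS"}],
        "ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}],
        "Title": [{"Value": "S3 buckets should prohibit public", "Comparison": "PREFIX"}],
    },
    "GroupByAttribute": "ResourceId",
}

if __name__ == "__main__":
    result = evaluate_insight(SAMPLE_FINDINGS, PUBLIC_S3_INSIGHT["Filters"],
                              PUBLIC_S3_INSIGHT["GroupByAttribute"])
    print(PUBLIC_S3_INSIGHT["Name"], "->", result)
```

Changing only the grouping attribute (for example to AwsAccountId) turns the same filters into a per-account view, which is why the notes say the grouping attribute must be chosen first and the filters refine the display afterwards.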
Amazon Guard Duty
This is a fully managed intelligent threat detection service.
- Uses machine learning.
- Looks for unexpected or malicious activity.
Guard duty is a Regional Service:
- You must first select a region before using it.
- Guard duty will then only work in that region.
- In the case of multiple regions:
- Set up one for each region.
- Use the security hub to combine data feeds.
Data is obtained from:
- Cloud Trail logs
- DNS logs
- VPC Flow logs
It can be used on a single or multiple accounts.
It uses numerous threat-detection feeds.
Guard duty learns activity on the account.
- Tries to determine what is normal and abnormal.
Guard duty provides an effective way to remediate security issues without having any performance impact.
🐕Think of Guard Duty as a guard dog. It has to learn some activity, but it is already trained.
- Guard duty installs in a "one-click manner" to the account.
- Constant monitoring.
- Global coverage, regions categorized locally.
- Detection of behavior-based unknown threats using machine learning.
- Can manage security across accounts.
- This is done through account linking.
Findings:
- Are on a numerical scale.
- High: 7.0 to 8.9
- Medium: 4.0 to 6.9
- Low: 1.0 to 3.9
Easy way to memorize this scale:
- Endings are always .9
- Jump in levels of 2 from 1.0
- The top jump in level is only 1
Guard duty can aggregate multiple smaller events into one notification.
- This helps prevent noise / alert fatigue.
VPC Flow logs
Captures:
- IP Addresses
- Amount of data
- Direction of flow
Guard duty uses this to determine if an instance is communicating with a bad actor.
This is done using a threat intelligence list.
Can detect unknown threat behavior:
- Example: an EC2 instance starts transferring a large amount of data.
- 😳This could be a sign of a data breach.
There is no need to turn on VPC flow logs manually.
- Guard duty uses an independent VPC System.
- Turning on or off your flow logs has no impact on guard duty.
Cloud Trail Events
Cloud trail logs help guard duty build a profile for the account.
It helps the software understand what normal activity is.
As the model evolves (learns), it can pick up unusual usage activity on the account.
DNS Logs
Guard duty can analyze the DNS queries from instances.
This data can be compared against the threat intelligence lists that Amazon has built.
This does not depend on Route 53
- It looks at the DNS queries.
- Does not require a hosted zone or DNS log.
How Guard Duty works
Data is collected and analyzed from the three sources above.
The service can examine tens of billions of events; it is SaaS, nothing you install.
Anomalous or malicious activity:
- Ranked - High, Medium, or Low.
- The findings are delivered to the security hub, S3 Bucket or CloudWatch events.
Hub - View all events from multiple services in one place.
EventBridge - Near real-time notifications using the SNS service.
Multiple intelligence services are used:
- AWS security intelligence.
- Partner intelligence such as CrowdStrike and Proofpoint.
- Customer-provided intelligence reports.
What can guard duty detect
Can identify the following threats:
- Known malware-infected hosts.
- Anonymizing proxies and Tor gateways.
- Crypto mining and wallets.
- Sites hosting malware or hacking tools.
Amazon Macie
Macie uses machine learning to find sensitive data stored in S3.
Macie can integrate with CloudTrail
It has customizable policies and reporting integrations.
Macie makes security proactive.
Macie's main task is to find PII in your environment.
Helps to protect against PII being left on an unprotected S3 share.
Also, if data is moved to an unprotected S3 share through malicious or accidental activity, Macie will find it.
Macie is different from Guard Duty
- Macie looks at data at rest in an S3 bucket
- Guard duty looks at data in transit.
CloudWatch Events for Guard Duty
Using SNS topics:
- Allows automated notifications.
- Automated remediation.
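The severity scale above and the EventBridge-to-SNS delivery described here come together in a small routing handler. The block below is an added example, not code from the original notes or from AWS: it takes the EventBridge event shape GuardDuty uses (source aws.guardduty, detail-type "GuardDuty Finding", numeric severity in detail.severity), labels the severity with the notes' bands, and publishes High and Medium findings to an SNS topic while leaving Low ones in the console. The SNS call is passed in as a callable so the logic runs offline; with boto3 it would be boto3.client("sns").publish. The topic ARNs, account ids and finding events are constructed placeholders.

```python
# Added example: label and route GuardDuty findings arriving via EventBridge.
# Shaped like an AWS Lambda handler; the SNS publish is injected so the block
# runs without AWS credentials (with boto3: publish = boto3.client("sns").publish).
import json

# Severity bands exactly as given in the notes.
SEVERITY_BANDS = (
    ("HIGH", 7.0, 8.9),
    ("MEDIUM", 4.0, 6.9),
    ("LOW", 1.0, 3.9),
)

def severity_label(score):
    """Map GuardDuty's numeric severity to the dashboard label.
    Values outside the documented bands are reported as UNKNOWN rather than
    silently dropped, so a schema change shows up in the counts."""
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    return "UNKNOWN"

# Placeholder topic ARNs (constructed, not real resources).
TOPICS = {
    "HIGH": "arn:aws:sns:us-east-1:111111111111:guardduty-high",
    "MEDIUM": "arn:aws:sns:us-east-1:111111111111:guardduty-medium",
}

def route_finding(event, publish):
    """Classify one EventBridge event; publish HIGH/MEDIUM findings to SNS.
    Returns (label, topic_arn_or_None)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return ("IGNORED", None)  # a rule pattern should already filter these
    detail = event.get("detail", {})
    label = severity_label(float(detail.get("severity", 0)))
    topic = TOPICS.get(label)
    if topic is None:
        return (label, None)  # LOW / UNKNOWN: visible in the console, no page
    message = {
        "severity": label,
        "type": detail.get("type"),
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "resource_type": detail.get("resource", {}).get("resourceType"),
        "title": detail.get("title"),
        "finding_id": detail.get("id"),
    }
    publish(TopicArn=topic,
            Subject=f"GuardDuty {label}: {detail.get('type')}",
            Message=json.dumps(message))
    return (label, topic)

def process_events(events, publish):
    """Route a batch of events and return how many landed in each label,
    which is the kind of aggregate an hourly digest would use instead of
    one notification per event."""
    counts = {}
    for event in events:
        label, _ = route_finding(event, publish)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample events in the EventBridge shape for GuardDuty findings.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-1", "accountId": "111111111111", "region": "us-east-1",
                "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
                "resource": {"resourceType": "Instance"},
                "title": "SSH brute force attempts against an instance"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "finding-2", "accountId": "111111111111", "region": "us-east-1",
                "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                "resource": {"resourceType": "Instance"},
                "title": "Instance queried a cryptocurrency-related domain"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {}},
]

if __name__ == "__main__":
    sent = []
    print(process_events(SAMPLE_EVENTS, lambda **kw: sent.append(kw)))
    for msg in sent:
        print(msg["Subject"])
```

Keeping the thresholds in one table and returning the label from a function means the same code feeds both the SNS routing and a Security Hub-style count by severity, and the UNKNOWN branch is the check that catches findings whose severity falls outside the bands the notes list.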
Standards, Controls, and Checks
When starting the security hub you are presented with standards.
- Your environment is checked against these standards.
Some of these standards are:
- AWS Foundational security best practices.
- CIS AWS Foundations 1.2 and 1.4 [2]
- NIST 800-53 rev 5
- PCI DSS v3.2.1
Remember: AWS, CIS, NIST, PCI - (Aws Creates New Problems)