To me, security is a matter of culture in what we do. It is not an optional detail - it is must-have knowledge. You can love it so much that you specialize in it (and maybe make big money?), or you can add to it a bit at a time. But the moment you take the extra steps to build something in production, you cannot take the risk of ignoring the security needs of your infrastructure. Therefore, we all have to know bits and pieces of security, and probably more.
And of course AWS is no exception when it comes to this. There are multiple tools, dedicated workshops, whitepapers, videos etc. to introduce security best practices on AWS - but it is still a bit daunting to figure out what you need and what you don't, and then where to begin.
So today I will try my best to take on this challenge and offer you a guide to getting started:
Activate these three security tools first:
- Amazon GuardDuty
- Amazon Inspector
- AWS Security Hub
Let's go ahead and check each of these tools a little more in depth.
GuardDuty - Your Attacks Categorized at its Best
This is an automated scanning tool that continuously monitors your main AWS resources for common threats and vulnerabilities. The scope is EC2, RDS, S3, Lambda, EKS and IAM. In effect, you can expect near-instant updates on many kinds of attack scenario. Imagine a hacker compromised one of your servers. Or a tool you use quietly turned your instance into a bitcoin miner without you noticing. GuardDuty comes into play in these cases, notifies you immediately and recommends some actions.
To understand where GuardDuty helps, it's useful to look through the GuardDuty finding types. I think the list of finding types gives a much better hint about the focus of GuardDuty, and makes it much easier to figure out where it helps, than the fancy marketing introductions of the tool.
- Security Hub automatically receives GuardDuty's findings within 5 minutes - you can also be notified via e-mail, Slack or the console.
- It's also possible to view GuardDuty's findings in the Security Hub dashboard.
- GuardDuty specifies the resource ID and threat finding details for each finding. With this, it's possible to go through each threat.
- GuardDuty is powerful especially against authentication misuse (via IAM / IAM SSO) as well as for EKS/EC2 security. It's also handy that there is a central overview of GuardDuty findings.
- GuardDuty is AWS-centric, so it's not very useful if the attack is at the container level or via internal processes. Furthermore, it's reactive, not preventive - it detects attacks but does not block them.
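Getting a finding into an inbox, as the first bullet above mentions, is a small piece of configuration. The Terraform below is an added example, not code from the original post or from AWS: it wires GuardDuty findings of medium severity (4.0) or higher through an EventBridge rule into an SNS topic with an e-mail subscription. It assumes GuardDuty is already enabled in the region, the AWS provider is configured, and `var.alert_email` (an assumed input) holds the recipient address.

```hcl
# Added example, not from the original post: forward GuardDuty findings
# to an e-mail address via EventBridge -> SNS.
# Assumes: AWS provider configured, GuardDuty enabled in this region,
# var.alert_email is the recipient (assumed input variable).

variable "alert_email" {
  description = "Address that receives GuardDuty alerts (assumed input)"
  type        = string
}

resource "aws_sns_topic" "guardduty_alerts" {
  name = "guardduty-alerts"
}

# EventBridge must be allowed to publish to the topic; without this policy
# the rule matches events but every target invocation fails.
data "aws_iam_policy_document" "allow_events_publish" {
  statement {
    sid     = "AllowEventBridgePublish"
    effect  = "Allow"
    actions = ["SNS:Publish"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [aws_sns_topic.guardduty_alerts.arn]
    # Least privilege: only this one rule may publish, not any rule in the account.
    condition {
      test     = "ArnEquals"
      variable = "aws:SourceArn"
      values   = [aws_cloudwatch_event_rule.guardduty_findings.arn]
    }
  }
}

resource "aws_sns_topic_policy" "guardduty_alerts" {
  arn    = aws_sns_topic.guardduty_alerts.arn
  policy = data.aws_iam_policy_document.allow_events_publish.json
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.guardduty_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# Match GuardDuty findings whose numeric severity is medium (4.0) or above,
# so low-severity noise does not page anyone.
resource "aws_cloudwatch_event_rule" "guardduty_findings" {
  name        = "guardduty-findings-medium-and-up"
  description = "Forward GuardDuty findings with severity >= 4 to SNS"
  event_pattern = jsonencode({
    source        = ["aws.guardduty"]
    "detail-type" = ["GuardDuty Finding"]
    detail = {
      severity = [{ numeric = [">=", 4] }]
    }
  })
}

resource "aws_cloudwatch_event_target" "to_sns" {
  rule      = aws_cloudwatch_event_rule.guardduty_findings.name
  target_id = "guardduty-to-sns"
  arn       = aws_sns_topic.guardduty_alerts.arn

  # Reduce the raw event to a one-line subject-style message for the e-mail.
  # The template must itself be a JSON string, hence the escaped quotes.
  input_transformer {
    input_paths = {
      severity = "$.detail.severity"
      type     = "$.detail.type"
      account  = "$.detail.accountId"
      region   = "$.detail.region"
      title    = "$.detail.title"
    }
    input_template = "\"GuardDuty [<severity>] <type> in <account>/<region>: <title>\""
  }
}
```

After `terraform apply` the recipient has to confirm the subscription before anything is delivered. The topic policy is the piece most often forgotten: without it the rule shows matching events while deliveries fail, which only surfaces in the rule's FailedInvocations CloudWatch metric. Security Hub still receives the same findings on its own; this rule only adds the out-of-band notification.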
How to activate GuardDuty in your account?
All you have to do is navigate to the GuardDuty page in your account and click activate. But this is just the beginning. The next step is to decide which protection plans to include in your GuardDuty:
- S3 Protection takes S3 buckets and related resources into focus. Make sure it is enabled if you are actively using buckets in your workloads.
- EKS Protection focuses on Kubernetes-related workloads. You should clearly activate it when you use ECS/EKS; however, your protection relies on CloudTrail, VPC Flow Logs and EKS Audit Logs in your clusters. So you still have some work to do!
- EC2 Malware Protection and Agent Management for EC2 focus on EC2 instances. They rely on SSM agents running in your instances. Automated management relies on Runtime Monitoring to take actions. However, it is optional and I prefer not to use it at this level.
- Runtime Monitoring is an AI-supported general scanning feature. The solution follows the latest defensive trends in security and improves itself. An agent continuously checks your resources, takes actions and informs you whenever a security risk is noticed. Although it sounds very promising, I decided not to activate Runtime Monitoring because of its very high cost.
- RDS Protection and Lambda Protection focus on each resource type, respectively. If you have these resources, make sure to activate these options as well.
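Clicking through the console works for one account, but the same decisions are easier to review and repeat when written down. The Terraform below is an added example, not code from the original post or from AWS: it creates the detector and enables the protection plans recommended above while leaving Runtime Monitoring explicitly disabled. It assumes the AWS provider is configured and that the account is not a member of a GuardDuty organization (in that case the delegated administrator owns these settings). The feature names are the GuardDuty API identifiers for the protection plans.

```hcl
# Added example, not from the original post: enable GuardDuty with the
# protection plans chosen above, as code instead of console clicks.
# Assumes: AWS provider configured; standalone account (not a GuardDuty
# organization member, where the delegated admin controls features).

resource "aws_guardduty_detector" "main" {
  enable = true
  # How often updated findings are exported to EventBridge / Security Hub.
  finding_publishing_frequency = "FIFTEEN_MINUTES"
}

locals {
  # GuardDuty API feature names for the protection plans to turn on.
  enabled_features = [
    "S3_DATA_EVENTS",         # S3 Protection
    "EKS_AUDIT_LOGS",         # EKS Protection
    "EBS_MALWARE_PROTECTION", # EC2 Malware Protection
    "RDS_LOGIN_EVENTS",       # RDS Protection
    "LAMBDA_NETWORK_LOGS",    # Lambda Protection
  ]
}

resource "aws_guardduty_detector_feature" "enabled" {
  for_each    = toset(local.enabled_features)
  detector_id = aws_guardduty_detector.main.id
  name        = each.value
  status      = "ENABLED"
}

# Runtime Monitoring is deliberately left off (cost), but managed here so the
# decision is visible in code and in every plan diff, not an account default.
# EC2 agent management is a sub-setting of this feature and stays off with it.
resource "aws_guardduty_detector_feature" "runtime_monitoring" {
  detector_id = aws_guardduty_detector.main.id
  name        = "RUNTIME_MONITORING"
  status      = "DISABLED"
}
```

Reversing the Runtime Monitoring decision later is a one-line change of `status` to `"ENABLED"`, plus an `additional_configuration` block with `name = "EC2_AGENT_MANAGEMENT"` if you want GuardDuty to install the agents for you; the plan output then shows exactly which plans are paid for in which account.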
What's in it for me?
Once you activate GuardDuty, your findings will be categorized, described and listed. Furthermore, for each incident that occurred, you will be guided on how to remediate the attack sequence behind it.
Want to suggest a topic for me to post about? Let me know.