Ephemeral AWS Accounts;

  • The root user’s email address can’t be reused if you close an account.
    • Use plus email addressing ([email protected]). Plus addressing means any email sent to [email protected] is still delivered to your mailbox, so you can hand out many variations of your email address to different people, sites, or mailing lists. https://www.fastmail.help/hc/en-us/articles/360060591053-Plus-addressing-and-subdomain-addressing#:~:text=Plus%20addressing%20means%20any%20email,%2C%20sites%2C%20or%20mailing%20lists.
  • Maintained the list of addresses in an Excel spreadsheet; never even bothered doing the password recovery, as when you generate an account via Organizations it only asks for the email address. To retrieve the password you have to go through the forgot-password process.
  • An AWS Organization can only have 3 accounts under it; you have to raise a service limits request in order to create more. (Free accounts are very slow for this request.) https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html
  • Create and Remove accounts via scripts
  • Set Service limits
  • sandboxed accounts  https://aws.amazon.com/blogs/mt/best-practices-creating-managing-sandbox-accounts-aws/
  • Azure Labs – https://labs.azure.com/
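
The account procedure above (a fresh plus-addressed root email per account, scripted create/close, and the member-account quota) as an added Python example; this is not the post's own script. It assumes a base mailbox `sec@example.com`, and the `FakeOrganizations` class is a stand-in for a boto3 `organizations` client whose `create_account`, `describe_create_account_status` and `close_account` calls it imitates offline.

```python
"""Scripted create/close of ephemeral AWS member accounts (added example).

In production, pass boto3.client("organizations") as `org`; the FakeOrganizations
class below imitates that client offline so the flow can be run and tested.
"""
import csv
import io
import time
import uuid
from typing import Dict, List


def plus_address(mailbox: str, label: str) -> str:
    """sec@example.com + 'lab-01' -> 'sec+lab-01@example.com'.

    Every account gets a fresh plus-addressed root email because AWS will not let a
    closed account's root email be reused; all mail still lands in the base mailbox.
    """
    local, domain = mailbox.split("@", 1)
    return f"{local}+{label}@{domain}"


def create_ephemeral_account(org, mailbox: str, name: str,
                             poll_seconds: float = 0.0) -> Dict[str, str]:
    """Request one member account and poll until the request leaves IN_PROGRESS.

    Returns a ledger row (name, email, account_id, state, failure) that replaces
    the spreadsheet of used addresses.
    """
    email = plus_address(mailbox, f"{name}-{uuid.uuid4().hex[:8]}")
    resp = org.create_account(Email=email, AccountName=name,
                              IamUserAccessToBilling="DENY")  # lab accounts get no billing access
    request_id = resp["CreateAccountStatus"]["Id"]
    while True:
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] != "IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    return {"name": name, "email": email,
            "account_id": status.get("AccountId", ""),
            "state": status["State"],
            "failure": status.get("FailureReason", "")}


def provision_batch(org, mailbox: str, names: List[str]) -> List[Dict[str, str]]:
    """Create accounts in order and stop at the first quota failure, so the
    remaining names can be retried once a Service Quotas increase is approved."""
    ledger: List[Dict[str, str]] = []
    for name in names:
        row = create_ephemeral_account(org, mailbox, name)
        ledger.append(row)
        if row["failure"] == "ACCOUNT_LIMIT_EXCEEDED":
            break
    return ledger


def ledger_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise the ledger as CSV (the spreadsheet, without the spreadsheet)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "email", "account_id", "state", "failure"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


class FakeOrganizations:
    """Offline stand-in for the boto3 Organizations client (demo assumption).

    It models two behaviours the post runs into: the member-account quota
    (3 here, the number the post gives) and root emails that stay burned
    after close_account.
    """

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.accounts: Dict[str, Dict[str, str]] = {}
        self.requests: Dict[str, Dict[str, str]] = {}
        self.used_emails = set()

    def create_account(self, Email: str, AccountName: str, **kwargs) -> Dict:
        rid = "car-" + uuid.uuid4().hex[:12]
        if Email in self.used_emails:
            final = {"Id": rid, "State": "FAILED", "FailureReason": "EMAIL_ALREADY_EXISTS"}
        elif len(self.accounts) >= self.limit:
            final = {"Id": rid, "State": "FAILED", "FailureReason": "ACCOUNT_LIMIT_EXCEEDED"}
        else:
            account_id = f"{len(self.accounts) + 1:012d}"
            self.accounts[account_id] = {"Email": Email, "Name": AccountName, "Status": "ACTIVE"}
            self.used_emails.add(Email)
            final = {"Id": rid, "State": "SUCCEEDED", "AccountId": account_id}
        self.requests[rid] = final
        return {"CreateAccountStatus": {"Id": rid, "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId: str) -> Dict:
        return {"CreateAccountStatus": self.requests[CreateAccountRequestId]}

    def close_account(self, AccountId: str) -> Dict:
        # A closed account shows as SUSPENDED for the post-closure period; its email stays used.
        self.accounts[AccountId]["Status"] = "SUSPENDED"
        return {}


if __name__ == "__main__":
    org = FakeOrganizations(limit=3)
    rows = provision_batch(org, "sec@example.com", ["lab-1", "lab-2", "lab-3", "lab-4"])
    print(ledger_csv(rows))
```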

Infrastructure as Code, Cloud Automation Scripts (Terraform, Ansible, CloudFormation)

Terraform and CloudFormation are for service provisioning.

Ansible is for DevOps automation and configuration management.

Identifying entry points on O365, AWS, Azure and GCP

This blog is mainly a list of tools to expose and test entry points into AWS, Azure and GCP. My next goal is to implement these tools and develop some YouTube videos, and after that to develop actual detection and mitigation strategies.

Hacking the Cloud – Cloud Security – Attacks

👉 Get familiar with Cloud Security fundamentals with Learn to cloud by Gwyneth Peña-Siguenza and Day Johnson

👉 Hacking the cloud by Nick Frichette an encyclopedia of the techniques that offensive security professionals can use against cloud environments.

👉 Cloud Security – Attacks by Joas A Santos

👉 Practice with this free lab from Pentester Academy

👉 Practice with Flaws by Scott Piper

👉 https://github.com/CyberSecurityUP/Cloud-Security-Attacks?utm_content=buffer3c7f2&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer

👉 Public Cloud Breaches – https://www.breaches.cloud/

👉 Learn AWS Pentesting – https://www.youtube.com/playlist?list=PLMoaZm9nyKaNRN0SoR_PBVYc_RAhbZdG4

Microsoft Azure Security Checklist / Audit

💡 Run regular OSINT (Open-Source Intelligence) scans to identify compromised accounts, and cycle all credentials of the accounts found in the OSINT hunt.
💡 Ensure all accounts have MFA enforced. Accounts without MFA are simply a business risk in today’s era of identity-centric applications and services.
💡 Create conditional access policies to limit access to HVTs (High-Value Targets) and HVSs (High-Value Services) based on geo-location, device/identity risk, etc.
💡 Create a conditional access policy to limit access to the Azure Portal (only allow a specific group, enforce MFA, and only allow logins from certain locations). This not only reduces the Azure Portal attack surface but also enforces the reduced attack surface.
💡 Restrict the Azure AD administration portal.
💡 Enforce strict privileged access on inter-cloud resources such as Subscriptions, Resource Groups and any other Azure workloads.
💡 Enforce strict guest user privileges (ACLs) and access (MFA).
💡 Create Sentinel queries and alerts to flag any suspicious activity related to tenant takeover tactics. (Just because the threat actor managed to log into the environment (Red Team) does not mean the activity went unnoticed (Blue Team).)

AWS Security Tools

AWS – easy to get started, changes daily, difficult to secure and harder still to know if you are “doing it right”. AWS has thousands of APIs; are you confident they are all secure? Have a good night’s sleep.

AWS innovates really quickly and ships a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up-to-date information, and of course the AWS Security Blog: https://twitter.com/awssecurityinfo?lang=en

Research Articles

Security Terraform scripts;

Known AWS breaches


AWS Digital Forensic Analysis

SCS-C01 – AWS Certified Security Specialty

Exam Questions

  1. Conflicts between AWS S3 bucket policies and IAM policies
    1. https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
  2. How do you restrict access to S3 buckets?
    • Restrict access to S3 buckets using policies and pre-signed URLs.
    • IAM policies, S3 bucket policies, and S3 ACLs.
    • AWS follows the least-privilege principle, so by default everything is denied.
    • If you allow something, it only takes one explicit deny for the result to be denied.
    • An explicit deny will always override an allow.
    • $ aws s3 presign s3://<mybucket>/<myobject> --expires-in 120
  3. What is the required trust relationship for Active Directory and AWS SSO?
    • ADFS is a trusted identity provider in AWS.
    • AWS is a trusted relying party in ADFS.
  4. In a VPC, all subnets are routed by default, but how can you prevent network traffic between them?
    • ACLs and Security Groups.
    • Remove the default routes.
    • ACLs and IAM policies.
    • Answer: ACLs and Security Groups.
  5. Your company is serving content through a CloudFront distribution. Your IR team wishes to review data to identify possible indicators of compromise or anomalous events. In particular they are looking for source IP address, the original request, the referrer and protocol information. Where should they look for this data?
    • CloudFront access logs for the distribution.
  6. You need to create a logging strategy for your company’s accounts. The logging data must be kept securely and be readily usable for 90 days. After 90 days, the logs probably will not be required, but must still be retained for compliance for 10 years. What solution ensures that your logs are securely retained for the entirety of the required duration in the most cost-effective manner?
    • Send all logs to a central logging account S3 bucket. Ensure that the bucket is protected with a bucket policy that only allows read access to security admins, denying all other access. Create a lifecycle policy that automatically moves the data to Amazon S3 Glacier after 90 days, and then automatically deletes the logs after 10 years.
  7. Your company has created a centralised logging account where all AWS CloudWatch and AWS CloudTrail logs are delivered. You’ve created a new account using AWS CloudFormation. In this account, you’ve built a Lambda function to stream the generated logs and send them to your logging account’s S3 bucket. When completing a test run of your Lambda function, a 403 error is returned. What change will quickly resolve this issue without sacrificing security best practices?
    • Change your permissions statement on the Lambda function to allow access to the logging account S3 bucket.
  8. A recent security review discovered that your company’s ecommerce site accepts an SSL session with a non-compliant cipher. You must prevent this specific cipher from being used to secure a client’s session when communicating to and from the Elastic Load Balancer. What steps should you take?
  9. You are responding to a DDoS attack on your company’s application. The application is composed of a dynamic website running on EC2 instances behind a CloudFront distribution. The attack is being launched from a large number of IP addresses across many different countries. The attack is targeting valid URIs, but seems to have a common misspelling in the query strings that were passed. What quick solution could you implement to block this attack?
  10. Your company has a public-facing three-tiered application that uses an ALB in front of the presentation layer and a second ALB connecting the presentation layer to the application layer. The application is being targeted by a variant of a sophisticated SQL injection attack. The attacks are coming from blocks of IP addresses that are in use by existing legitimate customers. What is the easiest way to protect your applications?
    1. Block the attack by implementing AWS WAF and use rules that look for SQL injection.
  11. Your company, BigBank, has set up automated penetration testing and vulnerability analysis from servers under their control (on EC2 instances). This is working well, but you notice that it is causing excessive numbers of alarms in Amazon GuardDuty. What is the simplest way to hide these false positives?
    1. Allocate an elastic IP address for the EC2 instances and then update the trusted IP address list in GuardDuty.
  12. You are building a mobile app for consumers to post images online. You will be storing the images in Amazon S3. You want to implement user authentication cheaply and simply. Which one of these options allows you to build a photo-sharing application that meets the cost and effort requirements?
    1. Build the application using AWS Cognito and web identity federation to allow users to log in using Facebook or Google accounts. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS like Amazon S3.
  13. You are the security architect at BigPharma and you are concerned about infrastructure security for EC2 instances. In particular, you know that your company’s developers will want to make API requests from those instances. What should you recommend as a best practice?
    1. Developers should use IAM roles to grant permissions to EC2 instances. They should create multiple reusable roles and assign the one that matches the least privileges required.
  14. You are the security administrator at BigPhoneCompany, the national telecommunication carrier. You want to be able to automate isolation of specific instances in several public subnets that contain EC2 instances. What is the simplest way to do this?
    1. Create a Lambda function that modifies the security group to block inbound traffic.
  15. A corporate web application is deployed within an Amazon Virtual Private Cloud (Amazon VPC) and is connected to the corporate data centre via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an S3 keyspace specific to that user. Which approaches can fulfil these goals?
    1. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls AWS STS to assume that IAM role. The application can use the temporary credentials to access the bucket.
    2. Develop an identity broker that authenticates against LDAP and then calls AWS STS to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the bucket.
  16. Your organisation has hundreds of developers, testers and QA staff. You are about to begin using AWS on a large scale for the first time. You want to integrate with your existing identity management system running on Microsoft Active Directory. How should you manage your AWS identities in the simplest manner?
    1. Use a large AWS Directory Services AD Connector.
  17. You have a client whose application creates extremely sensitive data from user input. This data needs to be securely transmitted to a data store and requires end-to-end encryption with controlled access to the sensitive data. Which of the following options offer the most data protection while still making the data available to authenticated users?
    1. Upload the data to Amazon S3, and make sure the bucket has a policy to only allow put/get access if secure transport is enabled, using AES-256 SSE-S3 managed encryption keys.
  18. When using an encrypted file system to protect your data at rest, what steps are required to ensure that you protect your data and metadata in the most cost-effective and simple manner?
    1. Create an Amazon Elastic File System (Amazon EFS) using AWS KMS key encryption.
    2. Create an Amazon CloudWatch alarm to detect unencrypted file system.
  19. You have been tasked with creating a strategy to enforce encryption of your data in transit. What can you do to ensure that your data is protected in transit.
    1. Enable HTTPS listeners for your load balancers. Don’t allow non-protected ports in your load balancer security group.
  20. Your company needs to monitor active/realtime traffic (for full packet analysis and replay capture) within their AWS environment. They would like to do full packet analysis of traffic to/from specific EC2 instances. What is the easiest way to do this?
  21. AWS Certified Security – Specialty (SCS-C01) Sample Exam Questions
  22. An application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance must use user credentials to access a database. The developer has stored those secrets in the AWS Systems Manager Parameter Store using the default AWS Key Management Service (AWS KMS) customer master key. Which steps allow the application to access the secrets via the API?  (Select TWO.) 
    1. Add permissions to read the Systems Manager parameter to the EC2 instance role.
    2. Add permission to use the AWS KMS key to decrypt to the EC2 instance role.
  23. A company is using AWS CloudTrail to log all AWS API activity for all Regions in all of its accounts. The chief information security officer has asked the team to take additional steps to protect the integrity of the log files. Which steps will protect the log files from unintentional changes? (Select TWO.)
    1. Create an Amazon S3 bucket in a dedicated log account and grant the other account write-only access. Deliver all log files from every account to the S3 bucket.
    2. Enable CloudTrail logs file integrity validation.
  24. A company requires that data stored in AWS be encrypted at rest. Which approaches best achieve this requirement? (Select TWO.)
    1. When storing data in Amazon EBS, encrypt the volume using AWS KMS.
    2. When storing data in Amazon S3, enable server-side encryption.
  25. A company is deploying a new web application on AWS. Based on the company’s other web applications, it anticipates being the target of frequent distributed denial of service (DDoS) attacks. Which steps can the company use to protect its application? (Select TWO.)
    1. Use an Application Load Balancer and an Auto Scaling group to scale and absorb application-layer traffic.
    2. Use Amazon CloudFront to prevent malicious traffic from reaching the application.
  26. A security engineer must ensure the monitoring of all infrastructure launched in the company AWS account for deviation from compliance rules. Specifically, the engineer must ensure that all EC2 instances launch from a specific list of Amazon Machine Images (AMIs) and that all attached Amazon EBS volumes are encrypted. The security engineer must terminate infrastructure that is not in compliance. What are the best solutions to ensure compliance rules are enforced? (Select TWO.)
    1. Trigger an AWS Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
    2. Monitor compliance with AWS Config rules triggered by configuration changes.
  27. A company currently has an Amazon S3 bucket hosted in an AWS account. The bucket holds information that a partner account needs to access. What are the most secure ways to allow the partner account to access the S3 bucket in the AWS account? (Select TWO.)
    1. Ensure that the partner uses an external ID and then makes the request.
    2. Provide an Amazon Resource Name (ARN) for the role to the partner account.
  28. A company has mandated that all calls to the AWS KMS service be recorded. How can this task be achieved?
    1. Enable trails in AWS CloudTrail
  29. A company has enabled automatic key rotation for an existing customer master key (CMK) where the customer manages the backing key, when is the CMK rotated?
    1. After 1 year
  30. An AWS Lambda function reads metadata from an Amazon S3 object and stores the metadata in an Amazon DynamoDB table. Storing an object within the S3 bucket triggers the function. How should a company give the Lambda function access to the DynamoDB table?
    1. Create an IAM role with permissions to write to the DynamoDB table. Associate the role with the Lambda function.
  31. A company has an EC2 instance set up in a test environment in AWS. The developer installed the required application and then promoted the server to a production environment. The IT security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can the developer immediately mitigate this situation without impacting the application?
    1. Remove the rule for incoming traffic on port 22 for the security group.
  32. Each day, a security team must brief the chief information security officer with a report about which of hundreds of Amazon EC2 instances and on-premises servers lack the latest security patches. The security team must bring all instances and servers into compliance within 24 hours so they do not show up on the next day’s report. How can the security team fulfill these requirements?
    1. Use AWS Systems Manager Patch Manager to generate the report and install the missing patches on all instances and servers.
  33. A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should be open for administrative purposes. Which security group configurations are the MOST secure but still functional to support these requirements? (Select TWO.)
    1. Port 443 coming from
    2. Port 22 coming from
  34. A company has defined a number of Amazon EC2 instances over a period of 6 months. The company wants to know if any of the security groups allow unrestricted access to a resource. Which option best accomplishes this requirement?
    1. Use AWS Trusted Advisor to see which security groups have compromised access.
  35. A company wants to have a secure way of generating, storing, and managing cryptographic keys. The company also wants to have exclusive access for the keys. Which option can the company use for this purpose?
    1. Use AWS CloudHSM
  36. Which AWS service manages authentication from social sign-in providers for mobile applications?
    1. AWS Cognito
  37. What can be used to troubleshoot network issues, including traffic going into and out of your instances?
    1. VPC Flow logs
  38. Which statements below correctly describe the AWS Global infrastructure? Select TWO.
    1. Availability Zones consist of one or more data centers.
    2. Regions have geographically dispersed Availability Zones.
  39. Which of the statements below provides an example of how AWS helps customers meet their security and compliance needs?
    1. AWS assists customers in integrating their existing control frameworks.
  40. Which statement below is performed by AWS as an example regarding security OF the cloud?
    1. Decommissioning storage devices according to NIST 800-88
  41. What type of AWS credentials is required to SSH directly into an Amazon EC2 instance?
    1. EC2 key pairs
  42. Which statement is true when describing your AWS account root user credentials?
    1. They provide unrestricted access to your AWS account resources.
  43. How can AWS CloudFormation be used in an incident response solution?
    1. Deploying pre-configured instances for forensics analysis
  44. Where can you find account activity information on API calls performed via the AWS Management Console or the AWS CLI?
    1. AWS CloudTrail logs
  45. Which AWS service feature helps secure your Amazon VPC resources by providing isolation at the instance level?
    1. Security groups
  46. Which AWS services below can be used in tandem to help protect against DDoS attacks? Select THREE.
    1. Amazon CloudFront
    2. Amazon Route 53
    3. AWS Shield
  47. Which feature helps secure your Amazon VPC resources by providing isolation at the subnet level?
    1. Network ACLs
  48. Which statement is true regarding the AWS Well-Architected Tool?
    1. It provides information on potential risks in your workload.
  49. Which statement is true regarding Amazon S3 default (SSE-S3) server-side encryption?
    1. Amazon S3 generates and manages the encryption keys.
  50. Which AWS services/features can be used to provide data protection at rest and in transit? Select THREE.
    1. AWS KMS
    2. AWS Certificate Manager
    3. VPN connectivity
  51. Your security team has been informed that one of your IAM username/passwords pairs has been published to social media and has been used several times by unauthorized sources. How can the security team stop the unauthorized access, and determine what actions were taken with the compromised account, with minimal impact on existing account resources?
    • Immediately change the IAM user password, and analyze CloudTrail logs for unauthorized actions.
  52. An application running in EC2 has a requirement for independent, periodic security checks against the application code. These checks can send notifications upon warning, but for critical alerts they must shut down the application in the instance. How can your security team perform these checks without injecting code into the application, while meeting the notification and active response requirement?
    • Deploy a second application on the EC2 instance with the security audit code. Send security audit results to CloudWatch Events, and create a rule to send warning events to SNS, and critical events to SSM Run Command to stop the application.
  53. You’ve been asked to stream application logs from CloudWatch Logs to Splunk. There is an existing subscription filter on the log group, set up for Kinesis Firehose to S3. What is the most appropriate way to ingest the logs in near real-time for Splunk analysis?
    • Enable source record transformation on the Kinesis Firehose. Create a Lambda function using the Splunk blueprints which decompresses the log entries and pushes them to Splunk.
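
Questions 1 and 2 above turn on how IAM policies and bucket policies combine. This added Python example (not from the original page, and not AWS's evaluator) implements that same-account decision order for one request: any matching explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied. It ignores Condition blocks, NotAction/NotResource and cross-account rules; the sample policies, principals and ARNs are constructed.

```python
"""Same-account S3 access decision: explicit deny > allow > implicit deny (added example)."""
import fnmatch
from typing import Any, Dict, List, Optional, Sequence

Policy = Dict[str, Any]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: Any, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(pattern))


def _principal_matches(stmt: Policy, principal_arn: str) -> bool:
    """Bucket policy statements name a Principal; identity policies apply to their owner."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p == "*" or p == principal_arn for p in _as_list(aws))


def evaluate(principal_arn: str, action: str, resource_arn: str,
             identity_policies: Sequence[Policy],
             bucket_policy: Optional[Policy] = None) -> str:
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    statements = [(s, False) for pol in identity_policies for s in _as_list(pol["Statement"])]
    if bucket_policy:
        statements += [(s, True) for s in _as_list(bucket_policy["Statement"])]
    allowed = False
    for stmt, from_bucket in statements:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource_arn):
            continue
        if from_bucket and not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "EXPLICIT_DENY"      # one matching deny ends the evaluation
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"   # nothing allowed it: default deny


# Constructed sample: the analyst's IAM policy may read the reports bucket, but a
# bucket-level deny fences off the confidential/ prefix for everyone, whatever IAM grants.
ANALYST = "arn:aws:iam::111122223333:user/analyst"
AUDITOR = "arn:aws:iam::111122223333:user/auditor"
ANALYST_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"]}]}
REPORTS_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports/confidential/*"},
    {"Effect": "Allow", "Principal": {"AWS": AUDITOR},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}


def decide(principal_arn: str, action: str, key: str,
           identity_policies: Sequence[Policy] = ()) -> str:
    """Decision for one object in the constructed reports bucket."""
    return evaluate(principal_arn, action, f"arn:aws:s3:::reports/{key}",
                    identity_policies, REPORTS_BUCKET_POLICY)


if __name__ == "__main__":
    print("analyst GetObject q1.csv:", decide(ANALYST, "s3:GetObject", "q1.csv", [ANALYST_POLICY]))
    print("analyst GetObject confidential/salaries.csv:",
          decide(ANALYST, "s3:GetObject", "confidential/salaries.csv", [ANALYST_POLICY]))
    print("analyst PutObject q1.csv:", decide(ANALYST, "s3:PutObject", "q1.csv", [ANALYST_POLICY]))
    print("auditor GetObject q1.csv (bucket policy only):", decide(AUDITOR, "s3:GetObject", "q1.csv"))
```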

AWS Notepad; Getting started on AWS, complete noob

I passed a number of AWS certs; frankly, they were a waste of my time, as they didn’t cover the basics of USING the software. There is no better way to gain experience than hands-on with the software.

Here are some basic but vital bits that should be covered somewhere, but of course they aren’t very clear.

AWS Logging and Monitoring Design

With a practical and tangible action plan, not just theoretical fluff ignored by hackers.

Firstly, as much as AWS want to advertise that they are secure, enabling logging and monitoring on AWS is:

  1. Not straightforward.
  2. Missing a lot of information from AWS, which falls under your side of the shared responsibility model. (The public cloud security get-out-of-jail card.)
  3. There are so many ways to skin the cat, but no real best practices.
  4. You need to be well aware of the service limits.
  5. AWS release new products that don’t exist anywhere else, so you have no idea what can be abused/exploited and how to detect those threats. (Of course, no one is going to question a behemoth, because everyone wants to work for them, right?)
  6. They always advise you that the product is documented, but don’t give you any advice on business outcomes and gaps.
  7. Here is a HUGE example:
    1. AWS CloudWatch agents are used to collect OS logs and metrics, but they do not integrate with AWS Security Hub, so the majority of your threat exposure isn’t covered by AWS security! You need another solution to detect and correlate these threats. They offer a custom science experiment for you to develop your own SIEM. hahahah https://aws.amazon.com/blogs/security/how-to-monitor-and-visualize-failed-ssh-access-attempts-to-amazon-ec2-linux-instances/
  8. Check the AWS HCL. People only look at the features, but a basic tenet of solution architecture is to check the HCL (Hardware Compatibility List); this applies to AWS too, where you need to check what is not supported.
    1. CloudTrail Unsupported Services https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-unsupported-aws-services.html
  1. The AWS documentation is vague at best and, as it just plagiarises existing information, gives zero insight or advice.
  2. AWS encourages customers to build bespoke AWS solutions that keep you locked in, without considering any business requirements. e.g. https://aws.amazon.com/solutions/implementations/centralized-logging/
  3. AWS (complementary and additive) native architecture.
    1. AWS forces you to use all of their services for a single requirement, making Bezos a trillionaire. It’s a nonsensical intricate web where no one has a farking clue what is going on. Look at this as an example from the Security Hub FAQ:
    1. https://docs.aws.amazon.com/securityhub/latest/userguide/control-finding-list.html
    2. Q: Will Security Hub replace the consoles of our other security services, such as Amazon GuardDuty, Amazon Inspector, or Amazon Macie?
    3. No. Security Hub is complementary and additive to the AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialised features available within each security service.
    4. CloudTrail can also send logs into CloudWatch Logs (I have no clue why you would need to do that).
    5. Also, another one: DNS traffic is not captured in VPC Flow Logs, and VPC Flow Logs are not real-time and also do not support some instance types:
      1. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html
      2. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
      3. You can’t modify a Flow Log’s configuration parameters once it is created. Instead, you have to delete it and create a new log. That’s not difficult, but it’s a bit annoying from a usability perspective.
    6. Network interfaces with multiple IP addresses will have data logged only for the primary IP as the destination address. This makes Flow Logs less useful in configurations involving multiple IPs on a single interface.
    7. Flow Logs exclude traffic related to DHCP requests and Amazon DNS activity. (Traffic for a non-Amazon DNS server is logged.) In many cases, this may not matter, but it is a limitation if you need to troubleshoot an issue with your site related to DHCP or DNS. For example, you may be experiencing poor performance due to slow DNS resolution. There are also valuable security insights that you can glean from DHCP and DNS traffic, such as detecting packet sniffing attempts by looking for unusual rates of IP conflicts, usage of the same MAC address by multiple hosts or the sharing of DNS records by machines with the same IP address.

When execs decided to digitally transform into AWS, did they evaluate the cost of talent? AWS isn’t a single product; as of this writing it is 170 products that get upgraded and changed on a daily basis. Did you assess this risk? Of course you didn’t. Oh, and don’t get me started on the multi-cloud stupidity.

This is why AWS is just so easy to master! And also super easy to secure! 🙂 🙂 🙂 🙂

“Nobody got fired for buying IBM”, old proverb. Now it’s public cloud!

Jeff Bezos could become world's first trillionaire by 2026

AWS Security Actionable Security Monitoring Plan

You should make sure you get a clear answer from AWS for the following questions;

  • So you’re logging, that’s great… what are you detecting?
  • What is your best practice for sending logs into a central SIEM?
  • Can you list top use cases AWS cover/detect?

Threat Detection SOC Use cases;

Essentially, you need to log everything centrally (for investigations and compliance) and for threat detection: what are you logging, and what can you detect? You should run a Red Team exercise against this configuration to see what you can and cannot detect.

From a Security Operations perspective, the following are the key use cases required to support your Incident Response Plans:

  1. Threat Detection and Alerting.
  2. Governance and Compliance Reporting.
  3. Investigation Searches and Digital Forensics.

Cloud Control Plane vs Cloud Data Plane Concept

To establish baseline monitoring, security teams should gather and process the following:

  • Cloud control plane logs (such as AWS CloudTrail logs)
  • Data Plane Workload OS/application logs
  • AWS Product (Access Logs)
  • Network flow logs for virtual private clouds (VPCs)
  • Inventory your threat landscape and exposure

Requirements for Threat Detection

  • Event Sources
  • Metrics
  • UpStream Security Monitoring
  • Detection Rules

Cloud Control Plane Logging

First, there’s the idea of a control plane. The control plane is the master controller (usually in the form of a master node) and includes API services, scheduling capabilities for containers and operational management tools/services. A master-level configuration database is also maintained in the control plane. In general, the control plane can be considered the brains of the Kubernetes infrastructure, and it needs to be very carefully protected.

Focus on the types of events that could be problematic to the environment. Examples include critical assets accessed or changed, identity policies modified, cryptographic keys deleted or changed, and so on.

Data Plane

AWS Product Access Logs

On top of the control and data planes, you need to consider the access logs for specific AWS products/services. For services such as Amazon CloudFront, the access logs are not captured via the control plane, so you need to capture access logs, account activity, and configuration separately.

AWS Detective

AWS Budget

Billing alarms—If you have a reasonable idea of a monthly billing range, you can break this down to define “checkpoints” that your bill should be at any given time. If these thresholds are crossed, you can be alerted and investigate the reason for the additional cost. Tools like AWS Budgets provide simple alerting and reporting for cloud billing.

  • These are key! If you have a reasonable idea of a monthly billing range, you can break this down to define “checkpoints” of what your bill should be at any given time. If these thresholds are crossed, a billing alarm can alert you so that you can investigate what is causing the additional cost.
  • Resources and resource utilization—Cloud control plane logs from services like AWS CloudTrail can (and should) be heavily leveraged to monitor new, modified and deleted assets in the environment, as well as access to assets and service interaction in the cloud environment. These logs need to be integrated with a SIEM and/or cloud-native cloud monitoring solution like Amazon CloudWatch to build the appropriate triggers for alerting, as well as monitoring and reporting metrics as warranted. Some behavioral trending over time can also be assessed and reported through analytics tools like AWS Security Hub and Amazon GuardDuty, as well
  • https://console.aws.amazon.com/billing/home#/

Amazon CloudWatch filters
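
The CloudWatch agent point raised earlier (AWS's how-to on failed SSH access attempts) is the kind of detection a metric filter covers. Added Python example, not the page's or AWS's code: it applies the same "Failed password" match a CloudWatch Logs metric filter would, over constructed sshd log lines, and flags any source IP that exceeds a threshold inside a sliding window. The log lines (TEST-NET addresses), the threshold, the window and the supplied year are all constructed for the demo.

```python
"""Failed-SSH-login detection over sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The same term a CloudWatch Logs metric filter would use on the agent's auth log group, e.g.
#   aws logs put-metric-filter --log-group-name /var/log/secure --filter-name FailedSSH \
#       --filter-pattern '"Failed password"' \
#       --metric-transformations metricName=FailedSSHLogins,metricNamespace=SSH,metricValue=1
FILTER_PATTERN = '"Failed password"'

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_login(line: str, year: int = 2024) -> Optional[Dict[str, object]]:
    """Return {ts, user, ip, invalid_user} for a 'Failed password' line, else None.
    syslog timestamps carry no year, so one is supplied (assumption for the demo)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "ip": m.group("ip"),
            "invalid_user": m.group("invalid") is not None}


def detect_bruteforce(lines: List[str], threshold: int = 3, window_s: int = 60
                      ) -> Dict[str, Tuple[int, datetime, datetime]]:
    """Source IPs with >= threshold failed logins inside any window_s-second window.
    Returns ip -> (peak count, window start, window end)."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_failed_login(line)
        if ev:
            by_ip[ev["ip"]].append(ev["ts"])
    alerts: Dict[str, Tuple[int, datetime, datetime]] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        best = (0, times[0], times[0])
        for end, t in enumerate(times):             # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], t)
        if best[0] >= threshold:
            alerts[ip] = best
    return alerts


# Constructed sample lines (TEST-NET addresses, nothing real).
SAMPLE_LINES = [
    "Mar  3 10:15:01 ip-10-0-1-23 sshd[2143]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2",
    "Mar  3 10:15:03 ip-10-0-1-23 sshd[2143]: Failed password for root from 203.0.113.45 port 51823 ssh2",
    "Mar  3 10:15:09 ip-10-0-1-23 sshd[2150]: Accepted publickey for ec2-user from 198.51.100.7 port 40110 ssh2",
    "Mar  3 10:15:11 ip-10-0-1-23 sshd[2158]: Failed password for invalid user test from 203.0.113.45 port 51824 ssh2",
    "Mar  3 10:16:40 ip-10-0-1-23 sshd[2170]: Failed password for ubuntu from 192.0.2.9 port 33001 ssh2",
    "Mar  3 10:40:02 ip-10-0-1-23 sshd[2301]: Failed password for ubuntu from 192.0.2.9 port 33002 ssh2",
]

if __name__ == "__main__":
    for ip, (n, first, last) in detect_bruteforce(SAMPLE_LINES).items():
        print(f"ALERT {ip}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```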

Identity and Access Management (IAM) and KMS

Monitor your user activity within the cloud. Admins, in particular, should be monitored carefully, because these accounts are prime targets for attackers. Any nonfederated user access should also be a high priority.

Network Security

VPC Flow Logs for your VPCs; they are not enabled by default.

Endpoint Security

AWS Inspector

AWS Config

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

However, AWS Config only collects information about EC2/VPC-related resources, not everything in your AWS account.

You should monitor changes to your AWS real estate and ensure all changes are made via ITIL Change Management and/or approved automation only.

First, you need to understand what AWS services and/or devices are in scope, then map them to your AWS native security logging and on into ArcSight SmartConnectors.

Click on Resource Groups next to the AWS Services in your aws console page, and select All Regions in region field and All Resources in the resources field. You will get the list of all the resources up and running in your AWS account. You can even tag them separately so you can check how much each resource is costing you.
If there is any other way, for example through AWS CLI, I am curious to know that.

  • Adding context—If logs can be “tagged” as originating from a specific ISP or CSP, that can help provide context on the use cases of the service. For example, logs from identity management services like AWS Identity and Access Management (IAM) have a specific user context, whereas events from Amazon EC2 may need additional details about workloads to provide the proper context for evaluation.
aws resourcegroupstaggingapi get-resources --region region_name
relationships.resourceId = 'vpc-#######'

What do you use: AWS SecurityHub, GuardDuty, CloudWatch, CloudTrail or EventHub?

The answer is that all of these are complementary and additive services. So let’s examine each of them and their primary use cases. It is best to begin with your use cases in terms of SOC operations and threat detection:

  1. Investigation and Search 
  2. Governance and Reporting
  3. Threat Detection and Alerts 

AWS GuardDuty, CloudTrail, SecurityHub and CloudWatch each act as an aggregation point for other AWS services, and each is supported by a corresponding ArcSight SmartConnector. You need to determine where you want to do threat detection and where to hold raw logs for long-term retention and investigation.


Here is an overview;

AWS SecurityHub integrates with; https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html

  • AWS Firewall Manager
  • IAM Access Analyzer
  • Amazon GuardDuty
  • Amazon Inspector
  • Amazon Macie

AWS GuardDuty integrates with;


  • AWS CloudTrail Event Logs 
  • AWS CloudTrail Management Events 
  • AWS CloudTrail S3 Data Events 
  • VPC Flow Logs 
  • DNS logs

ArcSight SmartConnectors for SecurityHub support:


  • GuardDuty Default
  • GuardDuty AWS_API_CALL
  • GuardDuty DNS_REQUEST
  • Resource Header ResourcesDetailsAwsEc2Instance 
  • ResourcesDetailsAwsIamAccessKey 
  • ResourcesDetailsAwsEc2NetworkInterface
  • ResourcesDetailsAwsEc2SecurityGroup 
  • ResourcesDetailsAwsIamRole 
  • ResourcesDetailsAwsKmsKey 
  • ResourcesDetailsAwsS3Bucket
  • ResourcesDetailsAwsS3Object
  • ResourcesDetailsAwsSnsTopic 
  • ResourcesDetailsAwsSqsQueue 
  • ResourcesDetailsAwsLambdaFunction 

ArcSight SmartConnector supports CloudTrail, S3 and CloudWatch, which may ingest logs from AWS native services.

ArcSight SmartConnector for AWS

AWS GuardDuty, CloudTrail, SecurityHub and CloudWatch act as aggregation points for other AWS services, and each is supported by a corresponding ArcSight SmartConnector. This is where the AWS (complementary and additive) native architecture comes into play:


  • Control Plane -> AWS GuardDuty -> AWS SecurityHub -> ArcSight SmartConnector -> ESM/Logger
  • Data Plane -> AWS EC2 -> Windows (SYSMON/WEC/WEF) -> ArcSight SmartConnector -> ESM/Logger
  • Data Plane -> AWS EC2 -> Linux (AuditD/Syslogs) -> ArcSight SmartConnector -> ESM/Logger

 ArcSight SmartConnector for WiNC (Windows Native Connector) – Recommended for Production Environments

This is where the AWS (complementary and additive) native architecture comes into play:

  1. AWS Firewall Manager -> AWS CloudTrail -> AWS GuardDuty -> AWS SecurityHub -> ArcSight SmartConnector for AWS SecurityHub
  2. IAM Access Analyzer -> AWS CloudTrail -> AWS GuardDuty -> AWS SecurityHub -> ArcSight SmartConnector for AWS SecurityHub

IAM Access Analyzer -> AWS SecurityHub -> ArcSight SmartConnector

You can review the supported data sources here- https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html

AWS IAM Access Analyzer supports:

ArcSight SmartConnector for AWS SecurityHub support for the AWS (complementary and additive) native architecture

So, the supported data flow is:

  1. AWS Firewall Manager -> AWS CloudTrail -> AWS GuardDuty -> AWS SecurityHub -> ArcSight SmartConnector for AWS SecurityHub
  2. AWS Identity and Access Management roles -> IAM Access Analyzer -> AWS CloudTrail -> AWS GuardDuty -> AWS SecurityHub -> ArcSight SmartConnector for AWS SecurityHub


CloudTrail vs CloudWatch

  • CloudTrail is for API logging
  • CloudWatch is for Log data

ArcSight SmartConnector for CloudWatch supports CloudWatch events

ArcSight SmartConnector supports CloudTrail, S3 and CloudWatch, which may ingest logs from AWS native logging services.

Threat Modelling and Applying Risk to AWS Services and Resources

You need to develop a threat model and apply some abuse cases, which is far beyond this blog, so let’s just use ATT&CK to identify the top risks and develop detection for them.

Using ATT&CK to Develop Baseline for TTP Monitoring

Attack Phase: TTP

  • Initial Access: Discovering valid accounts to AWS account
  • Persistence: Creating new accounts
  • Defense Evasion: Establishing presence in unused / unsupported cloud regions. Continuing to leverage valid accounts.
  • Credential Access: Querying an identity role with a cloud instance’s metadata API. Discovering credentials in files
  • Discovery: Cloud service discovery (through network visibility, interaction with other services, and so on.)
  • Collection: Data from cloud storage objects (items in S3 buckets, for example.)
  • Exfiltration: Outbound data to cloud storage account elsewhere. Connectivity to unknown outbound source addresses

Mapping Detection/Response Controls to TTPs

Attack Phase: TTP / AWS Detection

  • Initial Access
    • TTP: Discovering valid accounts to cloud environments.
    • AWS Detection: AWS CloudTrail event: Account login via AWS CLI or AWS Management Console (IAM Account).
  • Persistence
    • TTP: Creating new accounts.
    • AWS Detection: AWS CloudTrail event: New IAM account created.
  • Defense Evasion
    • TTP: Establishing a presence in unused/unsupported cloud regions. Continuing to leverage valid accounts.
    • AWS Detection: AWS CloudTrail event represented in Amazon GuardDuty or Amazon Detective: New API event in a previously unused region. AWS CloudTrail event represented in Amazon GuardDuty or Amazon Detective: Account use in new region.
  • Credential Access
    • TTP: Querying an identity role with a cloud instance’s metadata API. Discovering credentials in files.
    • AWS Detection: AWS CloudTrail event represented in Amazon GuardDuty, third-party SIEM or Amazon Detective: Metadata service queried for new services and role permissions. AWS CloudTrail event: Account login via AWS CLI or AWS Management Console.
  • Discovery
    • TTP: Cloud services discovery (through network visibility, interaction with other services, and so on). System information discovery. System network connection discovery.
  • Collection
    • TTP: Data from cloud storage objects (items in S3 buckets, for example). Data from local systems.
  • Exfiltration
    • TTP: Outbound data to a cloud storage account elsewhere.

AWS Use cases and Detection Rules

  {
    "eventTime": "2017-01-20T18:53:02Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "DeactivateMFADevice",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "",
    "userAgent": "signin.amazonaws.com",
    "requestParameters": {
      "userName": "dave",
      "serialNumber": "arn:aws:iam::000012345678:mfa/dave"
    },
    "responseElements": null,
    "requestID": "d1a9ebf8-5fc8-11e5-9d8f-1bc7c6757e61"
  }

Suspicious AWS CloudTrail event that indicates a cloud user trying to deactivate an MFA device.

How to Improve Security Visibility and Detection/Response Operations in AWS

  • IAM activity (logins in particular)—Monitor your user activity within the cloud. In particular, monitor admins carefully, because these user credentials are prime targets for attackers. Any nonfederated user access should also be a high priority.


  • Priority 1
    – Launching a workload that is not from an approved template
    – Launching any containers from unapproved images in a repository
    – Launching any assets in unapproved regions
    – Modifying any IAM roles or policies
    – Modifying or disabling cloud control plane logging or other security controls
    – Logins to the web console (unauthorized)

  • Priority 2
    – Unusual user behaviors (trying to access unauthorized resources, etc.)
    – Adding/updating new workload images
    – Adding/updating new container images
    – Logins to the web console (authorized)
    – Updating/changing serverless configuration

  • Priority 3
    – Changes to security groups or network access control lists (ACLs)
    – Updating/changing serverless function code


Table 1. Starting Points for Event Searches

AWS CloudTrail Event: Reason for Investigation

  • ConsoleLogin: A user initiates console login activity.
  • StopLogging: A user tries to stop AWS CloudTrail.
  • CreateNetworkAclEntry: Someone creates a network ACL, which could expose attack surfaces or vectors.
  • CreateRoute: Someone creates a new route for data path control, which could expose attack surfaces or vectors.
  • AuthorizeSecurityGroupEgress, AuthorizeSecurityGroupIngress, RevokeSecurityGroupEgress, RevokeSecurityGroupIngress: Monitor all changes to security groups.
  • ApplySecurityGroupsToLoadBalancer, SetSecurityGroups: Security group changes that tie to elastic load balancers are interesting, often in scaling operations. This may indicate unusual traffic surges in the environment.
  • AuthorizeDBSecurityGroupIngress, CreateDBSecurityGroup, DeleteDBSecurityGroup, RevokeDBSecurityGroupIngress: Amazon RDS instances have a different nomenclature for security groups, but they are the same thing conceptually. Security teams should monitor such instances.


Events for Immediate Monitoring

AWS Lambda Event: Reason for Monitoring

  • DeleteEventSourceMapping: Someone could delete the data source that triggers an AWS Lambda function, making it “blind.”
  • DeleteFunction: A function could be deleted purposefully or accidentally, leading to security issues.
  • RemovePermission: This could lead to a lockout scenario or lack of access when needed (think IAM service account or role access to AWS Lambda).
  • UpdateEventSourceMapping: Data could be pulled from a different source, leading to incorrect function results.
  • UpdateFunctionCode: The function could be broken or tampered with to prevent security-specific functionality from executing (for example, by adding comments).
  • UpdateFunctionConfiguration: The configuration of the function could be changed to limit its resources, causing poor or flawed execution.
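The following is an added example, not code from the original post or from the SANS paper it quotes: a small triage pass over CloudTrail records that covers the three passages above at once (the DeactivateMFADevice event, the Table 1 CloudTrail events and the Lambda events). The sample records, the priority numbers and the account/IP values are constructed for this example; the event names and the MFAUsed field are real CloudTrail fields.

```python
"""Triage CloudTrail records against the event names this page lists as starting points."""
import json

# eventName -> (priority, reason). Event names and reasons follow the page's
# tables; the priority numbers are an assumption made for this example.
WATCHLIST = {
    "DeactivateMFADevice": (1, "user trying to deactivate an MFA device"),
    "StopLogging": (1, "attempt to stop AWS CloudTrail"),
    "DeleteEventSourceMapping": (1, "Lambda trigger removed, function made blind"),
    "DeleteFunction": (1, "Lambda function deleted"),
    "CreateNetworkAclEntry": (2, "network ACL change may expose attack surface"),
    "CreateRoute": (2, "new route for data path control"),
    "RemovePermission": (2, "Lambda permission removed, possible lockout"),
    "UpdateEventSourceMapping": (2, "Lambda now reads from a different source"),
    "UpdateFunctionCode": (2, "Lambda code changed or tampered with"),
    "UpdateFunctionConfiguration": (2, "Lambda configuration changed"),
    "ConsoleLogin": (3, "console login activity"),
}
for _sg_event in ("AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                  "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"):
    WATCHLIST[_sg_event] = (2, "security group change")

def actor(record):
    """Best-effort actor name from userIdentity (userName, then ARN)."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"

def triage(records):
    """Return findings for records whose eventName is on the watch list,
    highest priority first. Failed calls (errorCode set) are still reported:
    a denied StopLogging attempt is itself worth a look."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in WATCHLIST:
            continue
        prio, reason = WATCHLIST[name]
        # CloudTrail reports MFAUsed for ConsoleLogin under additionalEventData
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            prio, reason = 1, "console login without MFA"
        findings.append({"priority": prio, "eventName": name, "actor": actor(rec),
                         "region": rec.get("awsRegion"), "source": rec.get("sourceIPAddress"),
                         "failed": rec.get("errorCode") is not None, "reason": reason})
    return sorted(findings, key=lambda f: f["priority"])

def triage_log_file(body):
    """Parse one CloudTrail log file (a JSON object with a 'Records' array)."""
    return triage(json.loads(body)["Records"])

# Constructed sample log file, modelled on the page's DeactivateMFADevice record.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-01-20T18:50:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "additionalEventData": {"MFAUsed": "Yes"},
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventTime": "2017-01-20T18:53:02Z", "eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "requestParameters": {"userName": "dave", "serialNumber": "arn:aws:iam::000012345678:mfa/dave"}},
    {"eventTime": "2017-01-20T19:02:45Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "dave"}},
    {"eventTime": "2017-01-20T19:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::000012345678:assumed-role/Ops/bob"}},
]})

if __name__ == "__main__":
    for f in triage_log_file(SAMPLE_LOG):
        print(f"P{f['priority']} {f['eventName']} by {f['actor']} in {f['region']}: {f['reason']}")
```

The same records land in Athena or a SIEM unchanged, so the watch list doubles as the event-name filter for those searches.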

AWS Security Best Practices Check list

  1. Set up AWS Budgets alerts
  2. Set up Root account security challenge questions
  3. Set up a password policy
  4. Deactivate Regions not required
  5. Document and monitor your access keys; deactivate and cycle them
  6. Enable root IAM and MFA
  7. Update your Incident Response Plan and Digital Forensics Investigation procedures to accommodate AWS
  8. Enable MFA for the AWS Root account
  9. Secure KMS keys
  10. Enable Amazon VPC Flow Logs for your VPCs; they are not enabled by default.
  11. Use AWS Nitro-based EC2 instances, which can mirror traffic from any EC2 instance (A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d).
  12. Use the default DNS service, as it is integrated with CloudTrail and GuardDuty; if you are using a third party for DNS, you need to make sure you can monitor it and correlate it within your SIEM, e.g. Cisco Umbrella is supported by an ArcSight SmartConnector.
  13. Outbound IP address alerting
  14. Deploy CloudWatch agents as part of your SOE – https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/install-CloudWatch-Agent-on-EC2-Instance.html

Understanding Digital Forensics inside AWS

Capability / AWS Services / Digital Forensics

  • Compute
    • AWS Services: Amazon Elastic Compute Cloud (EC2)
    • Digital Forensics: Uses Amazon Machine Images (AMIs) to get started. Multiple OS support. Pay for what you use. Next-gen Nitro infrastructure, created by AWS.
  • AWS Services: Amazon Elastic Block Store (EBS), Amazon Simple Storage Service (S3), Amazon Elastic File System (EFS)
    • Digital Forensics: Amazon S3 offers multiple storage classes for multiple use cases. Amazon EBS is used for the “block device” or hard drive for Amazon EC2 instances. Amazon EFS is used for file sharing storage with two storage classes to choose from.
  • AWS Services: Amazon VPC Flow Logs, Amazon VPC Traffic Mirroring
    • Digital Forensics: Capture information of network traffic going in and out of a VPC.
  • AWS Services: AWS CloudTrail
    • Digital Forensics: User attribution data. Log integrity can be enabled. Can send data to an Amazon S3 bucket for storage/archival.
AWS Digital Forensics


  1. Create a security group that does not allow outbound traffic
  2. Attach to compromised Amazon EC2 instance
  3. Take snapshot of Amazon EC2 instance
  4. Perform memory acquisition, if possible
  5. Share snapshot with Security Account (if using one)
  6. Create volume from snapshot
  7. Attach volume to SIFT EC2 instance
  8. Conduct forensics

Digital Forensic Analysis of Amazon Linux EC2 Instances; https://www.sans.org/reading-room/whitepapers/cloud/digital-forensic-analysis-amazon-linux-ec2-instances-38235


How to Perform a Security Investigation in AWS (a SANS whitepaper)

  • Username—Search by the user’s name
  • Event name—Search by a specific API call (e.g., DeleteTrail)
  • Resource type—Search by an AWS service type (e.g., Amazon EC2 instance)
  • Resource name—Search by a resource name (e.g., instance ID, ENI)
  • Event source—Search results from specific AWS services
  • Event ID—Search based on a unique ID for an AWS CloudTrail event
  • AWS access key—Search by access key to show what was done in a single session
AWS CloudTrail Event Example

VPC Flows


Structure of a VPC Flow Log
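As an added example (not the original post's code) of the record layout this heading refers to, the Python below parses the default version 2 VPC Flow Log format and applies the outbound IP address alerting the checklist later calls for: accepted flows leaving the internal address space for a destination not on an allowlist are reported. The sample records, the internal CIDR and the allowlist are constructed for this example.

```python
"""Parse VPC Flow Log records in the default (version 2) format and flag
outbound flows to destinations outside an allowlist."""
import ipaddress

# Field order of the default VPC Flow Log format (space separated, version 2).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

def parse_record(line):
    """Turn one record into a dict. NODATA/SKIPDATA records carry '-' in the
    address, port and counter fields; those become None rather than failing int()."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def unexpected_outbound(lines, internal_cidrs, allowed_dsts):
    """Return (eni, dst, dstport, bytes) for ACCEPTed flows that leave the
    internal address space for a destination outside every allowed network."""
    internal = [ipaddress.ip_network(n) for n in internal_cidrs]
    allowed = [ipaddress.ip_network(n) for n in allowed_dsts]
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue  # NODATA/SKIPDATA or REJECT: nothing left the VPC
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if not _in_any(src, internal) or _in_any(dst, internal):
            continue  # inbound or internal traffic
        if not _in_any(dst, allowed):
            hits.append((rec["interface_id"], str(dst), rec["dstport"], rec["bytes"]))
    return hits

# Constructed sample records (RFC 5737 test addresses stand in for public hosts).
SAMPLE_LOG = """\
2 123456789010 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.50 49152 443 6 12 3800 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 198.51.100.23 49153 8443 6 90 71000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 1024 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 10.0.2.40 49154 3306 6 40 9000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1418530010 1418530070 - NODATA
""".splitlines()

def demo():
    """Run the check on the sample: 203.0.113.0/24 plays an approved provider's range."""
    return unexpected_outbound(SAMPLE_LOG, ["10.0.0.0/16"], ["203.0.113.0/24"])

if __name__ == "__main__":
    for eni, dst, port, nbytes in demo():
        print(f"{eni} -> {dst}:{port} ({nbytes} bytes) is not on the outbound allowlist")
```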

SOAR Use Cases

How to Improve Security Visibility and Detection/Response Operations in AWS

  • Initial investigation and threat hunting—Analysts need to quickly find evidence of compromise or unusual activity, and often need to do so at scale.
  • Opening and updating incident tickets/cases—Due to improved integration with ticketing systems, event management and monitoring tools used by response teams can often generate tickets to the right team members and update these as evidence comes in.
  • Producing reports and metrics—Once evidence has been collected and cases are underway or resolved, generating reports and metrics can take a lot of analysts’ time.


  • Automated DNS lookups of domain names never seen before
  • Automated searches for detected indicators of compromise
  • Automated forensic imaging of disk and memory from a suspect system, driven by alerts triggered in network- and host-based anti-malware platforms and tools
  • Network access controls automatically blocking outbound command and control (C2) channels from a suspected system

AWS Athena CloudTrail search script examples

CREATE EXTERNAL TABLE cloudtrail_logs (
  eventversion STRING,
  -- the nested useridentity and resources struct fields were dropped in extraction;
  -- restored from the AWS-documented CloudTrail table definition for Athena
  useridentity STRUCT<
    type:STRING,
    principalid:STRING,
    arn:STRING,
    accountid:STRING,
    invokedby:STRING,
    accesskeyid:STRING,
    userName:STRING,
    sessioncontext:STRUCT<
      attributes:STRUCT<
        mfaauthenticated:STRING,
        creationdate:STRING>,
      sessionissuer:STRUCT<
        type:STRING,
        principalId:STRING,
        arn:STRING,
        accountId:STRING,
        userName:STRING>>>,
  eventtime STRING,
  eventsource STRING,
  eventname STRING,
  awsregion STRING,
  sourceipaddress STRING,
  useragent STRING,
  errorcode STRING,
  errormessage STRING,
  requestparameters STRING,
  responseelements STRING,
  additionaleventdata STRING,
  requestid STRING,
  eventid STRING,
  resources ARRAY<STRUCT<
    ARN:STRING,
    accountId:STRING,
    type:STRING>>,
  eventtype STRING,
  apiversion STRING,
  readonly STRING,
  recipientaccountid STRING,
  serviceeventdetails STRING,
  sharedeventid STRING,
  vpcendpointid STRING
)
ROW FORMAT SERDE 'com.amazon.emr.hive.serde.CloudTrailSerde'
STORED AS INPUTFORMAT 'com.amazon.emr.cloudtrail.CloudTrailInputFormat'
OUTPUTFORMAT 'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION 's3://mycloudtrailbucket-faye/AWSLogs/757250003982/';

-- the search itself (the original fragment had lost its SELECT clause)
SELECT *
FROM cloudtrail_logs
LIMIT 100;




GetLogEvents supports 10 requests per second per account per Region
  • Each request has a limit of 1MB to 10000MB (10GB)
  • 1MB equals around 10,000 log events, so up to 100 million log events per request.
  • Hence, with 10 requests per second it will capture up to 1 trillion log events per second.


GetLogEvents 10 requests per second per account per Region. This limit cannot be changed. We recommend subscriptions if you are continuously processing new data. If you need historical data, we recommend exporting your data to Amazon S3.

Amazon Web Services – security best practice rules

Amazon Web Services best practice rules

Design Principles


  • Implement a strong identity foundation
    • Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.
  • Enable traceability
    • Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics with systems to automatically respond and take action.
  • Apply security at all layers
    • Rather than just focusing on protection of a single outer layer, apply a defense-in-depth approach with other security controls.
  • Automate security best practices
    • Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Implement controls that are defined and managed as code in version-controlled templates.
  • Protect data in transit and at rest
    • Classify your data into sensitivity levels and where appropriate, use mechanisms like encryption and access control.

  • Enforce the principle of least privilege
    • Access to data should only be granted to the people who really need that access. Start with denying access to everything and grant access as needed.
  • Prepare for security events
    • Prepare for an incident by having an incident management process that aligns to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.


AWS Security Tools

  • CloudWatch
  • CloudTrail
  • Shield
  • Inspector
  • Trusted Advisor
  • KMS
  • IAM – Policy – (Explicit Deny Rights)
  • Artifact
  • IAM logging
  • Well-Architected best practices
  • GuardDuty

Cloud Conformity covers the AWS services below according to these rules

Amazon FSx

AWS Exploits

Top Threats to Cloud Computing The Egregious 11

AWS Security Information