The root user’s email address can’t be reused if you close an account.
Use plus email addressing ([email protected]). Plus addressing means any email sent to [email protected] is still delivered to your account, so you can have a lot of variations on your email address to give out to different people, sites, or mailing lists. https://www.fastmail.help/hc/en-us/articles/360060591053-Plus-addressing-and-subdomain-addressing#:~:text=Plus%20addressing%20means%20any%20email,%2C%20sites%2C%20or%20mailing%20lists.
Maintained the list of addresses in an Excel spreadsheet; never even bothered doing the PW recovery, as when you generate an account via Org it only asks for the email address, and in order to retrieve the PW you have to do the forgot-your-PW process.
This blog is mainly a list of tools to expose and test entry points into AWS, Azure and GCP. My next goal is to implement these tools and develop some YouTube videos, then after that develop actual detection and mitigation strategies.
AWS Security Tools
AWS – Easy to get started, changes daily, difficult to secure and harder to know if you are “doing it right”. AWS has 1000s of APIs; are you confident they are all secure? Have a good night’s sleep.
AWS innovates really quickly. AWS sends out a lot of new features that continually change the game in terms of how a central security team can approach security, monitor security, or author their permissions. Keeping up with all of this game-changing information is really, really hard. I follow Twitter and the What’s New announcements for up-to-date information, and of course the AWS Security Blog: https://twitter.com/awssecurityinfo?lang=en
Example Corp requires access to certain resources in your AWS account. But in addition to you, Example Corp has other customers and needs a way to access each customer’s AWS resources. Instead of asking its customers for their AWS account access keys, which are secrets that should never be shared, Example Corp requests a role ARN from each customer. But another Example Corp customer might be able to guess or obtain your role ARN. That customer could then use your role ARN to gain access to your AWS resources by way of Example Corp. This form of permission escalation is known as the confused deputy problem.
Limiting instance metadata service access: you can consider using local firewall rules to disable access from some or all processes to the instance metadata service.
Pacu is an open source AWS exploitation toolkit written by Rhino Security Labs. It was built to aid penetration testers in attacking AWS environments; so, now we will quickly install and set up Pacu to automate these attacks that we have been trying.
What is the required trust relationship between Active Directory and AWS SSO?
ADFS is a trusted identity provider in AWS.
AWS is a trusted relying party in ADFS.
In a VPC, all subnets are routed to each other by default. How can you prevent network traffic between them?
ACLs and Security Groups.
Remove the default routes.
ACLs and IAM Policies.
Answer: ACLs and Security Groups.
Your company is serving content through a CloudFront distribution. Your IR team wishes to review data to identify possible indicators of compromise or anomalous events. In particular they are looking for the source IP address, the original request, the referrer and protocol information. Where should they look for this data?
CloudFront access logs for the distribution.
You need to create a logging strategy for your company’s accounts. The logging data must be kept securely and be readily usable for 90 days. After 90 days, the logs probably will not be required, but must still be retained for compliance for 10 years. What solution ensures that your logs are securely retained for the entirety of the required duration in the most cost-effective manner?
Send all logs to central logging account S3 bucket. Ensure that the bucket is protected with a bucket policy that only allows read access to security admins, denying all other access. Create a lifecycle policy that automatically moves the data to Amazon S3 Glacier after 90 days, and then automatically deletes the logs after 10 years.
Your company has created a centralised logging account where all AWS CloudWatch and AWS CloudTrail logs are delivered. You’ve created a new account using AWS CloudFormation. In this account, you’ve built a Lambda function to stream the generated logs and send them to your logging account’s S3 bucket. When completing a test run of your Lambda function, a 403 error is returned. What change will quickly resolve this issue without sacrificing security best practices?
Change your permissions statement on the Lambda function to allow access to the logging account S3 bucket.
A recent security review discovered that your company’s ecommerce site accepts an SSL session with a non-compliant cipher. You must prevent this specific cipher from being used to secure a client’s session when communicating to and from the elastic load balancer. What steps should you take?
Create a custom security policy without the cipher included. Apply the policy to the ELB identified in the security scan.
You are responding to a DDoS attack on your company’s application. The application is composed of a dynamic website running on EC2 instances behind a CloudFront distribution. The attack is being launched from a large number of IP addresses across many different countries. The attack is targeting valid URIs, but seems to have a common misspelling in the query strings that are passed. What quick solution could you implement to block this attack?
Write an AWS WAF ACL matching the misspelled query string, attach it to an AWS WAF rule to deny, and associate this AWS WAF rule with the application’s CloudFront distribution.
Your company has a public-facing three-tiered application that uses an ALB in front of the presentation layer and a second ALB connecting the presentation layer to the application layer. The application is being targeted by a variant of a sophisticated SQL injection attack. The attacks are coming from blocks of IP addresses that are in use by existing legitimate customers. What is the easiest way to protect your applications?
Block the attack by implementing AWS WAF and use rules that look for SQL injection.
Your company, BigBank, has set up automated penetration testing and vulnerability analysis from servers under their control (on EC2 instances). This is working well, but you notice that it is causing excessive numbers of alarms in Amazon GuardDuty. What is the simplest way to hide these false positives?
Allocate an elastic IP address for the EC2 instances and then update the trusted IP address list in GuardDuty.
You are building a mobile app for consumers to post images online. You will be storing the images in Amazon S3. You want to implement user authentication cheaply and simply. Which one of these options allows you to build a photo-sharing application that meets the cost and effort requirements?
Build the application using AWS Cognito and web identity federation to allow users to log in using Facebook or Google accounts. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS like Amazon S3.
You are the security architect at BigPharma and you are concerned about infrastructure security for EC2 instances. In particular, you know that your company’s developers will want to make API requests from those instances. What should you recommend as a best practice?
Developers should use IAM roles to grant permissions to EC2 instances. They should create multiple re-usable roles and assign the one that matches the least privileges required.
You are the security administrator at BigPhoneCompany, the national telecommunication carrier. You want to be able to automate isolation of specific instances in several public subnets that contain EC2 instances. What is the simplest way to do this?
Create a Lambda function that modifies the security group to block inbound traffic.
A corporate web application is deployed within an Amazon Virtual Private Cloud (Amazon VPC) and is connected to the corporate data centre via an IPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an S3 keyspace specific to that user. Which approaches can fulfil these goals?
The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls AWS STS to assume that IAM role. The application can use the temporary credentials to access the bucket.
Develop an identity broker that authenticates against LDAP and then calls AWS STS to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the bucket.
Your organisation has hundreds of developers, testers and QA staff. You are about to begin using AWS on a large scale for the first time. You want to integrate with your existing identity management system running on Microsoft Active Directory. How should you manage your AWS identities in the simplest manner?
Use a large AWS Directory Services AD Connector.
You have a client whose application creates extremely sensitive data from user input. This data needs to be securely transmitted to a data store and requires end-to-end encryption with controlled access to the sensitive data. Which of the following options offer the most data protection while still making the data available to authenticated users?
Upload the data to Amazon S3, and make sure the bucket has a policy to only allow put/get access if secure transport is enabled, using AES-256 SSE-S3 managed encryption keys.
When using an encrypted file system to protect your data at rest, what steps are required to ensure that you protect your data and metadata in the most cost-effective and simple manner?
Create an Amazon Elastic File System (Amazon EFS) using AWS KMS key encryption.
Create an Amazon CloudWatch alarm to detect unencrypted file system.
You have been tasked with creating a strategy to enforce encryption of your data in transit. What can you do to ensure that your data is protected in transit?
Enable HTTPS listeners for your load balancers. Don’t allow non-protected ports in your load balancer security group.
Your company needs to monitor active/realtime traffic (for full packet analysis and replay capture) within their AWS environment. They would like to do full packet analysis of traffic to/from specific EC2 instances. What is the easiest way to do this?
Use an AMI from AWS Marketplace that supports packet capture and route tables to direct traffic through it.
An application running on an Amazon Elastic Compute Cloud (Amazon EC2) instance must use user credentials to access a database. The developer has stored those secrets in the AWS Systems Manager Parameter Store using the default AWS Key Management Service (AWS KMS) customer master key. Which steps allow the application to access the secrets via the API? (Select TWO.)
Add permissions to read the Systems Manager parameter to the EC2 instance role.
Add permission to use the AWS KMS key to decrypt to the EC2 instance role.
A company is using AWS CloudTrail to log all AWS API activity for all Regions in all of its accounts. The chief information security officer has asked the team to take additional steps to protect the integrity of the log files. Which steps will protect the log files from unintentional changes? (Select TWO.)
Create an Amazon S3 bucket in a dedicated log account and grant the other account write-only access. Deliver all log files from every account to the S3 bucket.
Enable CloudTrail logs file integrity validation.
A company requires that data stored in AWS be encrypted at rest. Which approaches best achieve this requirement? (Select TWO.)
When storing data in Amazon EBS, encrypt the volume using AWS KMS.
When storing data in Amazon S3, enable server-side encryption.
A company is deploying a new web application on AWS. Based on the company’s other web applications, it anticipates being the target of frequent distributed denial of service (DDoS) attacks. Which steps can the company use to protect its application? (Select TWO.)
Use an Application Load Balancer and an Auto Scaling group to scale and absorb application-layer traffic.
Use Amazon CloudFront to prevent malicious traffic from reaching the application.
A security engineer must ensure the monitoring of all infrastructure launched in the company AWS account for deviation from compliance rules. Specifically, the engineer must ensure that all EC2 instances launch from a specific list of Amazon Machine Images (AMIs) and that all attached Amazon EBS volumes are encrypted. The security engineer must terminate infrastructure that is not in compliance. What are the best solutions to ensure compliance rules are enforced? (Select TWO.)
Trigger an AWS Lambda function from a scheduled CloudWatch event that terminates non-compliant infrastructure.
Monitor compliance with AWS Config rules triggered by configuration changes.
A company currently has an Amazon S3 bucket hosted in an AWS account. The bucket holds information that a partner account needs to access. What are the most secure ways to allow the partner account to access the S3 bucket in the AWS account? (Select TWO.)
Ensure that the partner uses an external ID and then makes the request.
Provide an Amazon Resource Name (ARN) for the role to the partner account.
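The external ID behind this answer, and the confused deputy problem described earlier on this page, are easiest to understand by evaluating a role trust policy by hand. The following is an added example, not code from the original page: a constructed trust policy that trusts the Example Corp account only when the agreed sts:ExternalId is supplied, plus a small evaluator that models how IAM answers four AssumeRole requests against it. The account IDs and the external ID value are made-up placeholders.

```python
import json

# Constructed trust policy for a cross-account role that Example Corp assumes on
# the customer's behalf. Account IDs and the external ID are made-up placeholders.
EXAMPLE_CORP_ACCOUNT = "111111111111"
CUSTOMER_EXTERNAL_ID = "example-corp-customer-42"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{EXAMPLE_CORP_ACCOUNT}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": CUSTOMER_EXTERNAL_ID}},
        }
    ],
}


def assume_role_allowed(trust_policy, caller_account, external_id=None):
    """Model of how the role's trust policy answers an AssumeRole request.

    caller_account is the 12-digit account the call comes from; external_id is
    the ExternalId parameter (None when omitted). Only what this policy uses is
    modelled: an 'AWS' account principal and a StringEquals on sts:ExternalId.
    """
    caller_arn = f"arn:aws:iam::{caller_account}:root"
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt["Principal"].get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if caller_arn not in principals:
            continue  # not a trusted principal at all
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue  # trusted principal, but the per-customer secret is wrong or missing
        return True
    return False


def demo():
    """Four requests against the same role ARN."""
    return {
        # Example Corp acting for this customer, passing the ID agreed with them
        "example_corp_with_id": assume_role_allowed(
            TRUST_POLICY, EXAMPLE_CORP_ACCOUNT, CUSTOMER_EXTERNAL_ID),
        # Example Corp omitted the ExternalId entirely
        "example_corp_without_id": assume_role_allowed(
            TRUST_POLICY, EXAMPLE_CORP_ACCOUNT),
        # Another Example Corp customer handed this role ARN to Example Corp;
        # Example Corp calls with *that* customer's ExternalId, so the call fails
        "confused_deputy_attempt": assume_role_allowed(
            TRUST_POLICY, EXAMPLE_CORP_ACCOUNT, "example-corp-customer-7"),
        # A call straight from an unrelated account is rejected on the principal
        "direct_call_from_other_account": assume_role_allowed(
            TRUST_POLICY, "222222222222", CUSTOMER_EXTERNAL_ID),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the third case is that the external ID is something Example Corp sets per customer and never lets a customer choose, so knowing another customer's role ARN is not enough to reach their resources through Example Corp.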
A company has mandated that all calls to the AWS KMS service be recorded. How can this task be achieved?
Enable trails in AWS CloudTrail
A company has enabled automatic key rotation for an existing customer master key (CMK) where the customer manages the backing key, when is the CMK rotated?
After 1 year
An AWS Lambda function reads metadata from an Amazon S3 object and stores the metadata in an Amazon DynamoDB table. Storing an object within the S3 bucket triggers the function. How should a company give the Lambda function access to the DynamoDB table?
Create an IAM role with permissions to write to the DynamoDB table. Associate the role with the Lambda function.
A company has an EC2 instance set up in a test environment in AWS. The developer installed the required application and then promoted the server to a production environment. The IT security team has advised that there may be traffic flowing in from an unknown IP address to port 22. How can the developer immediately mitigate this situation without impacting the application?
Remove the rule for incoming traffic on port 22 for the security group.
Each day, a security team must brief the chief information security officer with a report about which of hundreds of Amazon EC2 instances and on-premises servers lack the latest security patches. The security team must bring all instances and servers into compliance within 24 hours so they do not show up on the next day’s report. How can the security team fulfill these requirements?
Use AWS Systems Manager Patch Manager to generate the report and install the missing patches on all instances and servers.
A company is hosting a website that must be accessible to users for HTTPS traffic. Port 22 should be open for administrative purposes. Which security group configurations are the MOST secure but still functional to support these requirements? (Select TWO.)
Port 443 coming from 0.0.0.0/0
Port 22 coming from 10.0.0.0/16
A company has defined a number of Amazon EC2 instances over a period of 6 months. The company wants to know if any of the security groups allow unrestricted access to a resource. Which option best accomplishes this requirement?
Use AWS Trusted Advisor to see which security groups have compromised access.
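As an added example (not from the original page, and not Trusted Advisor's own check), the following script reviews security group rules in the shape returned by the EC2 DescribeSecurityGroups API and flags anything open to 0.0.0.0/0 or ::/0 beyond TCP 443/80, treating a world-reachable port 22 as the high-severity case. It also shows the quick fix from the earlier question of removing the port-22 rule while leaving the application's other rules alone. The group IDs, CIDRs and the list of approved public ports are constructed assumptions.

```python
from copy import deepcopy

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports a public web tier is expected to expose to the whole internet (assumption)
PUBLIC_OK_PORTS = {80, 443}

# Constructed sample in the shape of the EC2 DescribeSecurityGroups "IpPermissions"
# structure. Group IDs and CIDRs are made up for the example.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0example1",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0example2",
        "GroupName": "promoted-from-test",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def _world_cidrs(perm):
    """CIDRs in this rule that mean 'anyone on the internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _port_range(perm):
    # IpProtocol "-1" means all protocols, and therefore every port
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def review_security_groups(groups):
    """Findings for inbound rules open to the whole internet, except a single
    approved public port over TCP."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            world = _world_cidrs(perm)
            if not world:
                continue
            lo, hi = _port_range(perm)
            if perm.get("IpProtocol") == "tcp" and lo == hi and lo in PUBLIC_OK_PORTS:
                continue
            findings.append({
                "group": sg["GroupId"],
                "name": sg["GroupName"],
                "ports": str(lo) if lo == hi else f"{lo}-{hi}",
                "cidrs": world,
                # an administrative port reachable from anywhere is the urgent case
                "severity": "HIGH" if lo <= 22 <= hi else "MEDIUM",
            })
    return findings


def without_world_ssh(sg):
    """Copy of a group with every rule that exposes port 22 to the internet removed;
    all other rules, and therefore the application's traffic, are left alone."""
    fixed = deepcopy(sg)
    fixed["IpPermissions"] = [
        p for p in fixed["IpPermissions"]
        if not (_world_cidrs(p) and _port_range(p)[0] <= 22 <= _port_range(p)[1])
    ]
    return fixed


if __name__ == "__main__":
    for finding in review_security_groups(SECURITY_GROUPS):
        print(finding)
```

Against real data the same functions can be fed the IpPermissions structure from the describe-security-groups output, one region at a time.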
A company wants to have a secure way of generating, storing, and managing cryptographic keys. The company also wants to have exclusive access for the keys. Which option can the company use for this purpose?
Use AWS CloudHSM
Which AWS service manages authentication from social sign-in providers for mobile applications?
AWS Cognito
What can be used to troubleshoot network issues, including traffic going into and out of your instances?
VPC Flow logs
Which statements below correctly describe the AWS Global infrastructure? Select TWO.
Availability Zones consist of one or more data centers.
Regions have geographically dispersed Availability Zones.
Which of the statements below provides an example of how AWS helps customers meet their security and compliance needs?
AWS assists customers in integrating their existing control frameworks.
Which statement below is performed by AWS as an example regarding security OF the cloud?
Decommissioning storage devices according to NIST 800-88
What type of AWS credentials is required to SSH directly into an Amazon EC2 instance?
EC2 key pairs
Which statement is true when describing your AWS account root user credentials?
They provide unrestricted access to your AWS account resources.
How can AWS CloudFormation be used in an incident response solution?
Deploying pre-configured instances for forensics analysis
Where can you find account activity information on API calls performed via the AWS Management Console or the AWS CLI?
AWS CloudTrail logs
Which AWS service feature helps secure your Amazon VPC resources by providing isolation at the instance level?
Security groups
Which AWS services below can be used in tandem to help protect against DDoS attacks? Select THREE.
Amazon CloudFront
Amazon Route 53
AWS Shield
Which feature helps secure your Amazon VPC resources by providing isolation at the subnet level?
Network ACLs
Which statement is true regarding the AWS Well-Architected Tool?
It provides information on potential risks in your workload.
Which statement is true regarding Amazon S3 default (SSE-S3) server-side encryption?
Amazon S3 generates and manages the encryption keys.
Which AWS services/features can be used to provide data protection at rest and in transit? Select THREE.
AWS KMS
AWS Certificate Manager
VPN connectivity
Your security team has been informed that one of your IAM username/passwords pairs has been published to social media and has been used several times by unauthorized sources. How can the security team stop the unauthorized access, and determine what actions were taken with the compromised account, with minimal impact on existing account resources?
Immediately change the IAM user password, and analyze CloudTrail logs for unauthorized actions.
An application running in EC2 has a requirement for independent, periodic security checks against the application code. These checks can send notifications upon warning, but for critical alerts they must shut down the application in the instance. How can your security team perform these checks without injecting code into the application, while meeting the notification and active response requirement?
Deploy a second application on the EC2 instance with the security audit code. Send security audit results to CloudWatch Events, and create a rule to send warning events to SNS, and critical events to SSM Run Command to stop the application.
You’ve been asked to stream application logs from CloudWatch Logs to Splunk. There is an existing subscription filter on the log group, set up for Kinesis Firehose to S3. What is the most appropriate way to ingest the logs in near real-time for Splunk analysis?
Enable Source record transformation on the Kinesis Firehose. Create a Lambda function using the Splunk blueprints which decompresses the log entries and pushes to Splunk.
AWS Notepad; Getting started on AWS, complete noob
I passed a number of AWS certs; frankly they were a waste of my time, as they didn’t cover the basics of USING the software. There is no better way to gain experience than hands-on use of the software.
Here are some basic but vital bits that should be covered somewhere, but of course aren’t very clear.
Create an account; this is your root (master) account. Straight away you need to do a few things:
Set up billing budgets, to make sure you don’t accidentally exceed your usage.
Set up your mobile phone with access to the AWS Console, so you can quickly shut down VMs if you left them on.
Set up MFA for your ROOT user.
Create an IAM user with permissions and then use that IAM user to do stuff instead of the root user.
Deactivate regions not required
AWS Default networking
Your default AWS account will have an existing VPC, subnets, security groups and internet gateway all configured. If you delete them it’s just going to make your life difficult, so keep them. You can always re-create them via support if needed. But just keep them.
On the top right you can select the Region you want to build in. Make sure you save the AWS Console URL for the corresponding Region,
e.g. https://ap-southeast-2.console.aws.amazon.com/
Each Region will have defaults
Default VPC per Region
Default Subnet per physical DC, called an Availability Zone.
Default Security Group
Route Table
Default Internet Gateway, provides Ingress and Egress internet access for attached VPC
Default Network ACL for the VPC
Creating separate tenants under the same billing account: AWS has a bit of a limit, where each tenant is self-contained and you really can’t create complete separation for an environment or multiple tenants within one account; the only option is using AWS Organisations:
Set up the billing tenant with your payment options.
Create AWS Organisations.
Create a separate AWS account with a different email address.
Invite the other AWS accounts into AWS Organisations and set up Service Control Policies.
This way you can have Prod, DR, Test and Dev AWS accounts which are completely separate but still under control from AWS Organisations.
This is still crap IMO; it would be better if you could create multiple accounts using the same email address.
With a practical and tangible action plan – not just theoretical fluff ignored by hackers.
Firstly, as much as AWS want to advertise they are secure, enabling logging and monitoring in AWS is:
Not straightforward.
Missing a lot of information from AWS, which falls under your shared responsibility. (The Public Cloud Security Get Out of Jail Card.)
There are so many ways to skin the cat, but no real best practices.
You need to be well aware of the service limits.
AWS releases new products that don’t exist anywhere else, so you have no idea what can be abused/exploited and how to detect these threats. (Of course, no one is going to question a Behemoth, because everyone wants to work for them! Right.)
They always advise you that the product is documented, but don’t give you any advice on business outcomes and gaps.
Check the AWS HCL – people look at the features, but a basic tenet of solution architecture is to check the HCL (Hardware Compatibility List). This applies to AWS too, where you need to check what is not supported.
AWS (complementary and additive) native Architecture.
AWS forces you to use all of their services for a single requirement, making Bezos a trillionaire. It’s a nonsensical intricate web where no one has a farking clue what is going on. Look at this as an example from the Security Hub FAQ:
Q: Will Security Hub replace the consoles of our other security services, such as Amazon GuardDuty, Amazon Inspector, or Amazon Macie?
No. Security Hub is complementary and additive to the AWS security services. In fact, Security Hub will link back into the other consoles to help you gain additional context. Security Hub does not replicate the setup, configuration, or specialised features available within each security service.
CloudTrail can also send logs into CloudWatch Logs (I have no clue why you would need to do that...)
Also, another one: DNS traffic is not captured in VPC Flow Logs, VPC Flow Logs are not real-time, and they also do not support some instance types:
You can’t modify a Flow Log’s configuration parameters once it is created. Instead, you have to delete it and create a new log. That’s not difficult, but it’s a bit annoying from a usability perspective.
Network interfaces with multiple IP addresses will have data logged only for the primary IP as the destination address. This makes Flow Logs less useful in configurations involving multiple IPs on a single interface.
Flow Logs exclude traffic related to DHCP requests and Amazon DNS activity. (Traffic for a non-Amazon DNS server is logged.) In many cases, this may not matter, but it is a limitation if you need to troubleshoot an issue with your site related to DHCP or DNS. For example, you may be experiencing poor performance due to slow DNS resolution. There are also valuable security insights that you can glean from DHCP and DNS traffic, such as detecting packet sniffing attempts by looking for unusual rates of IP conflicts, usage of the same MAC address by multiple hosts or the sharing of DNS records by machines with the same IP address.
When exec decided to digitally transform into AWS, did they evaluate the cost of talent? AWS isn’t a single product; as of this writing it is 170 products that get upgraded and changed on a daily basis. Did you assess this risk? Of course you didn’t. Oh yeah, don’t get me started on the multi-cloud stupidity.
This is why AWS is just so easy to master! And also super easy to secure! 🙂 🙂 🙂 🙂
“Nobody got fired for buying IBM”, old proverb. Now it’s Public Cloud!
AWS Security Actionable Security Monitoring Plan
You should make sure you get a clear answer from AWS for the following questions;
So you’re logging, that’s great... what are you detecting?
What is your best practice for sending logs into a central SIEM?
Can you list top use cases AWS cover/detect?
Threat Detection SOC Use cases;
Essentially, you need to log everything centrally (for investigations and compliance) and do threat detection. What are you logging and what can you detect? You should run a Red Team against this configuration to see what you can detect or not.
From a Security Operations perspective, the following are the key use cases required to support your Incident Response Plans:
Threat Detection and Alerting.
Governance and Compliance Reporting.
Investigation Searches and Digital Forensics.
Cloud Control Plane vs Cloud Data Plane Concept
To establish baseline monitoring, security teams should gather and process the following:
Cloud control plane logs (such as AWS CloudTrail logs)
Data Plane Workload OS/application logs
AWS Product (Access Logs)
Network flow logs for virtual private clouds (VPCs)
Inventory your threat landscape and exposure
Requirements for Threat Detection
Event Sources
Metrics
UpStream Security Monitoring
Detection Rules
Cloud Control Plane Logging
First, there’s the idea of a control plane. The control plane is the master controller (usually in the form of a master node) and includes API services, scheduling capabilities for containers and operational management tools/services. A master-level configuration database is also maintained in the control plane. In general, the control plane can be considered the brains of the Kubernetes infrastructure, and it needs to be very carefully protected.
Focus on the types of events that could be problematic to the environment. Examples include critical assets accessed or changed, identity policies modified, cryptographic keys deleted or changed, and so on.
Data Plane
AWS Product Access Logs
On top of the control and data plane, you need to consider the access logs for specific AWS products/services. For services such as Amazon CloudFront, the access logs are not captured via the control plane; therefore you need to capture access logs, account activity, and configuration:
AWS Detective
AWS Budget
Billing alarms—These are key! If you have a reasonable idea of a monthly billing range, you can break this down to define “checkpoints” that your bill should be at any given time. If these thresholds are crossed, a billing alarm can alert you so you can investigate the reason for the additional cost. Tools like AWS Budgets provide simple alerting and reporting for cloud billing.
Resources and resource utilization—Cloud control plane logs from services like AWS CloudTrail can (and should) be heavily leveraged to monitor new, modified and deleted assets in the environment, as well as access to assets and service interaction in the cloud environment. These logs need to be integrated with a SIEM and/or cloud-native cloud monitoring solution like Amazon CloudWatch to build the appropriate triggers for alerting, as well as monitoring and reporting metrics as warranted. Some behavioral trending over time can also be assessed and reported through analytics tools like AWS Security Hub and Amazon GuardDuty, as well
https://console.aws.amazon.com/billing/home#/
Amazon CloudWatch filters
Activity in specific regions—One of the best quick wins for security teams is to purposefully disable all geographic regions not in use; a follow-up to this is enabling explicit monitoring for cloud control plane logs (like AWS CloudTrail) to look for any activity in regions marked as “not in use” or “disabled.” A common tactic intruders use for malicious activities like cryptocurrency mining is to create unauthorized assets and workloads in unused regions to “buy time” before detection. Teams should consider any alert for activity in an unauthorized or unused region a high priority.
Monitor your user activity within the cloud. Admins, in particular, should be monitored carefully, because these accounts are prime targets for attackers. Any nonfederated user access should also be a high priority.
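As an added example, not part of the original page: a scanner over constructed CloudTrail-style records that implements the two checks just described, activity in any Region outside the set actually in use, and activity by the root user or by non-federated IAM users. The Region allow-list, account ID, ARNs and addresses are assumptions chosen for the example; the field names (awsRegion, userIdentity.type, eventSource, eventName, sourceIPAddress) and the top-level "Records" array are the ones CloudTrail log files use.

```python
import json

# Regions this (constructed) account actually builds in; anything else should be
# disabled, and activity there treated as high priority.
REGIONS_IN_USE = {"ap-southeast-2"}

# Identity types that are not federated: long-lived IAM user credentials, or root
NON_FEDERATED = {"IAMUser", "Root"}

# Constructed CloudTrail-style records (a subset of the real fields).
# Account id, ARNs and addresses are made up for the example.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-01T01:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/deploy/ci"}},
    {"eventTime": "2021-03-01T01:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob",
                      "arn": "arn:aws:iam::123456789012:user/dev-bob"}},
    {"eventTime": "2021-03-01T02:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "198.51.100.4",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventTime": "2021-03-01T02:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "ap-southeast-2",
     "sourceIPAddress": "10.0.0.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/readonly/alice"}},
]

# What a delivered CloudTrail log file looks like once decompressed: a JSON
# object whose "Records" array holds the events.
SAMPLE_FILE_TEXT = json.dumps({"Records": SAMPLE_EVENTS})


def scan_events(events, regions_in_use=REGIONS_IN_USE):
    """Return one finding per rule hit; an event can trigger more than one rule."""
    findings = []
    for ev in events:
        identity = ev["userIdentity"]
        base = {
            "time": ev["eventTime"],
            "who": identity.get("arn", identity["type"]),
            "event": f'{ev["eventSource"]}:{ev["eventName"]}',
            "region": ev["awsRegion"],
            "source_ip": ev["sourceIPAddress"],
        }
        # Rule 1: any API activity in a Region we do not use (e.g. unexpected
        # RunInstances somewhere we never build) is high priority.
        if ev["awsRegion"] not in regions_in_use:
            findings.append({**base, "rule": "activity-in-unused-region", "severity": "HIGH"})
        # Rule 2: root activity is always high; other non-federated (IAM user)
        # activity is worth a look because those credentials are long-lived.
        if identity["type"] == "Root":
            findings.append({**base, "rule": "root-user-activity", "severity": "HIGH"})
        elif identity["type"] in NON_FEDERATED:
            findings.append({**base, "rule": "non-federated-user-activity", "severity": "MEDIUM"})
    return findings


def scan_cloudtrail_file_text(text, regions_in_use=REGIONS_IN_USE):
    """Parse the JSON body of a CloudTrail log file and scan its Records."""
    return scan_events(json.loads(text)["Records"], regions_in_use)


if __name__ == "__main__":
    for finding in scan_cloudtrail_file_text(SAMPLE_FILE_TEXT):
        print(json.dumps(finding))
```

The same two rules translate directly into CloudWatch Logs metric filters or EventBridge patterns once CloudTrail is delivered to CloudWatch Logs; the script is just the offline form that lets you test the logic against sample records first.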
Network Security
VPC Flow Logs for your VPCs; they are not enabled by default.
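Once VPC Flow Logs are enabled, the default record format is simple to work with, and the limitations listed earlier on this page (no traffic to the Amazon DNS resolver, records with NODATA or SKIPDATA status) are worth handling explicitly. The following is an added example, not code from the original page: a parser for default-format flow log lines with constructed sample records, a REJECT count per source address, and a check for inbound TCP/22 flows from outside an allowed network. The account, ENI, addresses and the allowed network are made-up values.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records. Account and ENI ids and addresses are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# internet sources. One NODATA record is included to show how it is skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0example1 10.0.1.5 10.0.0.12 51234 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0example1 203.0.113.7 10.0.0.12 40022 22 6 12 1800 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0example1 198.51.100.9 10.0.0.12 33001 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789012 eni-0example1 198.51.100.9 10.0.0.12 33002 3389 6 1 60 1418530010 1418530070 REJECT OK
2 123456789012 eni-0example1 - - - - - - - 1431280876 1431280934 - NODATA
2 123456789012 eni-0example1 10.0.0.12 10.0.1.5 443 55120 6 30 9000 1418530010 1418530070 ACCEPT OK
"""

TCP = 6
# Networks from which administrative SSH is expected (constructed assumption)
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("10.0.0.0/16")]


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts. Records whose log-status
    is not OK (NODATA, SKIPDATA) carry '-' in the traffic fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def reject_counts(records):
    """Number of REJECTed flows per source address (a cheap scanning indicator)."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def ssh_from_outside(records, allowed=ALLOWED_SSH_SOURCES):
    """Inbound TCP/22 flows whose source is not in an allowed network.
    ACCEPTed hits are the urgent finding (the port is actually reachable);
    REJECTed ones still show who is probing."""
    hits = []
    for r in records:
        if r["protocol"] != TCP or r["dstport"] != 22:
            continue
        src = ipaddress.ip_address(r["srcaddr"])
        if any(src in net for net in allowed):
            continue
        hits.append((r["srcaddr"], r["dstaddr"], r["action"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("parsed", len(recs), "records")
    print("rejects by source:", dict(reject_counts(recs)))
    for hit in ssh_from_outside(recs):
        print("ssh from outside:", hit)
```

Note that nothing in the sample, or in real flow logs, will show a lookup to the Amazon-provided resolver: that traffic is simply absent, so a DNS-based detection needs Route 53 Resolver query logs or a host-level source instead.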
Endpoint Security
AWS Inspector
AWS Config
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
However, AWS Config only collects information about EC2/VPC-related resources, not everything in your AWS account.
You should monitor changes to your AWS real estate and ensure all changes are via ITIL Change Management and/or approved automation only.
Firstly, you need to understand what AWS services and/or devices are in scope, then map them to your AWS native security logging into ArcSight SmartConnectors.
Click on Resource Groups next to AWS Services on your AWS console page, select All Regions in the region field and All Resources in the resources field. You will get the list of all resources up and running in your AWS account. You can even tag them separately so you can check how much each resource is costing you. If there is any other way, for example through the AWS CLI, I am curious to know it.
Adding context—If logs can be “tagged” as originating from a specific ISP or CSP, that can help provide context on the use cases of the service. For example, logs from identity management services like AWS Identity and Access Management (IAM) have a specific user context, whereas events from Amazon EC2 may need additional details about workloads to provide the proper context for evaluation.
SELECT
    resourceId,
    resourceName,
    resourceType,
    relationships
WHERE
    relationships.resourceId = 'vpc-#######'
What do you use: AWS SecurityHub, GuardDuty, CloudWatch, CloudTrail or EventHub?
The answer is that all of these are complementary and additive services. So let’s examine each of them and their primary use cases. It’s best to begin with your use cases in terms of SOC operations and threat detection:
Investigation and Search
Governance and Reporting
Threat Detection and Alerts
AWS GuardDuty vs CloudTrail vs SecurityHub vs CloudWatch: each acts as an aggregation point for other AWS services, and each is supported by a corresponding ArcSight SmartConnector. You need to determine where you want to do threat detection and where to hold raw logs for long-term retention and investigation.
AWS GuardDuty, CloudTrail, SecurityHub and CloudWatch act as aggregation points for other AWS services, which are supported by corresponding ArcSight SmartConnectors. This is where the AWS (complementary and additive) native architecture comes into play:
Data Plane -> AWS EC2 -> Windows (SYSMON/WEC/WEF) -> ArcSight SmartConnector -> ESM/Logger
Data Plane -> AWS EC2 -> Linux (AuditD/Syslogs) -> ArcSight SmartConnector -> ESM/Logger
ArcSight SmartConnector for WiNC (Windows Native Connector) is the recommended collector for production environments.
Windows Event Collection (WEC) and Windows Event Forwarding (WEF) are native Microsoft technologies that support Windows event log collection in a Windows environment.
The WiNC SmartConnector can collect "Forwarded Events or other WEC logs from local or remote hosts". You should therefore design a suitable Windows Event Forwarding architecture for your organization and deploy the connector either:
directly on the WEF aggregation point (the WEC server), or
remotely on another Windows Server, connecting to one or many WEC server(s) to collect their forwarded events.
The product name is SmartConnector for Microsoft Windows Event Log – Native (WiNC).
ArcSight SmartConnector for AWS Security Hub supports the AWS (complementary and additive) native architecture. Supported data flows:
AWS Firewall Manager -> AWS Security Hub -> ArcSight SmartConnector for AWS Security Hub
AWS Identity and Access Management roles -> IAM Access Analyzer -> AWS Security Hub -> ArcSight SmartConnector for AWS Security Hub
AWS CloudTrail (plus VPC Flow Logs and Route 53 DNS logs) -> Amazon GuardDuty -> AWS Security Hub -> ArcSight SmartConnector for AWS Security Hub
Firewall Manager and IAM Access Analyzer publish their findings directly to Security Hub. GuardDuty analyses CloudTrail, VPC Flow Logs and DNS logs and publishes its own findings to Security Hub. GuardDuty, CloudTrail, Security Hub and CloudWatch are each also supported by a dedicated ArcSight SmartConnector if you prefer to pull from them directly.
Threat Modelling and Applying Risk to AWS Services and Resources
You need to develop a threat model and apply abuse cases to it, which is far beyond this blog, so let's just use ATT&CK to identify the top risks and develop detections for them.
Using ATT&CK to Develop Baseline for TTP Monitoring (Attack Phase: TTP)
Initial Access: Discovering valid accounts for the AWS account.
Persistence: Creating new accounts.
Defense Evasion: Establishing a presence in unused/unsupported cloud regions. Continuing to leverage valid accounts.
Credential Access: Querying an identity role via a cloud instance's metadata API. Discovering credentials in files.
Discovery: Cloud service discovery (through network visibility, interaction with other services, and so on).
Collection: Data from cloud storage objects (items in S3 buckets, for example).
Exfiltration: Outbound data to a cloud storage account elsewhere. Connectivity to unknown outbound source addresses.
Mapping Detection/Response Controls to TTPs (Attack Phase / TTP / AWS Detection)
Initial Access
TTP: Discovering valid accounts for cloud environments.
AWS Detection: AWS CloudTrail event: account login via AWS CLI or AWS Management Console (IAM account).
Persistence
TTP: Creating new accounts.
AWS Detection: AWS CloudTrail event: new IAM account created.
Defense Evasion
TTP: Establishing a presence in unused/unsupported cloud regions. Continuing to leverage valid accounts.
AWS Detection: AWS CloudTrail event surfaced in Amazon GuardDuty or Amazon Detective: new API event in a previously unused region. AWS CloudTrail event surfaced in Amazon GuardDuty or Amazon Detective: account use in a new region.
Credential Access
TTP: Querying an identity role via a cloud instance's metadata API. Discovering credentials in files.
AWS Detection: AWS CloudTrail event surfaced in Amazon GuardDuty, a third-party SIEM or Amazon Detective: metadata service queried for new services and role permissions. AWS CloudTrail event: account login via AWS CLI or AWS Management Console.
Discovery
TTP: Cloud service discovery (through network visibility, interaction with other services, and so on). System information discovery. System network connection discovery.
Collection
TTP: Data from cloud storage objects (items in S3 buckets, for example). Data from local systems.
Exfiltration
TTP: Outbound data to a cloud storage account elsewhere.
AWS Detection: Suspicious AWS CloudTrail event that indicates a cloud user trying to deactivate an MFA device.
How to Improve Security Visibility and Detection/Response Operations in AWS
IAM activity (logins in particular)—Monitor your user activity within the cloud. In particular, monitor admins carefully, because these user credentials are prime targets for attackers. Any nonfederated user access should also be a high priority.
• Priority 1
– Launching a workload that is not from an approved template
– Launching any containers from unapproved images in a repository
– Launching any assets in unapproved regions
– Modifying any IAM roles or policies
– Modifying or disabling cloud control-plane logging or other security controls
– Unauthorized logins to the web console
• Priority 2
– Unusual user behaviours (trying to access unauthorized resources, etc.)
– Adding/updating new workload images
– Adding/updating new container images
– Authorized logins to the web console
– Updating/changing serverless configuration
• Priority 3
– Changes to security groups or network access control lists (ACLs)
– Updating/changing serverless function code
Table 1. Starting Points for Event Searches (AWS CloudTrail event: reason for investigation)
ConsoleLogin: a user initiates console login activity.
StopLogging: a user tries to stop AWS CloudTrail.
CreateNetworkAclEntry: someone creates a network ACL entry, which could expose attack surfaces or vectors.
CreateRoute: someone creates a new route for data-path control, which could expose attack surfaces or vectors.
Security group changes tied to Elastic Load Balancers are interesting, often during scaling operations; they may indicate unusual traffic surges in the environment.
Amazon RDS uses a different nomenclature for security groups, but they are conceptually the same thing. Security teams should monitor those too.
Events for Immediate Monitoring (AWS Lambda event: reason for monitoring)
DeleteEventSourceMapping: someone could delete the data source that triggers an AWS Lambda function, making it "blind".
DeleteFunction: a function could be deleted purposefully or accidentally, leading to security issues.
RemovePermission: this could lead to a lockout scenario or lack of access when needed (think IAM service account or role access to AWS Lambda).
UpdateEventSourceMapping: data could be pulled from a different source, leading to incorrect function results.
UpdateFunctionCode: the function could be broken or tampered with to prevent security-specific functionality from executing (for example, by commenting code out).
UpdateFunctionConfiguration: the configuration of the function could be changed to limit its resources, causing poor or flawed execution.
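The ATT&CK mapping, the three priority tiers and the two event tables above describe the same thing from different angles: a watchlist of CloudTrail event names plus a couple of conditions (console logins without MFA or by root, activity in a Region you do not use). The script below, an added example rather than code from the original post or from AWS, turns them into one triage pass over a constructed sample trail. Priorities follow the page's list where an event is named there; entries marked "assumed" are this example's own choices, and APPROVED_REGIONS is a hypothetical value you would replace with your own. One caveat it handles: CloudTrail records global-service events (IAM, STS, sign-in) with awsRegion us-east-1, so those must be exempt from the unapproved-Region rule or every console login becomes a false positive.

```python
"""Triage CloudTrail records against the event watchlists on this page.
Added example (not from the original article or AWS). SAMPLE_TRAIL is
constructed data; APPROVED_REGIONS is hypothetical; "assumed" priorities
are this example's choices where the page does not rank an event.
"""
import json
from dataclasses import dataclass

# Hypothetical: Regions where this account is expected to operate.
APPROVED_REGIONS = {"eu-west-1", "eu-west-2"}

# CloudTrail records global-service events with awsRegion us-east-1,
# so they must not trip the unapproved-Region check.
GLOBAL_EVENT_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "signin.amazonaws.com"}

# eventName -> (priority, reason), following the Priority 1/2/3 list above.
WATCHLIST = {
    "StopLogging": (1, "attempt to stop CloudTrail (control-plane logging disabled)"),
    "DeactivateMFADevice": (1, "user trying to deactivate an MFA device"),
    "CreateUser": (1, "new IAM user created (persistence)"),
    "AttachRolePolicy": (1, "IAM role policy modified"),
    "DeleteEventSourceMapping": (1, "Lambda trigger deleted, function goes blind (assumed P1)"),
    "DeleteFunction": (1, "Lambda function deleted (assumed P1)"),
    "RemovePermission": (2, "Lambda permission removed, possible lockout (assumed P2)"),
    "UpdateEventSourceMapping": (2, "Lambda trigger changed (serverless configuration)"),
    "UpdateFunctionConfiguration": (2, "Lambda configuration changed (serverless configuration)"),
    "UpdateFunctionCode": (3, "Lambda function code changed"),
    "CreateNetworkAclEntry": (3, "network ACL entry created"),
    "CreateRoute": (3, "new route created (assumed P3, same class as ACL changes)"),
}


@dataclass(frozen=True)
class Finding:
    priority: int
    event_name: str
    actor: str
    region: str
    reason: str


def _actor(record: dict) -> str:
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def triage_record(record: dict) -> list[Finding]:
    """Return zero or more findings for a single CloudTrail record."""
    name, region = record.get("eventName", ""), record.get("awsRegion", "")
    source, actor = record.get("eventSource", ""), _actor(record)
    findings: list[Finding] = []

    if name == "ConsoleLogin":
        is_root = record.get("userIdentity", {}).get("type") == "Root"
        mfa = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        if is_root or not mfa or not success:  # "unauthorized" console login, P1
            findings.append(Finding(1, name, actor, region, "console login by root, without MFA, or failed"))
        else:  # authorized console login is still worth a P2 record
            findings.append(Finding(2, name, actor, region, "authorized console login"))
    elif name in WATCHLIST:
        prio, why = WATCHLIST[name]
        findings.append(Finding(prio, name, actor, region, why))

    # Any API call in a Region outside the approved set is P1 ("assets in unapproved regions").
    if source not in GLOBAL_EVENT_SOURCES and region and region not in APPROVED_REGIONS:
        findings.append(Finding(1, name, actor, region, "API activity in a Region outside the approved set"))
    return findings


def load_records(trail_json: str) -> list[dict]:
    """CloudTrail log files wrap their events in a top-level "Records" array."""
    return json.loads(trail_json)["Records"]


def triage(records: list[dict]) -> list[Finding]:
    """Triage every record and return findings ordered by priority, then event name."""
    return sorted((f for r in records for f in triage_record(r)), key=lambda f: (f.priority, f.event_name))


# Constructed sample trail: six records trimmed to the fields used above.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "UpdateFunctionCode", "eventSource": "lambda.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
    {"eventName": "CreateNetworkAclEntry", "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "eu-west-2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

if __name__ == "__main__":
    for f in triage(load_records(SAMPLE_TRAIL)):
        print(f"P{f.priority} {f.event_name:<24} {f.region:<14} {f.actor}  {f.reason}")
```

Run against the sample, the root login, the StopLogging call and the out-of-Region ACL change come out as Priority 1, alice's MFA-backed login as Priority 2, and the two configuration changes as Priority 3, while the read-only DescribeInstances produces nothing. The same structure drops straight into a SmartConnector flex parser or a Lambda subscribed to the CloudTrail log group; only the watchlist and the Region set are organisation-specific.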
AWS Security Best Practices Checklist
Set up AWS Budgets alerts
Set up root account security challenge questions
Set up an IAM password policy
Disable the Regions you do not use
Document and monitor your access keys; deactivate unused keys and rotate the rest
Enable MFA on the root user and on every IAM user
Update your incident response plan and digital forensics procedures to cover AWS
Enable Amazon VPC Flow Logs for your VPCs; they are not enabled by default
Use VPC Traffic Mirroring where you need packet-level visibility; it can mirror traffic from Nitro-based EC2 instances (A1, C5, C5d, C5n, I3en, M5, M5a, M5ad, M5d, p3dn.24xlarge, R5, R5a, R5ad, R5d, T3, T3a, and z1d)
Use the default VPC DNS resolver where you can, since its query logs feed GuardDuty; if you use a third-party DNS service you must collect and correlate its logs in your SIEM yourself (e.g. Cisco Umbrella, which is supported by an ArcSight SmartConnector)
Amazon EC2 basics: launch from Amazon Machine Images (AMIs), multiple OS support, pay for what you use, running on the Nitro infrastructure built by AWS.
Storage
Amazon Elastic Block Store (EBS), Amazon Simple Storage Service (S3), Amazon Elastic File System (EFS)
Amazon S3 offers multiple storage classes for different use cases. Amazon EBS provides the block device (the "hard drive") for Amazon EC2 instances. Amazon EFS is used for shared file storage, with two storage classes to choose from.
Initial investigation and threat hunting—Analysts need to quickly find evidence of compromise or unusual activity, and often need to do so at scale.
Opening and updating incident tickets/cases—Due to improved integration with ticketing systems, event management and monitoring tools used by response teams can often generate tickets to the right team members and update these as evidence comes in.
Producing reports and metrics—Once evidence has been collected and cases are underway or resolved, generating reports and metrics can take a lot of analysts’ time.
• Automated DNS lookups of domain names never seen before
• Automated searches for detected indicators of compromise
• Automated forensic imaging of disk and memory from a suspect system, driven by alerts triggered in network- and host-based anti-malware platforms and tools
• Network access controls automatically blocking outbound command and control (C2) channels from a suspected system
CloudWatch Logs GetLogEvents is limited to 10 requests per second per account per Region, and this limit cannot be changed.
· Each response returns at most 1 MB of data and at most 10,000 log events.
· So 10 requests per second caps polling at roughly 100,000 log events (about 10 MB) per second per account per Region, which a busy account will exceed.
· AWS therefore recommends subscription filters (to Kinesis Data Streams, Kinesis Data Firehose or Lambda) if you are continuously processing new data, and exporting to Amazon S3 if you need historical data.
Implement a strong identity foundation
Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.
Enable traceability
Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics with systems to automatically respond and take action.
Apply security at all layers
Rather than just focusing on protection of a single outer layer, apply a defense-in-depth approach with other security controls.
Automate security best practice
Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Implement controls that are defined and managed as code in version-controlled templates.
Protect data in transit and at rest
Classify your data into sensitivity levels and where appropriate, use mechanisms like encryption and access control.
Enforce the principle of least privilege
Access to data should only be granted to the people who really need that access. Start with denying access to everything and grant access as needed.
Prepare for security events
Prepare for an incident by having an incident management process that aligns to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
Auto Scaling Group Health Check: ensure AWS Auto Scaling Groups use the appropriate health check configuration to determine the health status of their instances.
Budget Overrun: cost of '[Limit details, e.g. Service: Lambda]' overruns the budget limit.
Budget Overrun Forecast: cost of '[Limit details, e.g. Service: Lambda]' is estimated to overrun the budget limit.
Cost Fluctuation: cost of '[Limit details, e.g. Service: Lambda]' in the current period has fluctuated beyond the defined percentage limit of the previous period.
Cost Fluctuation Forecast: cost of '[Limit details, e.g. Service: Lambda]' in the current period is forecast to fluctuate beyond the defined percentage limit of the previous period.
EBS General Purpose SSD: ensure EC2 instances use General Purpose SSD (gp2) EBS volumes instead of Provisioned IOPS SSD (io1) volumes to optimize EBS costs.
EBS Snapshot Encrypted: ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements.
EBS Volume Naming Conventions: ensure EBS volumes follow proper naming conventions in line with AWS tagging best practices.
Enable AWS EC2 Hibernation: ensure hibernation is enabled for EBS-backed EC2 instances to retain memory state across instance stop/start cycles.
Idle EC2 Instance: identify idle EC2 instances and stop or terminate them to optimize AWS costs.
Instance In Auto Scaling Group: ensure every EC2 instance is launched inside an Auto Scaling Group (ASG) in line with AWS reliability and security best practices.
Publicly Shared AMI: ensure your Amazon Machine Images (AMIs) are not accessible to all AWS accounts.
AWS KMS Customer Master Keys for EFS Encryption: ensure EFS file systems are encrypted with KMS Customer Master Keys (CMKs) so you have full control over data encryption and decryption.
EFS Encryption Enabled: ensure encryption is enabled for AWS EFS file systems to protect your data at rest.
Classic Load Balancer: ensure HTTP/HTTPS applications use an Application Load Balancer instead of a Classic Load Balancer for cost and web traffic distribution optimization.
ELB Access Log: ensure your Elastic Load Balancers have access logging enabled so you can analyze traffic patterns and identify and troubleshoot security issues.
ELB Connection Draining Enabled: with connection draining enabled, if an EC2 backend instance fails health checks the Elastic Load Balancer stops sending it new requests but allows existing (in-flight) requests to complete for the duration of the configured timeout.
ELB Cross-Zone Load Balancing Enabled: ensure high availability for your ELBs by using cross-zone load balancing with multiple subnets in different AZs.
Elasticsearch Dedicated Master Enabled: ensure Amazon Elasticsearch clusters use dedicated master nodes to increase production environment stability.
Elasticsearch Domain In VPC: ensure AWS Elasticsearch domains are deployed inside a Virtual Private Cloud (VPC) rather than exposed on a public endpoint.
Elasticsearch General Purpose SSD: ensure Elasticsearch nodes use General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize service costs.
Elasticsearch Instance Counts: ensure the number of Elasticsearch cluster instances in your AWS account stays below the limit you define.
Kinesis Stream Encrypted With CMK: ensure AWS Kinesis streams are encrypted with KMS Customer Master Keys for complete control over data encryption and decryption.
AWS Organizations In Use: ensure AWS Organizations is in use to consolidate all your AWS accounts into an organization.
Enable All Features: ensure AWS Organizations "all features" mode is enabled for fine-grained control (via service control policies) over which services and actions the member accounts of an organization can access.
RDS Encryption Enabled: ensure AWS RDS instances are encrypted to meet security and compliance requirements.
RDS Event Notifications: ensure event notifications are enabled for your Amazon Relational Database Service (RDS) resources.
RDS Free Storage Space: identify RDS instances with low free storage space and scale them to maintain performance.
RDS General Purpose SSD: ensure RDS instances use General Purpose SSD storage instead of Provisioned IOPS SSD storage to optimize RDS costs.
RDS Instance Counts: ensure the number of Amazon RDS instances in your AWS account stays below the limit you define.
RDS Master Username: ensure AWS RDS instances use secure and unique master usernames for their databases.
RDS Multi-AZ: ensure AWS RDS clusters have the Multi-AZ feature enabled.
RDS Publicly Accessible: ensure RDS database instances are not publicly accessible and exposed to attack.
Redshift Cluster Allow Version Upgrade: ensure Version Upgrade is enabled for Redshift clusters so they automatically receive upgrades during the maintenance window.
DKIM Enabled: ensure DKIM signing is enabled in AWS SES to protect email senders and receivers against phishing.
Exposed SES Identities: ensure your AWS SES identities (domains and/or email addresses) are not exposed to everyone.
Identity Cross-Account Access: ensure AWS SES identities (domains and/or email addresses) do not allow unknown cross-account access via authorization policies.
AWS Well-Architected Tool in Use: ensure the AWS Well-Architected Tool is in use to help you build and maintain secure, efficient, high-performing and resilient cloud application architectures.
AWS Artifact provides on-demand access to AWS's security and compliance reports and select online agreements. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).