---
# System prepended metadata

title: 7. Threat Detection and Incident Response on AWS
tags: [AWS, Training, Security for Migration]

---

# Threat Detection and Incident Response on AWS
## AWS Security Services Overview

Grouped Services:

- Identity & Access: IAM, Organizations, Identity Center, Secrets Manager, IAM Access Analyzer, Verified Access, Verified Permissions
- Detection: GuardDuty, Inspector, Macie, Security Hub, Security Lake
- Infrastructure Security: VPC, Network Firewall, Shield, WAF, Firewall Manager
- Incident Response: Detective, Elastic Disaster Recovery, SSM Automations, AWS Backup
- Data Protection: KMS, Macie, CloudHSM, S3 Block Public Access
- Compliance: AWS Artifact, Audit Manager

---

## Detection and Response Suite

- Amazon GuardDuty: Threat detection, anomaly detection
- Amazon Inspector: Automated vulnerability management
- Amazon Macie: Sensitive data discovery
- AWS Security Hub: CSPM plus aggregation of findings across AWS services and third-party tools
- Amazon Detective: Investigation tool with graph-based visualization
- AWS Security Lake: Centralized security data lake
- AWS Security Incident Response: Coordination & automation of IR process

---

## AWS Security Hub

Core features:

- Continuous checks against AWS Foundational Security Best Practices (FSBP), CIS, NIST, PCI DSS
- Aggregates findings across accounts & regions
- Integrates with third-party tools
- Automates remediation actions via Lambda, SSM, Step Functions

Benefits:

- Unified security posture view
- Reduces compliance backlog
- Normalizes alert formats
- Improves prioritization of alerts
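As an added example (not code from these notes or from AWS), a Lambda-style handler that triages the ASFF findings Security Hub delivers through EventBridge: it keeps only open, failed findings at or above a severity threshold, orders them worst first, and maps each to a remediation runbook or to an analyst. The event shape, the `Action` type, the `Example.99` control and the `Placeholder-*` runbook names are assumptions.

```python
"""Added example: triage Security Hub (ASFF) findings delivered by EventBridge.
Assumptions not from the page: the "Security Hub Findings - Imported" event shape,
and RUNBOOKS values are placeholder SSM Automation names, not real documents."""
from dataclasses import dataclass
from typing import Optional
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
# Security Hub control ID -> hypothetical runbook (placeholders); unmapped -> analyst.
RUNBOOKS = {"S3.8": "Placeholder-EnableS3BlockPublicAccess",
            "EC2.19": "Placeholder-RevokeOpenSecurityGroupIngress"}

@dataclass(frozen=True)
class Action:
    finding_id: str
    account: str
    resource: str
    severity: str
    runbook: Optional[str]  # None: no safe automation, route to an analyst

def triage(finding: dict, min_severity: str = "HIGH") -> Optional[Action]:
    """Return an Action for an open, FAILED finding at or above min_severity."""
    if finding.get("Workflow", {}).get("Status") != "NEW":
        return None  # resolved, suppressed, or already being worked on
    compliance = finding.get("Compliance", {})
    if compliance.get("Status") != "FAILED":
        return None  # passed or not applicable: nothing to remediate
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if SEVERITY_RANK.get(label, 0) < SEVERITY_RANK[min_severity]:
        return None
    resources = finding.get("Resources", [])
    resource = resources[0]["Id"] if resources else "unknown"
    return Action(finding["Id"], finding["AwsAccountId"], resource, label,
                  RUNBOOKS.get(compliance.get("SecurityControlId")))

def handler(event: dict, context=None) -> list:
    """Lambda entry point: findings arrive as event['detail']['findings']."""
    actions = [triage(f) for f in event.get("detail", {}).get("findings", [])]
    # Worst first, so automation and analysts start with the highest risk.
    return sorted((a for a in actions if a), key=lambda a: SEVERITY_RANK[a.severity], reverse=True)
# Constructed sample event in the EventBridge shape (fake account IDs; Example.99 is made up).
SAMPLE_EVENT = {"detail": {"findings": [
    {"Id": "f-1", "AwsAccountId": "111111111111", "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "NEW"}, "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    {"Id": "f-2", "AwsAccountId": "111111111111", "Severity": {"Label": "CRITICAL"},
     "Workflow": {"Status": "NEW"}, "Compliance": {"Status": "FAILED", "SecurityControlId": "Example.99"},
     "Resources": [{"Type": "AwsIamUser", "Id": "AWS::::Account:111111111111"}]},
    {"Id": "f-3", "AwsAccountId": "222222222222", "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "RESOLVED"}, "Compliance": {"Status": "FAILED", "SecurityControlId": "S3.8"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::other-bucket"}]},
]}}
```

Running `handler(SAMPLE_EVENT)` yields the CRITICAL finding first (no runbook, so it goes to an analyst), then the HIGH S3.8 finding with its runbook; the RESOLVED finding is dropped.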

---

## Multi-Account Strategy

Best practice:

1. Set up AWS Organizations
2. Designate Security Tooling Account
3. Enable AWS Config & Security Hub Org-wide
4. Delegate Security Hub admin role
5. Enable automatic enrollment of new member accounts and cross-region finding aggregation
6. Use StackSets for consistent deployment
7. Regularly review and update the aggregation regions

---

## Amazon GuardDuty

Capabilities:

- Threat detection using ML and threat intel
- Unified findings across multiple AWS services
- Simple activation Org-wide
- Foundational data: VPC Flow Logs, DNS, CloudTrail, EKS, S3, Lambda

Use cases:

- Detect suspicious activity in Gen AI workloads
- Accelerate investigation & remediation
- Ransomware and malware detection
- Container threat detection
- PCI DSS compliance support

Protection scope:

- S3 Protection
- Aurora/RDS Login Monitoring
- EKS Audit Logs
- Lambda Network Monitoring
- EC2 Runtime + Malware Protection

---

## Amazon Macie

Purpose:

- ML-based sensitive data discovery for S3
- Automated continuous scanning

Benefits:

- Visibility into sensitive data risks
- Actionable reporting
- Automated classification
- Cost-effective visibility at scale

---

## Amazon Inspector

Purpose:

- Automated vulnerability management

Target:

- EC2 (agent-based / agentless)
- ECR containers (CI/CD pipeline)
- AWS Lambda functions

Benefits:

- Contextual Risk Scoring
- Prioritized actionable findings
- Continuous coverage
- Central SBOM export management
- CI/CD integration
- Automation-ready

---

## Amazon Detective

Purpose:

- Graph-based security investigation
- Data sources: CloudTrail, VPC, EKS, GuardDuty, Inspector, Macie, IAM Access Analyzer

Benefits:

- Unified investigation view
- Visualizes entity relationships
- Saves time during triage and root cause analysis (RCA)
- Streamlined cross-service investigation

---

## Amazon Security Lake

Purpose:

- Centralized, normalized security data lake
- Automates collection across AWS + SaaS + on-prem

Benefits:

- OCSF standardized format
- Simplifies data pipelines
- Enables enterprise-wide visibility
- Integrates with analytics tools (Athena, QuickSight, SIEMs)

---

## AWS Security Incident Response

Purpose:

- Prepare, coordinate, and automate Incident Response

Workflow:

1. Configure IR membership in AWS Organizations
2. Define team, permissions, containment options
3. Centralized case management
4. 24/7 escalation to AWS experts
5. Post-incident reporting and analysis

Benefits:

- Faster recovery
- Automated containment
- Streamlined investigation
- Integrates with AWS threat intelligence and audit logs

---