Event Management with Security Hub and GuardDuty – SCS-C02 Study Guide

In the process of creating your infrastructure and granting users access to your account, you need to keep a close watch on the security of your environment. There’s a good possibility that your environment will be changing constantly. This means that the security status of your environment could change as well, potentially leading to new vulnerabilities.

One of the challenges of being a security professional is trying to stay on top of all these different changes. Simply being in charge of one account that is full of users is challenging on its own. In an enterprise-type environment in which you are responsible for a whole AWS organization, comprised of numerous accounts under different organizational units, it can be almost impossible to keep track of changes without help.

The AWS Security Hub tool was designed with the aforementioned problems in mind. It allows you to track multiple accounts from inside an account in the Security OU if launched in a Control Tower setup. It also has the flexibility to work for smaller accounts and organizations that still only work within the confines of a single account. Security Hub is complemented by the GuardDuty service. This is one of the native AWS tools that can report the threats it detects back to Security Hub.

After completing this chapter, you will have learned the following major aspects related to AWS Security Hub and GuardDuty:

  • How AWS Security Hub can reduce the complexity and effort of managing security across your accounts
  • How to meet compliance with Security Hub conformance packs
  • How Amazon GuardDuty can intelligently detect threats
  • The types of data sources that GuardDuty analyses
  • How GuardDuty can help protect your account against malware

Technical Requirements

You will require access to the AWS Management Console with an active account and AWS CLI access for this chapter. You will also need minimal Git skills to clone a repository with example code. Finally, knowing how to find your IP address will help in one of the exercises.

Managing Threat Detection with Amazon GuardDuty

For those unfamiliar with Amazon GuardDuty, it is a fully managed, intelligent threat-detection service, powered by machine learning, that continually provides insights into unusual and/or unexpected behavioral patterns within your account that could be considered malicious. Amazon GuardDuty can process and analyze millions of events captured through your AWS CloudTrail, DNS, and VPC Flow Logs from a single account or multiple accounts. These events are then referenced against numerous threat detection feeds, many of which contain known sources of malicious activity, including specific URLs and IP addresses.

Amazon GuardDuty is continually learning, based on the day-to-day operations within your account, to differentiate between normal behavior and what could be considered abnormal behavior, allowing it to effectively indicate a threat within your infrastructure. This behavior-based analysis allows GuardDuty to detect potential interactions and connectivity with unknown or unusual sources.

Being an always-on service, GuardDuty provides a very effective method of automatically identifying security issues without impacting performance. The service runs entirely on the AWS infrastructure without needing local agents. Any findings raised by Amazon GuardDuty are presented to you as a prioritized list of findings.
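To make the two ideas above concrete (flow-log events being referenced against threat feeds of known-bad addresses, and the resulting findings being presented as a prioritized list), here is a deliberately simplified, added illustration. It is not code from this study guide and not how GuardDuty is implemented internally; the threat feed, the VPC Flow Log records and the finding types are all constructed sample data, and the finding types merely imitate GuardDuty's `ThreatPurpose:ResourceType/ThreatFamily` naming. The severity bands (Low 1.0–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0) are the ones in the GuardDuty documentation, Critical being the most recently added band.

```python
from dataclasses import dataclass

# Constructed threat-intelligence feed (not a real list): IP -> (threat family, severity score)
THREAT_FEED = {
    "198.51.100.23": ("KnownCommandAndControl", 8.0),  # outbound beaconing target
    "203.0.113.77": ("KnownScanner", 5.0),              # inbound port scanner
}

# Severity bands as documented for GuardDuty findings, highest floor first
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")]


def severity_label(score: float) -> str:
    """Map a numeric severity (1.0-10.0) to its GuardDuty band name."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"severity {score} is outside the 1.0-10.0 range")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise AssertionError("unreachable: every score >= 1.0 matches a band")


@dataclass
class Finding:
    """Minimal stand-in for a GuardDuty finding (real findings carry far more detail)."""
    finding_type: str   # hypothetical type in GuardDuty's ThreatPurpose:Resource/Family style
    interface: str      # the ENI whose traffic produced the finding
    remote_ip: str      # the feed-listed address involved
    severity: float
    count: int = 1      # how many records contributed to this finding


def parse_flow_log(line: str) -> dict:
    """Parse a version-2, default-format VPC Flow Log record into its named fields."""
    fields = line.split()
    if len(fields) != 14 or fields[0] != "2":
        raise ValueError("expected a 14-field version-2 VPC Flow Log record")
    return {
        "interface": fields[2], "src": fields[3], "dst": fields[4],
        "dstport": int(fields[6]), "action": fields[12],
    }


def match_threat_feed(lines) -> list:
    """Reference each record against the feed; repeats collapse into one finding per (ENI, IP)."""
    findings = {}
    for rec in (parse_flow_log(line) for line in lines):
        # A listed destination means our host reached out (outbound); a listed source means
        # someone listed reached in (inbound). The purpose prefix is chosen accordingly.
        for ip, purpose in ((rec["dst"], "Backdoor"), (rec["src"], "Recon")):
            if ip not in THREAT_FEED:
                continue
            family, score = THREAT_FEED[ip]
            key = (rec["interface"], ip)
            if key in findings:
                findings[key].count += 1
            else:
                findings[key] = Finding(f"{purpose}:EC2/{family}", rec["interface"], ip, score)
    return list(findings.values())


def prioritize(findings) -> list:
    """Order findings the way a console would: highest severity first, then most repeated."""
    return sorted(findings, key=lambda f: (-f.severity, -f.count))


# Constructed sample records (version 2 default format):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49152 443 6 20 4000 1712000000 1712000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 198.51.100.23 49153 443 6 15 3200 1712000060 1712000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.77 10.0.1.15 40000 22 6 1 44 1712000000 1712000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.15 10.0.1.20 49154 5432 6 30 9000 1712000000 1712000060 ACCEPT OK",
]

if __name__ == "__main__":
    for f in prioritize(match_threat_feed(SAMPLE_FLOW_LOGS)):
        print(f"{severity_label(f.severity):8} {f.severity:4.1f} x{f.count} "
              f"{f.finding_type} {f.interface} <-> {f.remote_ip}")
```

Run as-is, the script prints the repeated outbound connection to the listed command-and-control address as a High finding ahead of the single rejected scan attempt, which lands in the Medium band; the internal database connection matches nothing in the feed and produces no finding. The real service does far more than feed matching (the behavioral baselining described above, for example), but the shape of the output, a severity-ranked list of typed findings tied to a resource, is what you will see in the GuardDuty console.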

There are no upfront costs to enable GuardDuty. It can intelligently detect security threats without hindering the performance of your infrastructure, regardless of size, and provide centralized management by aggregating data from multiple AWS accounts. These factors make GuardDuty a very effective tool to protect your AWS resources and any stored data.

GuardDuty is enabled in your account with a single click. This means there are no extra applications to install or agents to deploy on the network. It simply starts monitoring your environment once you enable the service.