
Detecting security events in AWS

Myles Hosford
Principal Security Architect, AWS

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Why are detective security controls important?

Misconfiguration versus cyber threats

AWS services for detective controls

Demo 1: AWS Config

Demo 2: Amazon GuardDuty

Next steps

What detective controls do you need?

[Diagram: your obligations (your internal policy, the AWS Well-Architected security pillar, industry standards such as the NIST CSF) feed a set of common control objectives; the directive that expresses them is a cloud security policy, which is implemented as preventive controls, detective controls, and responsive controls.]
Types of security events to detect

• Misconfiguration
• Cyber threats
AWS security solutions

Categories: Identity and access management | Detective controls | Infrastructure protection | Data protection | Incident response

Services shown on the slide:
Detective controls: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Inspector, VPC flow logs
Infrastructure protection: AWS Config rules, AWS Shield, AWS WAF – Web application firewall
AWS CloudTrail

[Diagram: individual AWS services on the left and a production business application on the right (AWS Cloud, AWS Region, Amazon VPC, Availability Zones 1 and 2, web servers in an Auto Scaling group, master and standby DB), with AWS CloudTrail recording the API activity of both.]

Developers want to use a growing set of AWS services to deploy workloads that execute business plans.

Security, Risk, and Compliance teams want to support the business outcomes in line with the organization’s risk appetite.
Searching for security events

[Two demo slides; the slide content is an image and no text was recovered.]
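The "Searching for security events" slides are screenshots only. As an added example that is not part of the deck, the block below shows what such a search looks like when run directly over CloudTrail records: it parses one log file, applies three per-event rules (root console login without MFA, CloudTrail logging being stopped or altered, a security group opened to the whole internet) and one aggregate rule (repeated console-login failures from one address). The record fields follow the CloudTrail record format; the account id, ARNs, addresses, times and the threshold are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample CloudTrail log file for this example. The field names follow the
# CloudTrail record format; the account id, ARNs, IP addresses and times are invented.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2019-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-05-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2019-05-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2019-05-01T10:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"}},
] + [
    # five failed console logins from one address within a few minutes
    {"eventTime": "2019-05-01T10:2%d:00Z" % i, "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "192.0.2.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"} for i in range(5)
]})

FAILED_LOGIN_THRESHOLD = 3  # failures from one source IP that count as a burst (chosen for the example)


def _ingress_cidrs(record):
    """Yield (fromPort, toPort, cidr) for every range in an EC2 ingress request."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            yield perm.get("fromPort"), perm.get("toPort"), rng.get("cidrIp")


def root_login_without_mfa(r):
    return (r["eventName"] == "ConsoleLogin"
            and r["userIdentity"].get("type") == "Root"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and r.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_logging_tampered(r):
    return (r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"})


def ingress_open_to_world(r):
    return (r["eventName"] == "AuthorizeSecurityGroupIngress"
            and any(cidr == "0.0.0.0/0" for _, _, cidr in _ingress_cidrs(r)))


PER_EVENT_RULES = {
    "root-console-login-without-mfa": root_login_without_mfa,
    "cloudtrail-logging-tampered": trail_logging_tampered,
    "security-group-open-to-world": ingress_open_to_world,
}


def scan_cloudtrail(log_text, failed_login_threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of findings for the records in one CloudTrail log file."""
    findings = []
    failed_logins = Counter()
    for r in json.loads(log_text)["Records"]:
        for name, matches in PER_EVENT_RULES.items():
            if matches(r):
                findings.append({"rule": name, "eventName": r["eventName"],
                                 "actor": r["userIdentity"].get("arn"),
                                 "sourceIP": r["sourceIPAddress"],
                                 "eventTime": r["eventTime"]})
        if (r["eventName"] == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            failed_logins[r["sourceIPAddress"]] += 1
    # aggregate rule: repeated failures from one address
    for ip, count in failed_logins.items():
        if count >= failed_login_threshold:
            findings.append({"rule": "console-login-failure-burst", "eventName": "ConsoleLogin",
                             "actor": None, "sourceIP": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_CLOUDTRAIL_LOG):
        print(finding)
```

The per-event rules are pure functions of one record, so the same table can be run over a CloudTrail log file pulled from S3 or over events delivered to CloudWatch Logs; the aggregate rule is the one case that needs state across records, which is why it is kept separate from the table.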
Centralized storage of AWS CloudTrail logs

[Diagram: AWS CloudTrail in AWS Accounts 1 to 4 delivers logs to an AWS Security Account, where they land in a security S3 bucket and in Amazon CloudWatch.]
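The diagram above has several accounts delivering CloudTrail logs into one bucket owned by the security account. For that to work the bucket policy must let the CloudTrail service read the bucket ACL and write under `AWSLogs/<account-id>/` for each source account, and require `bucket-owner-full-control` so the security account can read what was written. The block below, an added example and not code from the deck, builds that policy for a list of accounts and, as the check a defender actually wants, audits an existing policy for account ids (or a wildcard) that CloudTrail may write logs for but that are not on the expected list. The bucket name and account ids are placeholders.

```python
import json
import re

# Placeholder values for this example: neither the bucket nor the account ids are real.
SECURITY_BUCKET = "example-security-cloudtrail-logs"
MEMBER_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]


def cloudtrail_bucket_policy(bucket, account_ids, prefix=""):
    """Build the bucket policy CloudTrail needs to deliver logs from several accounts.

    CloudTrail must be allowed to read the bucket ACL and to write objects under
    AWSLogs/<account-id>/ for each source account, and every object it writes must
    grant the bucket owner full control so the security account can read it.
    """
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:GetBucketAcl",
             "Resource": "arn:aws:s3:::%s" % bucket},
            {"Sid": "AWSCloudTrailWrite",
             "Effect": "Allow",
             "Principal": {"Service": "cloudtrail.amazonaws.com"},
             "Action": "s3:PutObject",
             "Resource": ["arn:aws:s3:::%s/%sAWSLogs/%s/*" % (bucket, key_prefix, acct)
                          for acct in sorted(set(account_ids))],
             "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
        ],
    }


# Matches the object path CloudTrail writes to; a '*' in the account position is a
# wildcard grant and is reported as the account "*".
_LOG_PATH = re.compile(
    r"^arn:aws:s3:::(?P<bucket>[^/]+)/(?:.*/)?AWSLogs/(?P<account>\d{12}|\*)/\*$")


def accounts_cloudtrail_may_write(policy, bucket):
    """Audit check: which account ids may CloudTrail deliver logs for under this policy?"""
    allowed = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if not isinstance(principal, dict) or principal.get("Service") != "cloudtrail.amazonaws.com":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "s3:PutObject" not in actions and "s3:*" not in actions:
            continue
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for arn in resources:
            m = _LOG_PATH.match(arn)
            if m and m.group("bucket") == bucket:
                allowed.add(m.group("account"))
    return allowed


def unexpected_writers(policy, bucket, expected_accounts):
    """Return account ids (or '*') the policy admits that are not on the expected list."""
    return accounts_cloudtrail_may_write(policy, bucket) - set(expected_accounts)


if __name__ == "__main__":
    policy = cloudtrail_bucket_policy(SECURITY_BUCKET, MEMBER_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    print("unexpected writers:", unexpected_writers(policy, SECURITY_BUCKET, MEMBER_ACCOUNTS))
```

Run the audit function against the policy returned by `get-bucket-policy` on the real bucket; an empty set from `unexpected_writers` means only the accounts you listed can deliver logs, and a `*` in the result means the policy accepts logs from any account.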
Current approach to detecting misconfigurations

• Sampling approach
• Point-in-time assessments
• Spreadsheet/checklist driven
• Inaccurate evidence collection
Continuous compliance on AWS

• Unprecedented visibility
• Near real-time automation
• Continuous compliance

Having visibility into who made what change, from where, in near real time allows financial institutions to detect misconfigurations and noncompliance and respond quickly to prevent risks from materializing.
AWS Config rules

Automatic email to security teams when controls fail, in real time.
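The slide says Config rules should map to your own security policy and fail in real time when a control is breached. The most direct way to express an organization-specific control is a custom rule backed by a Lambda function. The block below is an added example, not from the deck: a hypothetical custom rule that marks a security group NON_COMPLIANT when a blocked port (22 and 3389 by default, overridable through the `blockedPorts` rule parameter) is reachable from `0.0.0.0/0` or `::/0`. The evaluation logic is kept separate from the handler so it can be run and tested without AWS credentials; the email in the slide is produced by wiring the rule's compliance-change notification to SNS and is not part of this block. The sample invocation (resource id, timestamp, token) is constructed.

```python
import json

try:
    import boto3  # present in the Lambda runtime; only needed to report results to AWS Config
except ImportError:   # lets the evaluation logic run and be tested locally
    boto3 = None

# Ports this hypothetical rule forbids exposing to the internet unless a rule parameter
# overrides them.
DEFAULT_BLOCKED_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample invocation: the resource id, timestamp and token are placeholders.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2019-05-01T10:06:30.000Z",
            "configuration": {"groupName": "web", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"blockedPorts": "22,3389"}),
    "resultToken": "example-result-token",
}


def _world_reachable(permission):
    """Return the CIDRs in one ipPermissions entry that mean 'anywhere'."""
    cidrs = list(permission.get("ipRanges", []))                           # older flat form
    cidrs += [r.get("cidrIp") for r in permission.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)


def _blocked_ports_in_range(permission, blocked_ports):
    """Return the blocked ports that fall inside the entry's port range."""
    if permission.get("ipProtocol") == "-1":   # "all traffic" covers every port
        return set(blocked_ports)
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    if lo is None or hi is None:
        return set()
    return {p for p in blocked_ports if lo <= p <= hi}


def evaluate_security_group(configuration, blocked_ports=DEFAULT_BLOCKED_PORTS):
    """Return (complianceType, annotation) for one security group configuration."""
    violations = []
    for perm in configuration.get("ipPermissions", []):
        exposed = _world_reachable(perm)
        ports = _blocked_ports_in_range(perm, blocked_ports)
        if exposed and ports:
            violations.append("port(s) %s open to %s" % (sorted(ports), ",".join(exposed)))
    if violations:
        return "NON_COMPLIANT", "; ".join(violations)[:256]   # Config caps annotations at 256 chars
    return "COMPLIANT", "No blocked port is reachable from the internet"


def build_evaluation(event):
    """Turn a custom-rule invocation into the evaluation dict put_evaluations expects."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    blocked = {int(p) for p in params.get("blockedPorts", "22,3389").split(",")}
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, note = "NOT_APPLICABLE", "Rule applies to security groups only"
    elif item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Resource was deleted"
    else:
        compliance, note = evaluate_security_group(item["configuration"], blocked)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the changed resource and report it to AWS Config."""
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation],
                                           ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Because the rule is triggered on configuration change, the evaluation runs within moments of someone widening the group, which is what makes the real-time email on the slide possible; a periodic trigger would only catch it at the next scheduled run.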
Amazon GuardDuty

[Diagram: the production business application (AWS Cloud, AWS Region, VPC, Availability Zones 1 and 2, web servers in an Auto Scaling group, master and standby DB) monitored by Amazon GuardDuty, which detects reconnaissance, instance compromise, and account compromise and raises real-time alerts (email, SMS) that feed GRC tools and tickets.]
Next steps
• Enable AWS detective security controls today: AWS CloudTrail, AWS Config, Amazon GuardDuty.
• Enable detective controls that map to your organization’s cloud/IT security policy to detect compliance in real time (AWS Config rules).
• Configure alerts to be sent via the most appropriate channel to get to your InfoSec team as fast as possible. Integrate with existing workflow management tools: JIRA, Slack, email, SMS, API.
• Automate the response to security events to scale your InfoSec team!
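The GuardDuty slide groups findings into reconnaissance, instance compromise and account compromise and sends real-time alerts, and the next steps ask for alerts to reach the InfoSec team over the most appropriate channel (JIRA, Slack, email, SMS). The block below serves both: as an added example that is not code from the deck, it builds the CloudWatch Events pattern that selects GuardDuty findings at or above a severity, classifies each finding into the three classes on the slide from its type and affected resource, maps the severity band to a set of channels, and renders a one-line alert. The routing policy and the channel names are assumptions for the example; the sample findings are constructed, with real GuardDuty finding types but invented account, instance and user values. Publishing to SNS, Slack or JIRA is left to the caller.

```python
# Severity bands GuardDuty uses: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
SEVERITY_BANDS = (("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 1.0))

# Hypothetical routing policy for this example: channel names are labels, not endpoints.
ROUTING_POLICY = {
    "HIGH":   ["sms", "email", "jira", "slack"],
    "MEDIUM": ["email", "jira", "slack"],
    "LOW":    ["email"],
}

# Constructed sample finding events in the shape CloudWatch Events delivers them.
# The finding types are real GuardDuty types; every other value is invented.
SAMPLE_FINDINGS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
                "accountId": "111111111111", "region": "ap-southeast-1",
                "title": "Unprotected port on an EC2 instance is being probed",
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0aaaaaaaaaaaaaaa0"}},
                "service": {"count": 12}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
                "accountId": "111111111111", "region": "ap-southeast-1",
                "title": "EC2 instance is querying a domain associated with cryptocurrency",
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0bbbbbbbbbbbbbbb0"}},
                "service": {"count": 3}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5,
                "accountId": "111111111111", "region": "ap-southeast-1",
                "title": "API call made from a known malicious IP address",
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"userName": "alice"}},
                "service": {"count": 1}}},
]


def event_pattern(min_severity=4.0):
    """CloudWatch Events pattern selecting GuardDuty findings at or above a severity."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_severity]}]},
    }


def severity_band(severity):
    """Map GuardDuty's numeric severity to its band name."""
    for band, floor in SEVERITY_BANDS:
        if severity >= floor:
            return band
    return "INFO"


def finding_category(detail):
    """Map a finding to the three classes on the slide."""
    threat_purpose = detail.get("type", "").split(":", 1)[0]   # ThreatPurpose:Resource/Family
    if threat_purpose == "Recon":
        return "reconnaissance"
    resource_type = detail.get("resource", {}).get("resourceType")
    if resource_type == "Instance":
        return "instance compromise"
    if resource_type == "AccessKey":
        return "account compromise"
    return "other"


def route_finding(event, policy=ROUTING_POLICY):
    """Turn a GuardDuty finding event into an alert: category, band, channels and message."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    band = severity_band(float(d["severity"]))
    category = finding_category(d)
    resource = d.get("resource", {})
    target = (resource.get("instanceDetails", {}).get("instanceId")
              or resource.get("accessKeyDetails", {}).get("userName")
              or resource.get("resourceType", "unknown"))
    message = "[%s] %s (%s) in %s/%s: %s; target %s; occurrences %d" % (
        band, d.get("type"), category, d.get("accountId"), d.get("region"),
        d.get("title"), target, d.get("service", {}).get("count", 1))
    return {"band": band, "category": category, "target": target,
            "channels": list(policy.get(band, [])), "message": message}


if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        alert = route_finding(finding)
        print(", ".join(alert["channels"]), "<-", alert["message"])
```

The pattern from `event_pattern` is what you attach to the CloudWatch Events rule that targets the alerting Lambda; keeping the severity floor in the rule rather than in code means low-severity findings never invoke the function at all, while `route_finding` decides, per band, which of the team's existing channels the alert goes to.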
Learn from AWS experts. Advance your skills and knowledge. Build your future in the AWS Cloud.

Digital Training: free, self-paced online courses built by AWS experts
Classroom Training: classes taught by accredited AWS instructors
AWS Certification: exams to validate expertise with an industry-recognized credential

Ready to begin building your cloud skills? Get started at: https://www.aws.training/
Why work with an APN Partner?

APN Partners are uniquely positioned to help your organization at any stage of your cloud adoption journey, and they:
• Share your goals—focused on your success
• Help you take full advantage of all the business benefits that AWS has to offer
• Provide services and solutions to support any AWS use case across your full customer life cycle

APN Partners with deep expertise in AWS services:
AWS Managed Service Provider (MSP) Partners: APN Partners with cloud infrastructure and application migration expertise
AWS Competency Partners: APN Partners with verified, vetted, and validated specialized offerings
AWS Service Delivery Partners: APN Partners with a track record of delivering specific AWS services to customers

Find the right APN Partner for your needs: https://aws.amazon.com/partners/find/
Thank you for attending AWS Innovate
We hope you found it interesting! A kind reminder to complete the survey.
Let us know what you thought of today’s event and how we can improve the event
experience for you in the future.

aws-apac-marketing@amazon.com
twitter.com/AWSCloud
facebook.com/AmazonWebServices
youtube.com/user/AmazonWebServices
slideshare.net/AmazonWebServices
twitch.tv/aws
