AWS User Group Pune October 2023 Meetup

Transcript

1. Fortifying Security in AWS Cloud Sankalp Sandeep Paranjpe AWS Cloud

   Clubs Pune Captain

2. WHOAMI ⚬ AWS Cloud Clubs Pune Captain ⚬ Final Year

   B.Tech Student at MIT ADT University, Pune ⚬ Cloud and Cybersecurity Enthusiast ⚬ 2x AWS Certified Sankalp Sandeep Paranjpe

3. AGENDA ⚬ Security basics ⚬ Shared Responsibility Model in AWS

   ⚬ Amazon GuardDuty and Inspector ⚬ Incident Response ⚬ Best Practices

4. ⚬Cybersecurity is the practice of deploying people, processes, and technologies

   to protect organizations, their critical systems, and sensitive information from cyber- attacks. ⚬These cyber-attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. ⚬Two teams in Cybersecurity: the Red Team and the Blue Team. Cybersecurity

5. Common terminologies Vulnerability A vulnerability is a weakness in hardware

   or a software that can be exploited. Threat A threat is anything that could exploit a vulnerability Risk Risk is the probability of a negative event occurring Sensative info Usernames, passwords, secret keys, secrets, config files, Service Entities IT Infrastucture Services provided by Cloud Service provider. Attacker, Victim, Organization, Service Provider Servers, Storage and Networking Capabilities Event, Incident, Security Incident Potential events which breaks CIA Triad

6. The Shared Responsibility Model in AWS

7. The Shared Responsibility Model in AWS

8. Amazon GuardDuty

9. DNS logs VPC flow logs Amazon S3 data plane events

   Amazon EKS control plane logs Threat detection types Threat intelligence Anomaly detection (ML) Finding type examples Bitcoin mining Unusual user behavior Unusual traffic patterns Findings AWS Security Hub volume Examples •Launch instance •Change network permissions • • • • Alert Remediate AWS Partner solutions Send to SIEM GuardDuty Data sources Amazon Detective Amazon CloudWatch events AWS CloudTrail events C & C activity Example: Unusual ports and LO W HIG H MEDIU M

10. Features of Amazon GuardDuty • GuardDuty EKS Protection • GuardDuty

    Malware Protection • GuardDuty RDS Protection • GuardDuty S3 Protection • GuardDuty Lambda Protection

11. Features of Amazon GuardDuty • Account Level Threat Detection •

    Easy Usage • Continuous Monitoring • Multi-account and Multi-region support • No additional software is required • Integrates with other AWS Services • Incident Response

12. Botnet /C&C Server AAmazon EC2 Instance Backdoor: EC2/C&CActivity • High

    Severity • Your EC2 instances interacting with botnet command and control server • Bots are agents launching DDOS Attacks • This means your instance is compromised.

13. Remote Host AAmazon EC2 Instance Behavior:EC2/TrafficVolumeUnusual • Medium Severity •

    EC2 instance generating unusually large amount of traffic to a remote host • No prior history of sending this much traffic to this remote host

14. Bitcoin Server AAmazon EC2 Instance CryptoCurrency:EC2/BitcoinTool • High Severity •

    Your EC2 instance is interacting with an IP associated with crypto activity. • Hackers use compromised resources for bitcoin mining requires investigation. • If it is a valid use case, you can set up a suppression rule for it.

15. • High Severity • An attacker tries to disrupt operations

    and manipulate, interrupt, or destroy data in the victim's account. • Example: Deleting security groups etc. AWS Environment Impact:IAMUser/AnomalousBehavior

16. Amazon GuardDuty - Console Demo

17. Amazon Inspector

18. Features of Amazon Inspector • Integrates with other AWS Services

    to automate security workflow • Automated vulnerability assessment • Real-time Feedback • Customizations • Vulnerability Database Research • Suppression Rules

19. Hands-on Demo Scanning container images on Amazon ECR with Amazon

    Inspector

20. Manager Compute AWS Personal Health Dashboard AWS Config Manager Macie

    Amazon Inspector Storage Database Containers Plus many more partners . . . Findings from AWS service categories Networking & Management Security, identity content delivery& governance & compliance Amazon GuardDuty Partner findings Detective Findings Audit prep Amazon AWS Audit findings with AWS services and AWS Partner solutions AWS Systems AWS Firewall Amazon IAM Amazon Investigations AWS Security Hub Manage r EventBridge Take action and remediate Security flows with Security Hub

21. • Incident response refers to an organization’s processes and technologies

    for detecting and responding to – ￭ cyber threats, ￭ security breaches ￭ cyberattacks. • The goal of Incident Response: To prevent cyberattacks Incident Response
22. None

23. Preparation Threat Detection and Analysis Investigation and correlation of the

    findings Respond and remediate Amazon Inspector–CVE scans and OS-level configurations Amazon Macie–data classification AWS Security Hub – resource and account- level configurations Amazon GuardDuty– automated intelligent threat detection Amazon Detective – security investigations AWS Security Hub – alert aggregation AWS Security Hub – Automated response and remediation runbooks

24. Storage Compute Containers Security, identity & complianc e AWS Cloud

    AWS services Amazon GuardDuty Amazon Detective AWS Security Hub Amazon EventBridge Amazon SNS Remediation AWS Lambda Notifications Live email notifications Responding to an Incident

25. AWS Incident Response: Flow of events

26. Correlating the findings of SecurityHub and EventBridge

27. Forensic Disk Collection in AWS

28. Disk forensics acquisition workflow

29. • Least privilege principle • Backup a lot and test

    your recovery resources before you need them • Understand the AWS Shared Responsibility Model • Do not use root account credentials for day-to-day interactions with AWS! • Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM) • Audit IAM users and their policies frequently • Monitor your account and its resources • Enable logging and Monitoring Best Practices

30. Credits • AWS Official Website • AWS Whitepapers • AWS

    Official Documentations • AWS Presentations • AWS Blogs

31. Thank you! Let's Connect: https://www.linkedin.com/in/sankalp-s-paranjpe/ https://twitter.com/SankalpParanjpe