# Chapter 29: AWS Security Hub & Detective

## Security Monitoring & Investigation Services

## 29.1 Overview

AWS provides centralized security services for monitoring, alerting, and investigating security issues across your AWS environment.
```text
                AWS Security Monitoring Overview

                 +------------------------+
                 |  Security Monitoring   |
                 +------------------------+
                             |
            +----------------+----------------+
            |                |                |
            v                v                v
      +-----------+    +-----------+    +-----------+
      | Security  |    | Detective |    | GuardDuty |
      | Hub       |    |           |    |           |
      |           |    | - Invest- |    | - Threat  |
      | - Central |    |   igation |    |   Detect  |
      | - Aggreg  |    | - Graph   |    | - ML/AI   |
      | - Comply  |    | - Time    |    | - Auto    |
      +-----------+    +-----------+    +-----------+
```
### Service Comparison

| Feature | Security Hub | Detective | GuardDuty |
|---|---|---|---|
| Primary Use | Security posture | Investigation | Threat detection |
| Data Source | Multiple services | CloudTrail, VPC Flow | Multiple sources |
| Analysis | Aggregation | Graph analysis | ML-based detection |
| Pricing | Per check | Per data ingested | Per data analyzed |
| Integration | Standards, findings | Security Hub | Security Hub |
## 29.2 AWS Security Hub
### Security Hub Architecture

```text
                 AWS Security Hub Architecture

                 +------------------------+
                 |    AWS Security Hub    |
                 +------------------------+
                             |
            +----------------+----------------+
            |                |                |
            v                v                v
      +-----------+    +-----------+    +-----------+
      | Findings  |    | Standards |    | Insights  |
      |           |    |           |    |           |
      | - Aggreg  |    | - CIS     |    | - Filter  |
      | - Correl  |    | - PCI-DSS |    | - Group   |
      | - Prior   |    | - Custom  |    | - Action  |
      +-----------+    +-----------+    +-----------+
            |                |                |
            v                v                v
   +--------------------------------------------------------+
   |                   Integrated Services                  |
   | +----------+  +----------+  +----------+  +----------+ |
   | | GuardDuty|  |  Config  |  | Inspector|  |  Macie   | |
   | +----------+  +----------+  +----------+  +----------+ |
   | +----------+  +----------+  +----------+  +----------+ |
   | | IAM      |  | Firewall |  | Trusted  |  | Audit    | |
   | | Access   |  | Manager  |  | Advisor  |  | Manager  | |
   | | Analyzer |  |          |  |          |  |          | |
   | +----------+  +----------+  +----------+  +----------+ |
   +--------------------------------------------------------+
```
### Security Standards

Security Hub can evaluate your accounts against the following standards:

**AWS Foundational Security Best Practices**

- AWS-developed security controls
- Covers core AWS services
- Updated regularly

**CIS AWS Foundations Benchmark**

- Center for Internet Security guidelines
- Level 1 and Level 2 profiles
- Comprehensive security checks

**PCI DSS Standard**

- Payment Card Industry Data Security Standard
- Required for payment processing
- 12 requirement categories

**NIST SP 800-53 Rev. 5**

- National Institute of Standards and Technology
- Federal information systems
- Comprehensive controls

**ISO/IEC 27001**

- International security standard
- Information security management
### Security Findings

**Finding Structure** (AWS Security Finding Format, abbreviated; `...` marks elided values)

```json
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:securityhub:...",
  "ProductArn": "arn:aws:securityhub:...",
  "ProductName": "GuardDuty",
  "CompanyName": "Amazon",
  "Description": "Unauthorized access attempt",
  "Title": "UnauthorizedAccess:IAMUser/...",
  "Severity": {
    "Label": "HIGH",
    "Normalized": 70
  },
  "Resources": [...],
  "Remediation": {...},
  "Compliance": {...}
}
```

**Severity Levels**

| Label | Normalized score | Meaning |
|---|---|---|
| CRITICAL | 90 | Immediate action required |
| HIGH | 70 | Significant risk |
| MEDIUM | 40 | Moderate risk |
| LOW | 10 | Low risk |
| INFORMATIONAL | 0 | Informational only |
### Security Insights

**Pre-built Insights**

- Findings with high severity
- Findings from GuardDuty
- Findings from IAM Access Analyzer
- Findings from Amazon Inspector
- Findings from AWS Firewall Manager
- Findings with failed compliance status

**Custom Insights**

Group by:

- Resource type
- AWS account
- Severity
- Compliance status
- Product name (source service)
- Region

Filter by:

- Title contains
- Description contains
- Created at date range
- Updated at date range
- Workflow status
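The severity bands and the group-by/filter logic of a custom insight, worked through in code. This is an added example, not code from the page or from AWS: it runs over a few constructed ASFF findings (placeholder ids and ARNs), derives a severity label from `Severity.Normalized` when a product did not set `Severity.Label`, and then counts findings per group the way an insight does. The function names (`label_from_normalized`, `build_insight`) and the sample findings are assumptions made for the example.

```python
"""Severity normalization and insight-style grouping over ASFF findings.

Added example (not from the page). Works on constructed findings that carry
only the fields used below; real findings carry many more.
"""
from collections import defaultdict

# ASFF normalized-score bands (0-100) and the label each band maps to,
# ordered from most to least severe. Floors follow the severity table above.
SEVERITY_BANDS = (
    (90, "CRITICAL"),
    (70, "HIGH"),
    (40, "MEDIUM"),
    (1, "LOW"),
    (0, "INFORMATIONAL"),
)


def label_from_normalized(score):
    """Map a Normalized score to its label (CRITICAL >= 90, HIGH >= 70, ...)."""
    if not 0 <= score <= 100:
        raise ValueError(f"Normalized must be 0-100, got {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "INFORMATIONAL"


def severity_label(finding):
    """Prefer the product-supplied Label; otherwise derive it from Normalized."""
    sev = finding.get("Severity", {})
    if sev.get("Label"):
        return sev["Label"]
    return label_from_normalized(sev.get("Normalized", 0))


def group_values(finding, group_by):
    """Resolve the group-by attribute. ResourceType/ResourceId live in the
    Resources list (a finding may name several); other keys are top-level."""
    if group_by == "ResourceType":
        return [r["Type"] for r in finding.get("Resources", [])]
    if group_by == "ResourceId":
        return [r["Id"] for r in finding.get("Resources", [])]
    return [finding.get(group_by, "UNKNOWN")]


def build_insight(findings, group_by, min_severity="MEDIUM", workflow_status=None):
    """Emulate a custom insight: keep findings at or above `min_severity`
    (and, optionally, with a given Workflow.Status), then count them per
    value of `group_by`, most frequent group first."""
    order = [label for _, label in SEVERITY_BANDS]        # CRITICAL ... INFORMATIONAL
    rank = {label: i for i, label in enumerate(order)}    # lower rank = more severe
    counts = defaultdict(int)
    for f in findings:
        if rank[severity_label(f)] > rank[min_severity]:
            continue
        if workflow_status and f.get("Workflow", {}).get("Status") != workflow_status:
            continue
        for key in group_values(f, group_by):
            counts[key] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


# Constructed sample findings (account ids, ARNs and instance ids are placeholders).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111",
     "Severity": {"Label": "HIGH", "Normalized": 70}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::111111111111:user/placeholder"}]},
    {"Id": "f-2", "ProductName": "Inspector", "AwsAccountId": "111111111111",
     "Severity": {"Normalized": 92},                      # no Label: derived as CRITICAL
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-placeholder1"}]},
    {"Id": "f-3", "ProductName": "Security Hub", "AwsAccountId": "222222222222",
     "Severity": {"Label": "LOW", "Normalized": 10}, "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::placeholder-bucket"}]},
    {"Id": "f-4", "ProductName": "GuardDuty", "AwsAccountId": "222222222222",
     "Severity": {"Label": "MEDIUM", "Normalized": 40}, "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-placeholder2"}]},
]

if __name__ == "__main__":
    print(build_insight(SAMPLE_FINDINGS, "ProductName"))
    print(build_insight(SAMPLE_FINDINGS, "ResourceType", min_severity="HIGH"))
    print(build_insight(SAMPLE_FINDINGS, "AwsAccountId", workflow_status="NEW"))
```

Deriving the label from the normalized score matters when you aggregate across products: an integration that only fills `Normalized` would otherwise fall through every `SeverityLabel` filter, which is one way findings "disappear" from insights.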
### Security Hub CLI Commands

```bash
# Enable Security Hub in the current Region, subscribing to the default standards
aws securityhub enable-security-hub \
  --enable-default-standards

# Get enabled standards
aws securityhub get-enabled-standards

# List the security control definitions available to Security Hub
aws securityhub list-security-control-definitions

# List findings, filtered to HIGH severity
aws securityhub get-findings \
  --filters '{"SeverityLabel":[{"Value":"HIGH","Comparison":"EQUALS"}]}'

# Update finding workflow status (--finding-identifiers takes a JSON list)
aws securityhub batch-update-findings \
  --finding-identifiers '[{"Id":"arn:aws:securityhub:...","ProductArn":"arn:aws:securityhub:..."}]' \
  --note '{"Text":"Investigated and resolved","UpdatedBy":"security-team"}' \
  --workflow '{"Status":"RESOLVED"}'

# Create a custom insight grouped by resource
aws securityhub create-insight \
  --name "High Severity Findings" \
  --filters '{"SeverityLabel":[{"Value":"HIGH","Comparison":"EQUALS"}]}' \
  --group-by-attribute "ResourceId"

# Enable a security standard
aws securityhub batch-enable-standards \
  --standards-subscription-requests '[{"StandardsArn":"arn:aws:securityhub:..."}]'

# Disable a security standard
aws securityhub batch-disable-standards \
  --standards-subscription-arns '["arn:aws:securityhub:..."]'
```
## 29.3 Amazon Detective
### Detective Overview

```text
                 Amazon Detective Architecture

                 +------------------------+
                 |    Amazon Detective    |
                 +------------------------+
                             |
            +----------------+----------------+
            |                |                |
            v                v                v
      +-----------+    +-----------+    +-----------+
      | Data      |    | Behavior  |    | Invest-   |
      | Sources   |    | Graph     |    | igation   |
      |           |    |           |    |           |
      | - Cloud-  |    | - Entity  |    | - Search  |
      |   Trail   |    |   Relat.  |    | - Visual  |
      | - VPC     |    | - Time-   |    | - Scope   |
      |   Flow    |    |   line    |    |           |
      +-----------+    +-----------+    +-----------+
```
### Detective Data Sources

**AWS CloudTrail**

- API call history
- User and role activity
- Resource changes
- Management events

**VPC Flow Logs**

- Network traffic patterns
- Connection details
- Source/destination IPs
- Port and protocol information

**Security Hub Findings**

- GuardDuty findings
- Security Hub findings
- Correlated with other data
### Investigation Features

**Entity Behavior Graph**

```text
   +----------+      +----------+      +----------+
   | IAM      | -->  | EC2      | -->  | S3       |
   | User     |      | Instance |      | Bucket   |
   +----------+      +----------+      +----------+
        |                 |                 |
        v                 v                 v
   +----------+      +----------+      +----------+
   | Role     |      | Security |      | Object   |
   |          |      | Group    |      |          |
   +----------+      +----------+      +----------+
```

Shows relationships and interactions between entities.

**Timeline Analysis**

```text
   Time:    00:00   04:00   08:00   12:00   16:00   20:00   24:00
              |       |       |       |       |       |       |
              v       v       v       v       v       v       v
   Events:  ======******=======******======******======
                 ^              ^              ^
                 |              |              |
               Login        API Call        Finding
```

**Finding Investigation**

1. Start with Security Hub finding
2. View affected entities
3. Explore entity relationships
4. Analyze timeline of events
5. Identify root cause
6. Document findings
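To make the graph and timeline concrete, here is an added example (not part of the page, and not how Amazon Detective is implemented) that builds the kind of entity behavior graph the section describes from a few constructed CloudTrail-style records, then walks investigation steps 3 to 5: scope the entities reachable from the finding's principal, read that principal's timeline, and trace a touched resource back to the actors behind it. The account id, user, role, instance and bucket names are placeholders; the record shape is trimmed to the fields the code reads.

```python
"""Entity behavior graph and timeline from CloudTrail records.

Added example, not from the page and not Detective's own logic. The records
below are constructed (placeholder account, principals and resources).
"""
from collections import defaultdict
from datetime import datetime, timezone

ACCOUNT = "111111111111"  # placeholder account id
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
OPS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ops-role"
SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ops-role/alice"
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-placeholder"
BUCKET = "arn:aws:s3:::placeholder-bucket"

# Constructed CloudTrail-style records: a console login, a role assumption,
# then activity from the role session, the last call from a different IP.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T08:02:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "sourceIPAddress": "198.51.100.7", "resources": []},
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "sourceIPAddress": "198.51.100.7", "resources": [{"ARN": OPS_ROLE}]},
    {"eventTime": "2024-01-01T12:30:00Z", "eventName": "RunInstances",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION,
                      "sessionContext": {"sessionIssuer": {"arn": OPS_ROLE}}},
     "sourceIPAddress": "198.51.100.7", "resources": [{"ARN": INSTANCE}]},
    {"eventTime": "2024-01-01T16:45:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": SESSION,
                      "sessionContext": {"sessionIssuer": {"arn": OPS_ROLE}}},
     "sourceIPAddress": "203.0.113.9",
     "resources": [{"ARN": BUCKET + "/secret.txt"}, {"ARN": BUCKET}]},
]


def _issuer(ident):
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")


def build_graph(events):
    """Adjacency map {entity: {neighbour: [eventName, ...]}}. Edges run from
    an actor to each resource it touched and to the source IP it used, and
    from an issuing role to the role session it produced."""
    graph = defaultdict(lambda: defaultdict(list))
    for e in events:
        ident, name = e["userIdentity"], e["eventName"]
        actor = ident["arn"]
        for r in e.get("resources", []):
            graph[actor][r["ARN"]].append(name)
        if e.get("sourceIPAddress"):
            graph[actor]["ip:" + e["sourceIPAddress"]].append(name)
        if _issuer(ident):
            graph[_issuer(ident)][actor].append(name)
    return {a: dict(n) for a, n in graph.items()}


def scope(events, entity, depth=3):
    """Step 3: every entity reachable from `entity` within `depth` hops."""
    graph = build_graph(events)
    seen, frontier = {entity}, {entity}
    for _ in range(depth):
        frontier = {n for node in frontier for n in graph.get(node, {})} - seen
        seen |= frontier
    return sorted(seen - {entity})


def timeline(events, entity):
    """Step 4: chronological (time, eventName, sourceIP) rows in which
    `entity` is the actor or one of the touched resources."""
    rows = []
    for e in events:
        touched = {e["userIdentity"]["arn"]} | {r["ARN"] for r in e.get("resources", [])}
        if entity in touched:
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            rows.append((when.replace(tzinfo=timezone.utc), e["eventName"], e.get("sourceIPAddress")))
    return sorted(rows)


def actors_on(events, resource):
    """Step 5: principals that acted on `resource`, including the role that
    issued any session involved, so a session can be traced to its origin."""
    actors = set()
    for e in events:
        if any(r["ARN"] == resource for r in e.get("resources", [])):
            actors.add(e["userIdentity"]["arn"])
            if _issuer(e["userIdentity"]):
                actors.add(_issuer(e["userIdentity"]))
    return sorted(actors)


if __name__ == "__main__":
    print(scope(SAMPLE_EVENTS, ALICE))
    for when, name, ip in timeline(SAMPLE_EVENTS, SESSION):
        print(when.isoformat(), name, ip)
    print(actors_on(SAMPLE_EVENTS, BUCKET))
```

Reading the session's timeline shows the detail an investigator looks for: the `GetObject` call comes from a source IP the session had not used before, which is the point at which the scope widens from one user to the bucket and the object.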
### Detective CLI Commands

```bash
# Create the behavior graph (the calling account becomes its administrator)
aws detective create-graph

# Invite a member account into the graph
aws detective create-members \
  --graph-arn "arn:aws:detective:..." \
  --accounts '[{"AccountId":"123456789012","EmailAddress":"admin@example.com"}]'

# List members
aws detective list-members \
  --graph-arn "arn:aws:detective:..."

# Get investigation results
aws detective get-investigation \
  --graph-arn "arn:aws:detective:..." \
  --investigation-id "investigation-123"

# List investigations
aws detective list-investigations \
  --graph-arn "arn:aws:detective:..."

# Start an investigation on an entity; the scope window is required
# (the timestamps below are example values)
aws detective start-investigation \
  --graph-arn "arn:aws:detective:..." \
  --entity-arn "arn:aws:iam::..." \
  --scope-start-time "2024-01-01T00:00:00Z" \
  --scope-end-time "2024-01-02T00:00:00Z"

# Delete the graph
aws detective delete-graph \
  --graph-arn "arn:aws:detective:..."
```
## 29.4 Amazon GuardDuty
### GuardDuty Overview

```text
                 Amazon GuardDuty Architecture

                 +------------------------+
                 |    Amazon GuardDuty    |
                 +------------------------+
                             |
            +----------------+----------------+
            |                |                |
            v                v                v
      +-----------+    +-----------+    +-----------+
      | Data      |    | Threat    |    | Finding   |
      | Sources   |    | Detection |    | Types     |
      |           |    |           |    |           |
      | - Cloud-  |    | - ML/AI   |    | - Recon   |
      |   Trail   |    | - Anomaly |    | - Comp    |
      | - VPC     |    | - Sign-   |    | - Access  |
      |   Flow    |    |   atures  |    | - Crypto  |
      | - DNS     |    |           |    |           |
      +-----------+    +-----------+    +-----------+
```
### GuardDuty Finding Types

**Reconnaissance Findings**

- Port probe detection
- DNS exfiltration
- API call anomalies
- Network enumeration

**Instance Compromise Findings**

- EC2 instance credential theft
- Cryptocurrency mining
- Backdoor access
- Malware/C2 communication
- Data exfiltration

**Account Compromise Findings**

- Unauthorized access
- IAM anomaly
- Root account usage
- MFA disable
- Unusual API activity

**Container Security Findings**

- EKS cluster anomalies
- Container runtime security
- Privilege escalation
### GuardDuty Protection Plans

**S3 Protection**

- Monitor S3 API operations
- Detect data exfiltration attempts
- Identify unusual access patterns

**EKS Protection**

- Monitor Kubernetes audit logs
- Detect suspicious pod activity
- Identify privilege escalation

**Malware Protection**

- Scan EC2 instances for malware
- Scan EBS volumes
- Automated scanning on findings

**RDS Protection**

- Monitor RDS login activity
- Detect brute force attempts
- Identify unusual access patterns
### GuardDuty CLI Commands

```bash
# Create a detector in the current Region
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency SIX_HOURS

# Invite member accounts
aws guardduty create-members \
  --detector-id "abc123" \
  --account-details '[{"AccountId":"123456789012","Email":"admin@example.com"}]'

# List detectors
aws guardduty list-detectors

# Get detector
aws guardduty get-detector \
  --detector-id "abc123"

# List findings
aws guardduty list-findings \
  --detector-id "abc123"

# Get findings
aws guardduty get-findings \
  --detector-id "abc123" \
  --finding-ids '["finding-1","finding-2"]'

# Archive findings
aws guardduty archive-findings \
  --detector-id "abc123" \
  --finding-ids '["finding-1"]'

# Create a filter (GuardDuty severity is a numeric value, not a label)
aws guardduty create-filter \
  --detector-id "abc123" \
  --name "HighSeverityFilter" \
  --finding-criteria '{"Criterion":{"severity":{"Eq":["8","9"]}}}'

# Enable a protection plan feature
aws guardduty update-detector \
  --detector-id "abc123" \
  --features '[{"Name":"S3_DATA_EVENTS","Status":"ENABLED"}]'
```
## 29.5 Integration Architecture
### Security Hub as Central Hub

```text
                 Security Hub Integration Architecture

                      +------------------------+
                      |    AWS Security Hub    |
                      |     (Central Hub)      |
                      +------------------------+
                                  |
         +--------------+---------+--------+--------------+
         |              |                  |              |
         v              v                  v              v
   +-----------+  +-----------+      +-----------+  +-----------+
   | GuardDuty |  | Inspector |      |   Macie   |  |  Config   |
   +-----------+  +-----------+      +-----------+  +-----------+
         |              |                  |              |
         +--------------+---------+--------+--------------+
                                  |
                                  v
                      +------------------------+
                      |    Amazon Detective    |
                      |    (Investigation)     |
                      +------------------------+
                                  |
                                  v
                      +------------------------+
                      |    Response Actions    |
                      +------------------------+
                                  |
               +------------------+------------------+
               |                  |                  |
               v                  v                  v
        +-------------+    +-------------+    +-------------+
        | EventBridge |    |     SNS     |    |   Lambda    |
        |  (Routing)  |    |  (Notify)   |    | (Remediate) |
        +-------------+    +-------------+    +-------------+
```
### Automated Response Workflow

**Automated Security Response**

1. **Finding Generated**: GuardDuty/Inspector/Macie --> Security Hub Finding
2. **EventBridge Rule Match**: the event pattern matches the finding criteria
3. **Action Triggered**. Options:
   - SNS notification
   - Lambda function (remediation)
   - Systems Manager Automation
   - Step Functions workflow
4. **Remediation Executed**. Examples:
   - Block compromised IAM user
   - Isolate EC2 instance
   - Revoke compromised credentials
   - Update security group rules
5. **Finding Updated**: update the finding status in Security Hub
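Steps 2 through 5 of that workflow as one runnable piece, added here as an example and not taken from the page or from AWS. It assumes the event shape of the "Security Hub Findings - Imported" EventBridge event (a `detail.findings` list of ASFF findings), implements only the subset of EventBridge pattern matching this rule needs (exact-value lists and nested keys), and maps each matched finding to a named runbook from a small `PLAYBOOK` table of assumed names. No AWS call is made: the handler returns the response plan and the `BatchUpdateFindings` parameters it would send, so the logic can be tested offline before it is wired to a real Lambda function.

```python
"""Automated response to a Security Hub finding: rule match -> plan -> update.

Added example, not from the page. The rule, playbook names, product ARN
and findings below are constructed placeholders.
"""

# EventBridge rule: HIGH or CRITICAL GuardDuty findings that are still NEW.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "ProductName": ["GuardDuty"],
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Workflow": {"Status": ["NEW"]},
        }
    },
}

# Remediation runbook per resource type (assumed names; nothing is executed
# here, the plan only names the runbook the automation would invoke).
PLAYBOOK = {
    "AwsIamAccessKey": "revoke-credentials",
    "AwsIamUser": "block-iam-user",
    "AwsEc2Instance": "isolate-ec2-instance",
}


def matches(pattern, event):
    """Subset of EventBridge matching: every pattern key must be present in
    the event; a list pattern matches when the event value, or any element
    of an event list, equals one of the listed values; a dict pattern
    recurses, and for an event list it is enough that one element matches."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        candidates = value if isinstance(value, list) else [value]
        if isinstance(sub, dict):
            if not any(isinstance(c, dict) and matches(sub, c) for c in candidates):
                return False
        elif not any(c in sub for c in candidates if not isinstance(c, (dict, list))):
            return False
    return True


def plan_response(finding):
    """Step 4: pick the runbook for the first resource type in PLAYBOOK;
    fall back to notification only when no runbook applies."""
    for res in finding.get("Resources", []):
        action = PLAYBOOK.get(res.get("Type"))
        if action:
            return {"action": action, "resource": res.get("Id")}
    return {"action": "notify-only", "resource": None}


def workflow_update(finding, action, updated_by="security-automation"):
    """Step 5: parameters for securityhub:BatchUpdateFindings."""
    status = "NOTIFIED" if action == "notify-only" else "RESOLVED"
    return {
        "FindingIdentifiers": [{"Id": finding["Id"], "ProductArn": finding["ProductArn"]}],
        "Workflow": {"Status": status},
        "Note": {"Text": f"automation ran {action}", "UpdatedBy": updated_by},
    }


def handler(event, context=None):
    """Lambda-style entry point: one plan and one update per matched finding.
    Findings bundled in the same event that do not match the rule are skipped."""
    if not matches(RULE_PATTERN, event):
        return []
    results = []
    for finding in event["detail"]["findings"]:
        if not matches(RULE_PATTERN["detail"]["findings"], finding):
            continue
        plan = plan_response(finding)
        results.append({"finding_id": finding["Id"], "plan": plan,
                        "update": workflow_update(finding, plan["action"])})
    return results


# Constructed event: one HIGH finding that matches and one LOW finding that does not.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "finding-placeholder-1", "ProductArn": "arn:aws:securityhub:...",
         "ProductName": "GuardDuty", "Title": "UnauthorizedAccess:IAMUser/...",
         "Severity": {"Label": "HIGH", "Normalized": 70}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsIamAccessKey", "Id": "AKIA-EXAMPLE-PLACEHOLDER"}]},
        {"Id": "finding-placeholder-2", "ProductArn": "arn:aws:securityhub:...",
         "ProductName": "GuardDuty",
         "Severity": {"Label": "LOW", "Normalized": 10}, "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2Instance", "Id": "i-placeholder"}]},
    ]},
}

if __name__ == "__main__":
    for r in handler(SAMPLE_EVENT):
        print(r["finding_id"], r["plan"], r["update"]["Workflow"])
```

Two design points carry over to a real deployment: filter on `Workflow.Status` of `NEW` so a finding re-imported after your own status update does not re-trigger the rule, and have the automation write the status and note back (step 5) so analysts can see in Security Hub which findings were handled by a runbook rather than by a person.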
## 29.6 Security Best Practices
### Security Hub Best Practices

1. **Enable multiple security standards**
   - CIS AWS Foundations Benchmark
   - AWS Foundational Security Best Practices
   - Industry-specific standards (PCI, NIST)
2. **Configure automated remediation**
   - Use EventBridge for finding routing
   - Implement Lambda for automated response
   - Use Systems Manager Automation
3. **Create custom insights**
   - Group findings by business impact
   - Filter by critical resources
   - Track remediation progress
4. **Integrate with incident response**
   - Connect to ticketing systems
   - Enable notifications for critical findings
   - Document investigation procedures
### GuardDuty Best Practices

1. **Enable all protection plans**
   - S3 Protection
   - EKS Protection
   - Malware Protection
   - RDS Protection
2. **Configure trusted IP lists**
   - Add known safe IP addresses
   - Reduce false positives
3. **Set up automated responses**
   - Integrate with Security Hub
   - Use EventBridge for automation
4. **Monitor and tune findings**
   - Review findings regularly
   - Archive false positives
   - Adjust severity thresholds
## 29.7 Troubleshooting
### Common Issues

| Issue | Cause | Solution |
|---|---|---|
| Findings not appearing in Security Hub | Service not enabled or integrated | Enable the service and configure the product integration |
| High number of findings overwhelming | Too many enabled standards or controls | Disable irrelevant controls, create filters |
| Cross-account findings not visible | Member accounts not configured | Configure Security Hub member accounts |
| Detective graph not showing data | Insufficient data ingestion period | Wait for data collection (48+ hours) |
## 29.8 Exam Tips

**Key Exam Points**

1. Security Hub is the central aggregation point for findings
2. Security Hub supports CIS, PCI-DSS, NIST, ISO 27001
3. Detective uses graph analysis for investigation
4. GuardDuty uses ML/AI for threat detection
5. GuardDuty data sources: CloudTrail, VPC Flow Logs, DNS
6. GuardDuty findings are sent to Security Hub
7. Detective requires 48+ hours of data for analysis
8. Security Hub findings have severity levels (CRITICAL to LOW)
9. Use EventBridge for automated response to findings
10. GuardDuty protection plans: S3, EKS, Malware, RDS
## 29.9 Summary

**AWS Security Hub**

- Central security findings aggregation
- Security standards compliance
- Custom insights and filtering
- Cross-account visibility

**Amazon Detective**

- Security investigation and analysis
- Entity behavior graph
- Timeline analysis
- Integration with Security Hub

**Amazon GuardDuty**

- Continuous threat detection
- ML/AI-based anomaly detection
- Multiple protection plans
- Automated findings to Security Hub