
AWS Security Incident Response Guide: A Dive into CloudWatch, GuardDuty, and Amazon Detective

This post walks through AWS’s very own Security Incident Response Guide.

While I’ll cover some of the main highlights here, it’s worth taking a full look yourself; they’ve balanced technical depth with an easy-to-follow structure. You can check out the guide.


-------------------------------------------------------------------------------------------------------------------------

AWS Shared Responsibility Model


One of the first things to understand when working with AWS security is their Shared Responsibility Model. It's simple: AWS handles the security of the cloud infrastructure, and you’re responsible for securing what you put in the cloud.

Here's the breakdown:


  • If you’re running a VPC with EC2 instances, you need to handle things like patching the OS, securing access, and configuring networks.

  • On the flip side, if you’re using something like an AWS Lightsail MySQL database, AWS takes care of the underlying infrastructure, while you manage the database's credentials and access settings.


In short, AWS makes sure the cloud itself is secure, but it’s up to you to secure your data and apps. You can read more on this.


-------------------------------------------------------------------------------------------------------------------------

AWS Incident Domains


According to the AWS Security Incident Response Guide, there are three main domains to watch out for when responding to security incidents:


  • Service Domain: This involves issues with the AWS account itself—usually caused by compromised credentials. Attackers might use these to access your environment, view your data, or change configurations.


  • Infrastructure Domain: Think of this as network-level incidents, often due to a vulnerable or misconfigured app exposed to the internet. These incidents could involve an attacker gaining a foothold in your VPC, and even trying to spread within your cloud or back into your on-premises environment.


  • Application Domain: This is when attackers target your hosted apps, often exploiting vulnerabilities like SQL injection to get unauthorized access to sensitive data.


More on incident domains can be found


-------------------------------------------------------------------------------------------------------------------------

AWS Detection and Response Tools

In case of an incident, AWS has a range of tools to help you investigate and respond.


  • CloudTrail: Logs API activity in your account, tracking user actions, configurations, and more. It’s a key service for understanding what’s happening in your environment.

  • CloudWatch: Monitors resources and applications, and you can set up alerts for suspicious activity.

  • GuardDuty: AWS’s security threat detection service that specifically looks for compromised accounts or unusual activity in your environment.

  • Macie: Focuses on sensitive data like PII and can alert you when data exposure risks arise, especially in S3 buckets.

-------------------------------------------------------------------------------------------------------------------------


AWS Log Analysis: CloudTrail Overview


CloudTrail is a key player in monitoring your AWS environment. It logs all the actions taken in your AWS account at the API level, meaning everything from logins to configuration changes. The logs are stored for 90 days by default, but you can easily archive them in an S3 bucket for longer retention. You can search the logs using the CloudTrail console or services like Athena and Amazon Detective.


By default, CloudTrail is almost real-time, with events typically logged within 15 minutes. It’s free for 90 days, but longer-term storage will require setting up a custom trail to an S3 bucket.


More info can be found.


-------------------------------------------------------------------------------------------------------------------------


CloudTrail Log Format

CloudTrail logs are stored in JSON format, making them easy to read and analyze. The logs contain useful fields, such as:


  • API caller information (who did what),

  • Time of the API call,

  • Source IP (where the request came from),

  • Request parameters and response elements, which can contain nested data for more detailed information.


Since AWS supports over 200 services, most of them can log actions into CloudTrail. For more details, check the supported services.
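To make the fields listed above concrete, here is an added example (not code from the guide or from AWS) that parses a CloudTrail log file in the shape CloudTrail delivers to S3, a JSON object with a `Records` array, and pulls out the caller, time, source IP and the nested request and response data. The three records, account ID, ARNs, key IDs and IP addresses are constructed for illustration; the field names follow the CloudTrail record format.

```python
"""Parse CloudTrail records and extract what an analyst looks at first."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample log file (fake account, ARNs, key IDs, IPs and event IDs).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLE000000001",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012", "accessKeyId": "AKIAEXAMPLE0000001",
                      "userName": "alice"},
     "eventTime": "2024-05-01T10:15:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"userName": "bob"},
     "responseElements": {"accessKey": {"userName": "bob",
                                        "accessKeyId": "AKIAEXAMPLE0000002",
                                        "status": "Active"}},
     "eventID": "11111111-1111-1111-1111-111111111111",
     "eventType": "AwsApiCall", "managementEvent": True, "readOnly": False},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "Root", "principalId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "eventTime": "2024-05-01T10:20:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "requestParameters": None, "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication",
     "eventID": "22222222-2222-2222-2222-222222222222", "eventType": "AwsConsoleSignIn"},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "AssumedRole",
                      "principalId": "AROAEXAMPLE000000001:deploy-session",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/deploy-session",
                      "accountId": "123456789012",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "arn": "arn:aws:iam::123456789012:role/DeployRole",
                          "userName": "DeployRole"}}},
     "eventTime": "2024-05-01T10:25:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.25",
     "requestParameters": {"bucketName": "customer-exports", "key": "2024/05/export.csv"},
     "responseElements": None, "eventID": "33333333-3333-3333-3333-333333333333",
     "eventType": "AwsApiCall", "readOnly": True},
]})


@dataclass
class CloudTrailEvent:
    time: datetime
    actor: str            # user name, role name, or "root"
    actor_type: str       # IAMUser, Root, AssumedRole, ...
    event_source: str
    event_name: str
    source_ip: str
    region: str
    error: Optional[str]  # errorCode/errorMessage when the call failed
    request_parameters: Dict[str, Any]   # flattened, dotted keys
    response_elements: Dict[str, Any]    # flattened, dotted keys


def describe_actor(identity: Dict[str, Any]) -> Tuple[str, str]:
    """Reduce the userIdentity block to a readable actor name and its type."""
    kind = identity.get("type", "Unknown")
    if kind == "Root":
        return "root", kind
    if kind == "IAMUser":
        return identity.get("userName") or identity.get("arn", "unknown"), kind
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("userName") or identity.get("arn", "unknown"), kind
    return identity.get("arn") or identity.get("principalId", "unknown"), kind


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested request/response JSON into dotted keys (lists by index)."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def parse_records(raw: str) -> List[CloudTrailEvent]:
    """Parse a CloudTrail log file; null request/response blocks become {}."""
    events = []
    for rec in json.loads(raw).get("Records", []):
        actor, actor_type = describe_actor(rec.get("userIdentity", {}))
        events.append(CloudTrailEvent(
            time=datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                         .replace(tzinfo=timezone.utc),
            actor=actor, actor_type=actor_type,
            event_source=rec.get("eventSource", ""), event_name=rec.get("eventName", ""),
            source_ip=rec.get("sourceIPAddress", ""), region=rec.get("awsRegion", ""),
            error=rec.get("errorCode") or rec.get("errorMessage"),
            request_parameters=flatten(rec.get("requestParameters") or {}),
            response_elements=flatten(rec.get("responseElements") or {}),
        ))
    return events


def summarize(events: List[CloudTrailEvent]) -> List[str]:
    """One line per event: when, who, what, from where, and the outcome."""
    return [f"{e.time.isoformat()} {e.actor_type}/{e.actor} {e.event_source} "
            f"{e.event_name} from {e.source_ip} "
            f"[{'ERROR: ' + e.error if e.error else 'ok'}]" for e in events]


if __name__ == "__main__":
    for line in summarize(parse_records(SAMPLE_LOG)):
        print(line)
```

The `describe_actor` step is the one worth copying: CloudTrail puts the human-readable name in a different place for each identity type, and for an assumed role the useful name is the role in `sessionContext.sessionIssuer`, not the session ARN. Flattening `responseElements` makes values such as the newly created access key ID (`accessKey.accessKeyId`) easy to grep for across thousands of records.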


To understand the JSON log format more easily, use the tools below:


-------------------------------------------------------------------------------------------------------------------------


Anomaly Detection in AWS

AWS offers several tools to detect unusual or malicious activity in your environment:


  • CloudTrail Insights: Uses machine learning to spot strange patterns in your AWS usage, like sudden spikes in resource use or odd IAM actions. It’s not enabled by default, so you’ll need to set it up for each trail. However, there’s an extra cost for this feature (about $0.35 per 100,000 events).

  • GuardDuty: Focuses on security issues and provides real-time threat detection across your AWS environment.

  • Macie: Great for identifying sensitive data (like PII) and ensuring your S3 buckets are properly configured to protect that data.


For more on how these services work, see the full guide.


-------------------------------------------------------------------------------------------------------------------------

AWS CloudWatch


CloudWatch is the go-to tool for monitoring in AWS, but it’s not just about keeping an eye on performance and uptime. While its core focus is availability and performance, you can send logs from most AWS services to CloudWatch, making it a versatile tool for security monitoring too. Once logs are in, you can configure alerts and automation rules to respond to security threats.


Here’s how AWS describes it:

"You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly."

It’s important to note that while basic health monitoring with CloudWatch is free, more advanced logging and monitoring will incur additional costs. Many companies have shared their best practices for configuring CloudWatch for security monitoring.
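The usual pattern for security monitoring with CloudWatch is: CloudTrail delivers events to a CloudWatch Logs group, a metric filter turns matching events into a metric, and an alarm fires when that metric crosses a threshold over a period. The following added example (not code from the guide, from AWS, or from the vendors mentioned) reproduces that pipeline offline so the semantics are clear before you configure it. Each rule carries, in its comment, the CloudWatch Logs filter pattern it mirrors; `alarm_state` applies the alarm's period, evaluation periods, datapoints-to-alarm and threshold the way a CloudWatch alarm does, treating empty periods as not breaching. The events are constructed and reduced to the fields the rules inspect.

```python
"""Metric-filter style rules plus alarm evaluation over CloudTrail events."""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Dict, List


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ev(time: str, name: str, **extra) -> dict:
    """Build a constructed, minimal CloudTrail-shaped event (IAM user by default)."""
    event = {"eventTime": time, "eventName": name, "userIdentity": {"type": "IAMUser"}}
    event.update(extra)
    return event


# Constructed sample: five failed console logins from one address spread over
# two 5-minute periods, one successful root login, one root action invoked by
# a service (excluded by the rule), one trail deletion and a benign read.
EVENTS: List[dict] = [
    ev("2024-05-01T09:58:10Z", "ConsoleLogin", errorMessage="Failed authentication",
       sourceIPAddress="198.51.100.7"),
    ev("2024-05-01T09:59:40Z", "ConsoleLogin", errorMessage="Failed authentication",
       sourceIPAddress="198.51.100.7"),
    ev("2024-05-01T10:00:05Z", "ConsoleLogin", errorMessage="Failed authentication",
       sourceIPAddress="198.51.100.7"),
    ev("2024-05-01T10:01:10Z", "ConsoleLogin", errorMessage="Failed authentication",
       sourceIPAddress="198.51.100.7"),
    ev("2024-05-01T10:02:30Z", "ConsoleLogin", errorMessage="Failed authentication",
       sourceIPAddress="198.51.100.7"),
    ev("2024-05-01T10:03:00Z", "ConsoleLogin", userIdentity={"type": "Root"},
       eventType="AwsConsoleSignIn", responseElements={"ConsoleLogin": "Success"}),
    ev("2024-05-01T10:03:30Z", "CreateStack",
       userIdentity={"type": "Root", "invokedBy": "cloudformation.amazonaws.com"},
       eventType="AwsApiCall"),
    ev("2024-05-01T10:04:00Z", "DeleteTrail", eventType="AwsApiCall"),
    ev("2024-05-01T10:04:30Z", "DescribeInstances", eventType="AwsApiCall"),
]

# Rule name -> predicate. The comment above each is the equivalent
# CloudWatch Logs JSON filter pattern you would attach to the log group.
RULES: Dict[str, Callable[[dict], bool]] = {
    # { ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }
    "console_login_failure": lambda e: (
        e.get("eventName") == "ConsoleLogin"
        and e.get("errorMessage") == "Failed authentication"),
    # { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    #   && $.eventType != "AwsServiceEvent" }
    "root_usage": lambda e: (
        e.get("userIdentity", {}).get("type") == "Root"
        and "invokedBy" not in e.get("userIdentity", {})
        and e.get("eventType") != "AwsServiceEvent"),
    # { ($.eventName = "StopLogging") || ($.eventName = "DeleteTrail")
    #   || ($.eventName = "UpdateTrail") }
    "cloudtrail_changes": lambda e: e.get("eventName") in {
        "StopLogging", "DeleteTrail", "UpdateTrail"},
}

# Alarm thresholds per rule: a burst of failures, but a single event for the rest.
THRESHOLDS = {"console_login_failure": 3, "root_usage": 1, "cloudtrail_changes": 1}


def metric_datapoints(events: List[dict], rule: Callable[[dict], bool],
                      period_seconds: int) -> Dict[int, int]:
    """Like a metric filter with metricValue 1: count matches per period bucket
    (bucket key = epoch seconds at the start of the period)."""
    counts: Dict[int, int] = defaultdict(int)
    for event in events:
        if rule(event):
            epoch = int(_ts(event["eventTime"]).timestamp())
            counts[epoch - epoch % period_seconds] += 1
    return dict(counts)


def alarm_state(datapoints: Dict[int, int], now: datetime, period_seconds: int,
                evaluation_periods: int, datapoints_to_alarm: int, threshold: int) -> str:
    """ALARM when at least datapoints_to_alarm of the last evaluation_periods
    buckets are >= threshold; a bucket with no data counts as not breaching."""
    now_epoch = int(now.timestamp())
    current = now_epoch - now_epoch % period_seconds
    breaching = sum(
        1 for i in range(evaluation_periods)
        if datapoints.get(current - i * period_seconds, 0) >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def evaluate(events: List[dict], now: datetime, period_seconds: int = 300,
             evaluation_periods: int = 1, datapoints_to_alarm: int = 1) -> Dict[str, str]:
    """Evaluate every rule as its own alarm at time `now`."""
    return {
        name: alarm_state(metric_datapoints(events, rule, period_seconds), now,
                          period_seconds, evaluation_periods, datapoints_to_alarm,
                          THRESHOLDS[name])
        for name, rule in RULES.items()
    }


if __name__ == "__main__":
    for name, state in evaluate(EVENTS, _ts("2024-05-01T10:04:55Z")).items():
        print(f"{name}: {state}")
```

Two behaviours are worth noticing when you tune a real alarm: the same five failed logins split as 2 and 3 across adjacent periods, so a threshold of 3 over one period fires only because the last three landed in the same bucket, and requiring two breaching periods out of two would stay OK; and once the period containing the events has passed, the alarm returns to OK, so alarm state is a signal to act on immediately, not a record of the incident.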


Even commercial security vendors, like TrendMicro and Intelligent Discovery, offer predefined monitoring configurations for CloudWatch, which can also serve as inspiration for setting up your own rules.


CloudWatch has layers of complexity, and while we’re only scratching the surface, it’s worth diving deeper if you want more control over your AWS monitoring. For a deeper look into AWS security monitoring, check out this article:


-------------------------------------------------------------------------------------------------------------------------

AWS GuardDuty

If CloudWatch is AWS’s all-purpose monitor, GuardDuty is the one with laser focus on security threats. GuardDuty scans your environment for suspicious activities across different layers, including:


  • Control plane (via CloudTrail management events)

  • Data plane (monitoring S3 data access)

  • Network plane (checking VPC flow logs and Route53 DNS logs)


GuardDuty uses a mix of anomaly detection, machine learning, and malicious IP lists to detect threats like unauthorized account access, compromised resources, or unusual S3 activity. What’s great is that it does all of this out-of-band, meaning it doesn’t impact the performance of your systems.


Integration with major cybersecurity vendors also adds value to GuardDuty’s alerts, allowing you to get more context and take action across both cloud and on-prem environments. The pricing is based on the volume of events processed, and you can find more details about the costs and alerts it covers.


For a complete list of integrations and partners that enhance GuardDuty, check out the partner directory.


-------------------------------------------------------------------------------------------------------------------------

Amazon Detective

Amazon Detective is like the investigator that steps in after the alarm has been raised. It doesn’t focus on detecting threats like GuardDuty; instead, it helps you respond to them more effectively by adding context to alerts. It pulls data from sources like GuardDuty alerts, CloudTrail logs, and VPC flow logs to give you a clearer picture of what’s happening.


Think of Detective as a tool to help you connect the dots after a security alert. It can be particularly useful when dealing with complex incidents that need deeper investigation. Like other AWS services, it comes with a 30-day free trial, but keep in mind that GuardDuty is a prerequisite for using Detective.


Another useful tool in AWS’s security stack is Security Hub, which consolidates findings from various AWS services like GuardDuty, Macie, and AWS Config into a single dashboard for easier management. This makes it easier to see both preventative and active threat data in one place.


For more info on Detective, check out the FAQs and their blog post "Amazon Detective – Rapid Security Investigation and Analysis".


-------------------------------------------------------------------------------------------------------------------------


Conclusion:

AWS offers a powerful suite of tools for monitoring, detecting, and investigating security incidents in your cloud environment. CloudWatch provides a flexible platform for performance and security monitoring, enabling users to set alerts and automate actions based on logs from various AWS services. GuardDuty takes this a step further, focusing specifically on detecting threats across control, data, and network planes using advanced techniques like machine learning and anomaly detection. When a security alert is triggered, Amazon Detective steps in to provide valuable context, helping you analyze and respond effectively to incidents.

Akash Patel
