Security is essential for every organization, that’s why Automat-IT pays great attention to it during project delivery and well-architected review. AWS has several really impressive security related services that help us build a safe infrastructure and continuously monitor compliance. In the previous post we demonstrated how to enable AWS Security Hub for a multi-account AWS environment. We suggest our customers enable AWS Security Hub along with given integrations, like GuardDuty, Inspector, Macie, Detective, IAM Access Analyzer, Audit Manager and Chatbot, which will be described in this post.
Amazon GuardDuty integration
Automat-IT enables Amazon GuardDuty by default in every project since the service was released. We described how we deploy this thread detection system in a multi-account AWS environment in the previous post. Here we will look at GuardDuty integration into AWS Security Hub.
Once you enable Amazon GuardDuty and AWS Security Hub, findings are automatically delivered to the Security Hub console.
Amazon GuardDuty findings from all accounts within AWS Organizations are displayed in the AWS Security Hub console in the central Audic account.
Amazon Macie integration
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).
Amazon Macie allows the centralized account as we have in GuardDuty. Audit account is central for Amazon Macie and member accounts are invited to join.
Summary shows overall status for S3 service including public access and encryption configuration.
Moreover Amazon Macie allows to run Scheduled or One-time jobs and scan objects for sensitive data in selected buckets.
In the following example the scanning job has found several issued, including personal data and credentials in txt files and zip archives:
When we downloaded the mentioned zip archive with a finding “Credentials”, we saw a private key inside.
Once you enable Amazon Macie and AWS Security Hub, findings are automatically delivered to the Security Hub console.
Amazon Macie findings from all accounts within AWS Organizations are displayed in the AWS Security Hub console in the central Audic account.
You can quickly get started with Macie leveraging the 30-day free trial. By enabling the service, only the S3 bucket inventory and bucket-level evaluation charges apply and those come at no-cost for the first 30 days. After the first 30 days, the bucket evaluation will cost $0.10 per S3 bucket. First 1 GB / month of data processing is free, next 50,000 GB / month - $1.00 per GB.
IAM Access Analyzer integration
AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. An external entity can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or other entity that you can use to create a filter.
Despite having IAM in the name, IAM Access Analyzer is a regional service. It analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.
By default the AWS organization master account is administrator for IAM Access Analyzer in a multi-account environment, but you can delegate an administration (it’s again will be the Audit account).
We can create an analyzer for the current AWS account or for the whole AWS organization, as in the following example:
If some findings are not relevant, you can configure an archive rule with different conditions that will automatically archive findings, for example we have the finding above that shows that an external principal Cloudfront (with an origin access identity) accesses S3 bucket. We know that it is intended access and expected for us, so we don’t need such notification.
Once you enable IAM Access Analyser and AWS Security Hub, findings are automatically delivered to the Security Hub console.
IAM Access Analyzer policy validation is available at no additional cost in all commercial AWS Regions, AWS China regions, and AWS GovCloud (US).
Amazon Detective integration
Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations.
As other above mentioned AWS security services, Amazon Detective can be configured in a centralized manner. The “Audit” AWS account is an administrator that invites other accounts.
In the Amazon Detective summary we have three tabs. The first on is “Roles and users with the most API call volume in the past 24 hours”