GuardDuty: (Region Specific)
Threat intelligence service which monitors CloudTrail logs, VPC Flow Logs and DNS logs.
GuardDuty only monitors Route 53 DNS logs; Active Directory DNS or other DNS logs are not monitored.
Alert whitelist: Trusted IP list, archive alerts after fixing, suppress by finding type using filters (suppression rules)
Finding types: EC2, S3, IAM
Master account (GuardDuty) invites member accounts to aggregate the member accounts' findings
Incident Response:
Plan:
Preparation
Detection
Containment
Investigation
Recovery
Lessons
Preparation Phase:
Ensure logging is enabled: CloudTrail, VPC Flow Logs, EC2 instance logs
Detection Phase:
Cloudwatch Alarms, SNS, GuardDuty
Containment Phase:
Automated AWS CLI scripts
Investigation Phase:
Cloudwatch Logs
AWS Configs
Recovery Phase:
Use prebuilt AMIs for the application to launch a fresh app server.
(a) AWS Credentials Leaked:
Points to remember:
Disable the credentials rather than deleting them
Explicit Deny in the IAM policy JSON to stop access via temporary credentials
Review CloudTrail logs
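The two containment points above as an added example (not part of these notes): a Python/boto3 routine that sets a leaked user's access keys to Inactive instead of deleting them and attaches an inline Deny policy keyed on aws:TokenIssueTime, the condition key the IAM console's "Revoke active sessions" policy uses. The user name, key IDs and the policy name RevokeOlderSessions are constructed placeholders; the policy-building and evaluation functions run offline, only the live run at the bottom needs boto3 and credentials.

```python
import json
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Explicit Deny for any temporary credential issued before `cutoff`.
    aws:TokenIssueTime is only present on requests made with temporary
    credentials, so this statement does not affect long-term access keys;
    those are handled by deactivating (not deleting) the keys below."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(TIME_FMT)}},
        }],
    }


def session_is_denied(policy: dict, token_issue_time: datetime) -> bool:
    """Offline check of the DateLessThan condition: which sessions lose access."""
    for stmt in policy["Statement"]:
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and cutoff is not None:
            cutoff_dt = datetime.strptime(cutoff, TIME_FMT).replace(tzinfo=timezone.utc)
            if token_issue_time < cutoff_dt:
                return True
    return False


def contain_leaked_user(iam, user_name: str, now: datetime) -> dict:
    """`iam` is a boto3 IAM client (or any object with the same three methods).
    Keys are set Inactive so the AccessKeyId stays resolvable in CloudTrail
    during the investigation and can be re-enabled on a false positive."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    for key in keys:
        iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"],
                              Status="Inactive")
    policy = revoke_older_sessions_policy(now)
    iam.put_user_policy(UserName=user_name, PolicyName="RevokeOlderSessions",
                        PolicyDocument=json.dumps(policy))
    return {"deactivated": [k["AccessKeyId"] for k in keys], "policy": policy}


if __name__ == "__main__":
    import boto3  # live run against the account of the current credentials (placeholder user name)
    result = contain_leaked_user(boto3.client("iam"), "leaked-user", datetime.now(timezone.utc))
    print(json.dumps(result, indent=2))
```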
(b) EC2 compromised:
Services allowed for penetration testing without pre-approval:
- EC2, NAT Gateways, ELB
- RDS
- CloudFront
- Aurora
- API Gateways
- Lambda and Lambda@Edge functions
- Lightsail resources
- Elastic Beanstalk
Not supported (EC2 instance types):
T3/T2 nano
T1 micro
M1 small
Shared Responsibility Model