Incident Detection and Response in Amazon Web Services (AWS)

Author Eric Evans



Learning how to detect and respond to security events in the cloud is an ever-important topic. It is so essential that the NIST Cybersecurity Framework lists both Detect and Respond as core functions of a sound cybersecurity program. Detection is best described as the tooling and processes built to identify the occurrence of a potentially nefarious event. Response is best described as the processes that teams (or automation) follow once an event is detected. In this article, we will explore how to use cloud-native tooling to identify and respond to threats in the major cloud service provider, Amazon Web Services (AWS).

Amazon Web Services

AWS has a number of services that can be used for incident detection and response. Most of them build on logging services such as CloudWatch and CloudTrail to identify and respond to potential threats, and Lambda functions can be used to take an event-driven approach that responds automatically and quickly to the threats that are detected. Note that this is not a comprehensive list of services that can be used to protect your data in AWS, but it is a good starting point for anyone who wants to secure their environment.

Amazon GuardDuty

Amazon GuardDuty is a cloud-native threat detection service offered by AWS that utilizes Amazon’s threat intelligence and machine learning capabilities to keep cloud resources safe. Some of the threats that GuardDuty can detect include backdoors on EC2 instances, cryptocurrency mining, privilege escalation, calls to known-malicious IP addresses, trojans on EC2 instances, and unauthorized access. This service can even help you identify whether reconnaissance is actively happening in your environment, with findings for penetration-testing distributions (Kali Linux, Parrot Linux, Pentoo Linux), SSH brute force, and probing of unprotected ports. Each finding carries a severity so that you can easily prioritize what to respond to in your cloud environment. GuardDuty can easily be enabled on a per-account basis or across the entire AWS Organization.

Amazon Inspector

Amazon Inspector helps keep an eye on EC2 instances in your AWS environment. By installing the Amazon Inspector agent on your instances, you can detect violations of benchmarks such as those published by the Center for Internet Security (CIS) and AWS security best practices. In addition to these agent-based assessments, Amazon Inspector can run network assessments that analyze your network configuration for vulnerabilities affecting your EC2 instances; the findings from network analysis include: network availability, misconfigured security groups, open network access control lists (ACLs), and compromised internet gateways (IGWs). Amazon Inspector can easily be configured through AWS Systems Manager (SSM), the AWS API, infrastructure as code, or the console.

Amazon Macie

A headache for many security teams is the identification of sensitive data in their environments. This is where Amazon Macie comes into play: Macie uses machine learning and artificial intelligence to detect personally identifiable information (PII) and other potentially sensitive data. Macie checks for data in Amazon Simple Storage Service (S3) buckets. In addition to detecting sensitive data, Macie can find misconfigurations in S3 buckets such as buckets that are accessible from the internet, unencrypted data, and buckets that are shared with other AWS accounts. Macie is also easy to get started with, and only takes a few clicks in the AWS console.

CloudWatch Events

Services such as GuardDuty, Inspector, and Macie write findings to CloudWatch Logs, where security analysts, engineers, and the like can review and respond to them. However, a more hands-off approach is to use CloudWatch Events to react to the findings these tools produce. CloudWatch Events takes events from CloudWatch or CloudTrail, matches them against a pattern you define (for example, the creation of a new finding), and then performs an action in response to the detected incident. Some of the actions that can be performed are: modification of identity and access management (IAM) policies, modification of security groups (firewall rules), running a script on EC2 instances, or invoking a serverless function via AWS Lambda.
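The following is an added example, not code from the article, of the GuardDuty-to-CloudWatch Events-to-Lambda pattern described above: the rule's event pattern, a Lambda handler that reads the finding, and a response that swaps a high-severity instance into a quarantine security group. The quarantine security group id, the severity threshold, and the sample finding are constructed assumptions.

```python
import os

# Event pattern for the CloudWatch Events rule that routes GuardDuty findings
# to this Lambda. It matches on the event envelope, not the finding body.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# GuardDuty severity bands: 1-3.9 low, 4-6.9 medium, 7-8.9 high.
HIGH_SEVERITY = 7.0
# Assumption: a pre-created security group with no ingress rules, supplied via env.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-QUARANTINE-PLACEHOLDER")


def matches_rule(event):
    """Mimic the rule: every key in the pattern must match one listed value."""
    return all(event.get(k) in v for k, v in EVENT_PATTERN.items())


def plan_response(event):
    """Turn a GuardDuty finding event into a response decision (no side effects)."""
    if not matches_rule(event):
        return {"action": "ignore", "reason": "not a GuardDuty finding"}
    detail = event["detail"]
    severity = float(detail.get("severity", 0))
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    plan = {"finding_type": detail.get("type"), "severity": severity,
            "instance_id": instance_id, "action": "notify"}
    # Only isolate EC2 instances on high-severity findings; lower severities
    # are surfaced to analysts for a manual decision.
    if severity >= HIGH_SEVERITY and resource.get("resourceType") == "Instance" and instance_id:
        plan["action"] = "isolate"
    return plan


def handler(event, context=None, ec2=None):
    """Lambda entry point. `ec2` is injectable so the logic can be tested offline."""
    plan = plan_response(event)
    if plan["action"] == "isolate":
        if ec2 is None:
            import boto3  # only needed when running inside Lambda
            ec2 = boto3.client("ec2")
        # Replace the instance's security groups with the quarantine group so the
        # instance stays up for forensics but can no longer talk to anything.
        ec2.modify_instance_attribute(InstanceId=plan["instance_id"], Groups=[QUARANTINE_SG])
    return plan


# Constructed sample finding in the shape CloudWatch Events delivers to Lambda.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 7.5,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
```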

Amazon Lambda

Amazon Lambda is an essential part of automating detection in the cloud. Lambda is a service that offers serverless compute – in other words, you can run code without man