Incident Detection and Response in Amazon Web Services (AWS)

Author Eric Evans



Learning how to detect and respond to security events in the cloud is an ever-important topic. It is so essential that the NIST Cybersecurity Framework defines both detection and response as functions critical to proper cybersecurity. Detection is best described as the creation and development of processes for identifying an occurrence of a potentially nefarious event. Response is best described as the processes that teams (or automation) follow after an event is detected. In this article, we will explore how to use cloud-native tooling to identify and respond to threats in the major cloud service provider, Amazon Web Services (AWS).

Amazon Web Services

AWS has a number of services that can be used for incident detection and response. Most of them rely on logging services such as CloudWatch and CloudTrail to identify and respond to potential threats, and Lambda functions can be used in an event-driven architecture to respond to detected threats automatically and quickly. Note that this is not a comprehensive list of services that can be used to protect your data in AWS, but it is definitely a good starting point for anyone who wants to secure their environment.

Amazon GuardDuty

Amazon GuardDuty is a cloud-native threat detection service offered by AWS that uses Amazon’s threat intelligence and machine learning capabilities to keep cloud resources safe. Some of the threats that GuardDuty can detect include backdoors on EC2 instances, cryptocurrency mining, privilege escalation, communication with known malicious IP addresses, trojans on EC2 instances, and unauthorized access. This service can even help you identify whether reconnaissance is actively happening in your environment, with findings associated with penetration testing distributions (Kali Linux, Parrot Linux, Pentoo Linux), SSH brute force attempts, and probing of unprotected ports. Each finding is assigned a severity so that you can easily prioritize what to respond to in your cloud environment. GuardDuty can easily be enabled on a per-account basis or throughout the entire AWS Organization.

Amazon Inspector

Amazon Inspector helps keep an eye on EC2 instances in your AWS environment. Using the Amazon Inspector agent installed on your instances, you can detect violations of benchmarks such as those published by the Center for Internet Security (CIS) and AWS security best practices. In addition to the agent-based assessments, Amazon Inspector offers network assessments that analyze your network configuration to find vulnerabilities associated with your EC2 instances; these findings cover network availability, misconfigured security groups, open network access control lists (ACLs), and compromised internet gateways (IGWs). Amazon Inspector can easily be configured through AWS Systems Manager (SSM), the AWS API, infrastructure as code, or the console.

Amazon Macie

A headache for many security teams is the identification of sensitive data in their environments. This is where Amazon Macie comes into play: Macie uses machine learning and artificial intelligence to detect personally identifiable information (PII) and other potentially sensitive data. Macie scans data stored in Amazon Simple Storage Service (S3) buckets. In addition to detecting sensitive data, Macie can find misconfigurations in S3 buckets such as buckets that are accessible from the internet, unencrypted data, and buckets that are shared with other AWS accounts. Macie is also easy to get started with, and only takes a few clicks in the AWS console.

CloudWatch Events

Services such as GuardDuty, Inspector, and Macie write findings to CloudWatch Logs, where security analysts, engineers, and the like can view and respond to them. However, a more hands-off approach is to use CloudWatch Events to react to the findings these tools produce. CloudWatch Events takes data from CloudWatch or CloudTrail logs, matches it against a pattern (for example, the creation of a new finding), and then performs an action in response to the detected incident. Some of the actions that can be performed are: modifying identity and access management (IAM) policies, modifying security groups (firewall rules), running a script on EC2 instances, or invoking a serverless function via AWS Lambda.

Amazon Lambda

Amazon Lambda is an essential part of automating detection and response in the cloud. Lambda is a service that offers serverless compute; in other words, you can run code without managing servers. Amazon Lambda can be invoked via CloudWatch Events, the Lambda API, or even the AWS SDK/CLI. Lambda functions can be written in a variety of programming languages including Python, Go, Node.js, Ruby, Java, and even .NET. These functions can perform actions and interact with AWS resources using their respective SDKs. Using Lambda helps create an event-driven architecture for your security needs, reducing the time to react to potential threats and decreasing the manual effort associated with incident response in AWS.
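The two preceding sections describe the detection-to-response chain: a CloudWatch Events rule matches a GuardDuty finding and invokes a Lambda function that contains the affected resource. The following Python block is an added example written for this article, not code from the original post or from AWS. It shows the event pattern such a rule would carry (GuardDuty findings of severity 7 or higher), a small local evaluator for that pattern so the rule's scope can be checked offline, and a Lambda handler that moves the implicated EC2 instance into a quarantine security group and tags it. The quarantine security group id, the sample finding event and the `FakeEC2` test double are constructed assumptions; in a real deployment the handler uses the boto3 EC2 client that the `ec2=None` default creates.

```python
"""Route a GuardDuty finding through a CloudWatch Events rule to a Lambda
responder. Added example for illustration; assumes a hypothetical quarantine
security group and uses a fake EC2 client so the flow runs offline."""
import json

# Event pattern as it would be attached to the CloudWatch Events rule: only
# GuardDuty findings with severity >= 7 (HIGH) reach the Lambda target.
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Hypothetical security group with no inbound or outbound rules (placeholder id).
QUARANTINE_SG = "sg-quarantine-placeholder"

# Constructed sample event in the CloudWatch Events envelope a GuardDuty finding uses.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "type": "Backdoor:EC2/C&CActivity.B!DNS",
        "severity": 8.0,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def matches(pattern, event):
    """Local evaluator for the subset of event-pattern syntax used above:
    a list means 'any of these values', a nested dict recurses, and
    {"numeric": [op, n]} (two-element form only) compares numerically."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
            continue
        ok = False
        for candidate in expected:
            if isinstance(candidate, dict) and "numeric" in candidate:
                op, n = candidate["numeric"]
                if isinstance(actual, (int, float)):
                    ok = {">=": actual >= n, ">": actual > n,
                          "<=": actual <= n, "<": actual < n, "=": actual == n}[op]
            else:
                ok = actual == candidate
            if ok:
                break
        if not ok:
            return False
    return True


def instance_id_from(event):
    """Return the EC2 instance id named in the finding, or None if the finding
    is about some other resource type (e.g. an access key)."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def lambda_handler(event, context, ec2=None):
    """Lambda entry point. `ec2` is injectable for offline tests; inside Lambda
    it defaults to a real boto3 EC2 client."""
    if ec2 is None:
        import boto3  # present in the Lambda Python runtime
        ec2 = boto3.client("ec2")
    if not matches(RULE_PATTERN, event):
        return {"action": "ignored", "reason": "finding below rule threshold"}
    instance_id = instance_id_from(event)
    if instance_id is None:
        return {"action": "ignored", "reason": "finding is not about an EC2 instance"}
    # Containment: replace the instance's security groups with the quarantine
    # group and tag it so analysts can find it. Both are real EC2 API calls.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "GuardDutyFinding", "Value": event["detail"]["type"]}])
    return {"action": "quarantined", "instance_id": instance_id,
            "finding": event["detail"]["type"]}


class FakeEC2:
    """Test double that records calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))


if __name__ == "__main__":
    client = FakeEC2()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, ec2=client), indent=2))
    print(client.calls)
```

Because the severity threshold lives in the rule pattern rather than in the handler, lowering the rule to MEDIUM findings is a configuration change, not a code change; the handler's own `matches` check is a defensive guard for the case where the function is invoked directly via the Lambda API or SDK with an event the rule never filtered. The Lambda execution role needs only `ec2:ModifyInstanceAttribute` and `ec2:CreateTags` for this responder, which keeps its blast radius small if the function itself is ever misused.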

Third-Party Tooling

Third-party tooling such as Elastic, Splunk, and Sumo Logic can be used to ingest CloudWatch and CloudTrail logs and analyze them for potential events. These tools have their own mechanisms for responding to threats, but exploring them is outside the scope of this blog. Open source tools such as Diffy, AWS Security Automation, and Panther Labs can also be a great help in detecting and responding to threats in AWS.


We have explored a variety of tooling available in AWS that can detect threats ranging from compromised EC2 instances, to anomalous network traffic, to escalated IAM privileges. We have also discussed how CloudWatch Logs, CloudWatch Events, and AWS Lambda can work together to create a robust incident detection and response strategy in AWS. There is also a variety of third-party tools that can be used outside of the cloud-native options we have explored in this article; however, many of them require specialized talent and work to configure and maintain. Automation and event-driven architecture are extremely important in the cloud and represent a paradigm shift from on-premises security to cloud security.

Here’s to not becoming the next headline - stay safe everyone!

About the author: Eric Evans is a Senior Cloud Security Consultant at ScaleSec, where he enjoys innovating and making the cloud a safer place. Originally a software developer his passion is now focused on DevOps & CyberSecurity.


Copyright CSNP - CyberSecurity NonProfit