This document outlines an AWS security workshop on threat detection and response. The workshop is divided into four modules: 1) building detective controls in the AWS environment, 2) simulating an attack, 3) detecting and responding to the attack, and 4) reviewing what happened and cleaning up resources. The document provides an agenda, prerequisites, and step-by-step instructions to guide participants through setting up AWS services for threat monitoring, launching an attack, and using services like GuardDuty, Macie and CloudWatch Events to detect and respond to security threats.

1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Find all the threats:
AWS threat detection & remediation
Ross Warren
Solutions Architect, Security Specialized
Amazon Web Services
S E C 3 0 3
Roger Cheeks
Solutions Architect, Security Specialized
Amazon Web Services

2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Prerequisites - Please complete while waiting
1) Create an AWS
account that’s not
work-related.
Admin IAM user:
Make an IAM user
account if you
haven’t already.
AWS credits will be
provided.

3. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop agenda
• Module 1: Environment setup (20 min.)
• Module 2: Attack kickoff (and presentation) (40 min.)
• Module 3: Detect, investigate & respond (45 min.)
• Module 4: Review, questions & cleanup (15 min.)
Use: US West (Oregon)
us-west-2
PLEASE FOLLOW DIRECTIONS

4. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS account housekeeping
• You need an AWS account. Don’t use one of your work accounts.
https://aws.amazon.com/
• Credits will be provided. The credit form has info on how to enter it.
https://console.aws.amazon.com/billing/home?#/credits
My Account / Billing / Credits
• Please use an AWS Identity and Access Management (IAM) user with
administrative access, not the root user.
• The facilitators will be walking around to help set up AWS accounts, enter
credits, etc.

5. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Source: 2018 Data Breach Investigation Report, Verizon, 11th edition 2018
Data Breach Patterns
Verizon 2018 data breach investigations report

6. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop scenario
Internet
Users
Public subnet
AWS Cloud
Availability Zone
Web server
VPC
S3 Bucket
Bare Minimum Architecture for POC

7. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 1 - Build detective controls
• Run the AWS CloudFormation template (~5 min.)
Before moving on, make sure the stack status
= CREATE_COMPLETE
You will get an email from Amazon SNS asking you to confirm the
subscription. Confirm the subscription so you can receive email
alerts from AWS services during the workshop.
• Manual setup steps (~15 min.)

8. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Detect and investigate
AWS Security
Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
Logs
VPC Flow Logs
DNS Logs
Amazon
Inspector
Amazon
S3
AWS Lambda
Amazon SNS
Security analyst
Respond
Module 1 - Build detective controls

9. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
https://tinyurl.com/yb5zv99e
Directions
1. Browse to URL.
2. Read through the workshop scenario.
3. Click Module 1: Environment Build in the outline on the left.
4. Complete the module (~15 min.), and then stop.
Use: US West (Oregon)
us-west-2
PLEASE FOLLOW DIRECTIONS
Do not skip the Manual steps
Module 1 - Build detective controls

10. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use: US West
(Oregon)
us-west-2
https://tinyurl.com/yb5zv99e
DonotskiptheManualsteps

11. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2 - Attack kickoff
• Run the AWS CloudFormation template (~5 min.)
Do not move on to Module 3
• Threat detection and response presentation (~30 min.)
• Workshop walkthrough (~5 min.)

12. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
https://tinyurl.com/yb5zv99e
Directions
1. Browse to URL.
2. Click Module 2: Attack Simulation in the outline on the left.
3. Complete the module (~5 min.). Then stop.
4. Do not move on to Module 3.
Module 2 - Attack kickoff Use: US West (Oregon)
us-west-2

13. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use: US West
(Oregon)
us-west-2
https://tinyurl.com/yb5zv99e

14. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection and response: Introduction

15. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Why is threat detection so hard?
Skills shortageSignal to noiseLarge datasets

16. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS Identity & Access
Management (IAM)
AWS Single Sign-On
AWS Directory Service
Amazon Cognito
AWS Organizations
AWS Secrets Manager
AWS Resource Access Manager
AWS Security Hub
Amazon GuardDuty
AWS Config
AWS CloudTrail
Amazon
CloudWatch
VPC Flow Logs
AWS Systems Manager
AWS Shield
AWS WAF – Web application
firewall
AWS Firewall Manager
Amazon Inspector
Amazon Virtual Private Cloud
(Amazon VPC)
AWS Key Management Service
(AWS KMS)
AWS CloudHSM
AWS Certificate Manager
Amazon Macie
Server-side encryption
AWS Config Rules
AWS Lambda
AWS Systems Manager
Identity Detect
Infrastructure
protection
Respond
Data
protection
Deep set of security tools

17. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
AWS threat detection services

18. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Log data inputs
DNS Logs
Track user activity
and API usage
IP traffic to/from network
interfaces in a VPC
Monitor apps using log
data, store & access log
files
Log of DNS queries in a
VPC when using the VPC
DNS resolver
AWS CloudTrail Flow logs Amazon CloudWatch

19. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Machine learning
Intelligent threat detection and
continuous monitoring to protect your
AWS accounts and workloads
Machine learning-powered security
service to discover, classify, and protect
sensitive data
Amazon GuardDuty Amazon Macie

20. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: Evocations and triggers
Continuously tracks your resource
configuration changes and if they
violate any of the conditions in your
rules
Delivers a near-real-time stream of
system events that describe changes
in AWS resources
Amazon CloudWatch
Events
AWS Config

21. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat detection: AWS Security Hub (in preview)
• Comprehensive view of your security and compliance state within AWS
• Aggregates security findings generated by other AWS security services and
partners
• Analyze security trends and identify the highest-priority security issues
Amazon
Inspector
Amazon
GuardDuty
Amazon
Macie
AWS Security Hub
Security
findings
providers
Findings
Insights
&
standards
Other
AWS
Config
Partner
solutions

22. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Respond

23. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Amazon CloudWatch Events
Amazon GuardDuty findings
Lambda
function
Partner
solutions
Automated
response
Anything
else
Amazon CloudWatch
Events

24. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Services
AWS Systems
Manager
AWS
Lambda
Amazon
Inspector
Run code for virtually
any kind of application
or backend service—
zero administration
Gain operational
insights and take action
on AWS resources
Automate security
assessments of Amazon
EC2 instances

25. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: High-level playbook
Adversary
or intern
Your environment Lambda
function
CloudWatch Events

26. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Threat response: Detailed playbook
Amazon
CloudWatch
Events
AWS
CloudTrail
AWS Config
Lambda
function
AWS APIs
Detect
Investigate
Respond
Team
collaboration
(Slack, etc.)
Amazon
GuardDuty
VPC Flow Logs
Amazon
Inspector
Amazon Macie
AWS Security Hub

27. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Workshop walkthrough

28. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2 - Attack target
InternetUsers
Public subnet
AWS Cloud
Availability Zone
Web server
VPC
S3 Bucket

29. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2 - Setup
AWS Lambda
Amazon SNS
Security analyst
RespondDetect and investigate
AWS Security
Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
Logs
DNS Logs
Amazon
Inspector
Amazon
S3
VPC Flow Logs
Public subnet
AWS Cloud
Availability Zone
Web
server
VPC
Environment
Bucket

30. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 2 - The attack
AWS Cloud
Amazon API
endpoints
Bucket
Public subnet
AWS Cloud
Availability Zone
VPC
Amazon EC2
compromised instance
Internet
Malicious Host

31. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 3 - Detection and response
https://tinyurl.com/yb5zv99e
Directions
1. Browse to URL.
2. Click Module 3: Detect & Respond in the outline on the left.
3. Run through the module. (~45 min.)
Use: US West (Oregon)
us-west-2

32. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use: US West
(Oregon)
us-west-2
https://tinyurl.com/yb5zv99e

33. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Review, questions, and cleanup

34. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4 - What happened?
• Review (5 min.)
• Questions (10 min.)
• Cleanup

35. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4 - What happened?
https://tinyurl.com/yb5zv99e
Directions
1. Browse to URL.
2. Click Module 4: Discussion in the outline on the left.
3. We will do a summary of the workshop then questions.
4. Account cleanup instructions are toward the end of the page.
Use: US West (Oregon)
us-west-2

36. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Use: US West
(Oregon)
us-west-2
https://tinyurl.com/yb5zv99e

37. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Scenario discussion

38. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4 - The attack
AWS Cloud
Amazon API
endpoints
Bucket
Public subnet
AWS Cloud
Availability Zone
VPC
Amazon EC2
compromised instanceMalicious host
Internet
1 2
3
4
API calls
Bucket changes
SSH brute force attack

39. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Module 4 - What really happened?
AWS Lambda
Amazon SNS
Security Analyst
RespondDetect and investigate
AWS Security
Hub
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
Amazon
CloudWatch
Events
Amazon
CloudWatch
Logs
DNS logs
Amazon
Inspector
Amazon
S3
VPC Flow Logs
AWS Cloud
VPC
Public subnet
Compromised
instance
Subnet 2
Elastic IP in custom
Threat List
Availability Zone
Public subnet
Malicious host
Subnet 1
Bucket
The Attack
1 2
43
API callsBucket
changes
Amazon API
endpoints
SSH Brute Force Attack
5
Amazon
Inspector
Inspector
assessment

40. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Questions

41. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Cleanup
If you haven’t already, please do the Cleanup section of Module #4.

42. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
• AWS Cloud Security: https://aws.amazon.com/security/
• Verizon 2018 Data Breach Investigations Report: https://enterprise.verizon.com/resources/reports/dbir/
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• Cloud Adoption Framework, Security Perspective whitepaper:
https://d0.awsstatic.com/whitepapers/AWS_CAF_Security_Perspective.pdf
• Vulnerability and Penetration Testing: https://aws.amazon.com/security/penetration-testing/
Useful links

43. Thank you!
S U M M I T © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.