Cloud Forensics Demystified

Product type: Book
Published in: Feb 2024
Publisher: Packt
ISBN-13: 9781800564411
Pages: 384
Edition: 1st
Authors (2): Ganesh Ramakrishnan, Mansoor Haqanee

Table of Contents (18 chapters)

Preface
1. Part 1: Cloud Fundamentals
2. Chapter 1: Introduction to the Cloud
3. Chapter 2: Trends in Cyber and Privacy Laws and Their Impact on DFIR
4. Chapter 3: Exploring the Major Cloud Providers
5. Chapter 4: DFIR Investigations – Logs in AWS
6. Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
7. Chapter 5: DFIR Investigations – Logs in Azure
8. Chapter 6: DFIR Investigations – Logs in GCP
9. Chapter 7: Cloud Productivity Suites
10. Part 3: Cloud Forensic Analysis – Responding to an Incident in the Cloud
11. Chapter 8: The Digital Forensics and Incident Response Process
12. Chapter 9: Common Attack Vectors and TTPs
13. Chapter 10: Cloud Evidence Acquisition
14. Chapter 11: Analyzing Compromised Containers
15. Chapter 12: Analyzing Compromised Cloud Productivity Suites
16. Index
17. Other Books You May Enjoy

DFIR Investigations – Logs in AWS

Through Chapters 1 to 3, you may have recognized the importance of the cloud in today’s technological landscape, and with any technological innovation come threats against it. As organizations adopt more cloud products and host and store personal or sensitive information there, that information becomes exposed to unauthorized disclosure, whether accidentally or through threat actors exploiting a misconfiguration of the systems. This chapter focuses on how to handle incidents that have occurred within Amazon Web Services (AWS). We will discuss the various log sources available to investigators and how investigators can make use of them.

Before we can begin an investigation, we need to understand which logs are available by default and which log sources must be explicitly turned on, something organizations should consider to ensure that breaches can be investigated thoroughly. We will focus on configuring these logs and look at...

VPC flow logs

We briefly introduced the Virtual Private Cloud (VPC) in Chapter 3. The VPC is the core of the network configuration for every instance within AWS. Each Elastic Compute Cloud (EC2) instance is assigned to a VPC, and each VPC is uniquely identified by a VPC ID. A VPC gives users complete control of the network environment, including defining private (non-publicly routable) IP address ranges, subnets, and security groups. Users can also configure a virtual private network (VPN) connection into their VPC. In the default configuration, AWS places every new EC2 instance into an automatically created VPC; users can instead connect the instance to an existing, preconfigured VPC.

All VPCs have a VPC identifier (VPC ID). The VPC ID is the single reference point for all network-related configuration items: to inspect or change any network property of an instance within AWS, you must look at that instance's VPC specifically. In the next example, for a specific EC2 instance, certain details are captured for VPC...
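A worked example of reading such logs, added here and not taken from the book: it parses VPC flow log records in the default (version 2) record format and triages them the way a DFIR analyst would on a first pass, counting rejected flows per source and listing accepted connections to administrative ports that came from outside the VPC. The account ID, network interface ID, IP addresses and the VPC CIDR passed to triage() are constructed sample values, not data from the book.

```python
"""Parse AWS VPC flow log records in the default (version 2) format and
triage them for a DFIR review.

Added example, not code from the book. The account id, ENI id, addresses
and VPC CIDR below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple, Union
import ipaddress

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Field order of the default flow log record format.
DEFAULT_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records: an accepted SSH session from the internet,
# a rejected RDP probe, an internal HTTPS flow and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.25 10.0.1.15 51234 22 6 30 6120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.15 44120 3389 6 3 180 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.15 10.0.2.44 33412 443 6 12 2400 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000100 1700000160 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: Optional[IPAddress]   # None when the record carries "-"
    dstaddr: Optional[IPAddress]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]        # IANA protocol number, 6 = TCP
    packets: Optional[int]
    bytes: Optional[int]
    start: datetime
    end: datetime
    action: Optional[str]          # ACCEPT / REJECT, None for NODATA/SKIPDATA
    log_status: str                # OK / NODATA / SKIPDATA


def _int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def _addr(v: str) -> Optional[IPAddress]:
    return None if v == "-" else ipaddress.ip_address(v)


def parse_flow_log(text: str) -> List[FlowRecord]:
    """Parse default-format records; lines with a different field count
    (custom formats, header lines) are skipped rather than misread."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(DEFAULT_FIELDS):
            continue
        f = dict(zip(DEFAULT_FIELDS, parts))
        records.append(FlowRecord(
            interface_id=f["interface_id"],
            srcaddr=_addr(f["srcaddr"]), dstaddr=_addr(f["dstaddr"]),
            srcport=_int(f["srcport"]), dstport=_int(f["dstport"]),
            protocol=_int(f["protocol"]),
            packets=_int(f["packets"]), bytes=_int(f["bytes"]),
            start=datetime.fromtimestamp(int(f["start"]), tz=timezone.utc),
            end=datetime.fromtimestamp(int(f["end"]), tz=timezone.utc),
            action=None if f["action"] == "-" else f["action"],
            log_status=f["log_status"],
        ))
    return records


def triage(records: List[FlowRecord], vpc_cidr: str,
           admin_ports: Tuple[int, ...] = (22, 3389)) -> Dict[str, object]:
    """Count rejected flows per source and list accepted connections to
    administrative ports that originate outside the VPC's own CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects: Dict[str, int] = {}
    external_admin: List[Tuple[str, str, int]] = []
    for r in records:
        if r.log_status != "OK" or r.srcaddr is None:
            continue  # NODATA/SKIPDATA records carry no addresses or action
        if r.action == "REJECT":
            rejects[str(r.srcaddr)] = rejects.get(str(r.srcaddr), 0) + 1
        elif (r.action == "ACCEPT" and r.srcaddr not in vpc
              and r.dstport in admin_ports):
            external_admin.append((str(r.srcaddr), str(r.dstaddr), r.dstport))
    return {"rejects_by_source": rejects, "external_admin_access": external_admin}


if __name__ == "__main__":
    result = triage(parse_flow_log(SAMPLE_LOG), "10.0.0.0/16")
    for src, dst, port in result["external_admin_access"]:
        print(f"external admin access: {src} -> {dst}:{port}")
    for src, n in result["rejects_by_source"].items():
        print(f"rejected flows from {src}: {n}")
```

The field-count guard matters in practice: flow logs created with a custom format have a different field order, and silently mapping them onto the default layout would attribute the wrong addresses and ports to a flow. NODATA and SKIPDATA records are kept in the parsed output because a gap in coverage is itself evidence worth noting in a timeline.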

S3 access logs

Amazon S3 is a very popular cloud storage service that is highly scalable and dependable for data storage and retrieval. S3 provides high availability (HA), storage performance, and access to any amount of data from anywhere in the world.

In AWS, S3 operates on buckets, which contain objects. Objects are the stored items themselves: files, documents, images, videos, and so on. Each object is identified by a unique identifier, known as its key, within the bucket that holds it. A bucket can be visualized as a folder that contains all of its objects.

Logging options

Access logs record information about the requests made to an Amazon S3 bucket, including details of each request, the specific resource requested, and the time and date of the request. Amazon S3 uses a dedicated internal identity to write server access logs, which requires AWS account owners to grant that identity explicit permission in IAM so that S3 can deliver server access logs to the target bucket.
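As an added example (not the book's code), the following parser reads S3 server access log lines, whose space-separated layout also uses [bracketed] timestamps and "quoted" fields, and pulls out two things an investigator checks early: object reads by anonymous callers that succeeded, which point at publicly readable objects, and AccessDenied responses per client IP. The bucket name, object keys, request and host IDs, account ID and IP addresses are constructed sample values.

```python
"""Parse Amazon S3 server access log lines and surface the requests a
DFIR analyst wants to see first: anonymous reads that succeeded and
requests that were denied.

Added example, not code from the book. Bucket, key, IP and ID values
are constructed sample data.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Leading fields of a server access log record, in order. Newer records
# may append further fields; they are ignored here.
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "authentication_type", "host_header", "tls_version",
]
MIN_FIELDS = 17  # everything through user_agent must be present

# Constructed sample: an authenticated download, an anonymous download that
# succeeded (the object is publicly readable) and an anonymous request that
# was denied.
SAMPLE_LOG = """\
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Jan/2024:10:02:11 +0000] 203.0.113.25 arn:aws:iam::123456789012:user/alice REQID000001 REST.GET.OBJECT reports/q4.pdf "GET /reports/q4.pdf HTTP/1.1" 200 - 524288 524288 31 12 "-" "aws-cli/2.13.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Jan/2024:10:05:42 +0000] 198.51.100.7 - REQID000002 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 1048576 1048576 52 20 "-" "curl/8.1.2" - HOSTIDEXAMPLE= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef example-bucket [15/Jan/2024:10:06:03 +0000] 198.51.100.7 - REQID000003 REST.GET.OBJECT secrets/keys.json "GET /secrets/keys.json HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "curl/8.1.2" - HOSTIDEXAMPLE= - - - example-bucket.s3.us-east-1.amazonaws.com TLSv1.2
"""


def tokenize(line: str) -> List[str]:
    """Split on spaces while keeping [bracketed] and "quoted" fields intact."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c == "[":
            j = line.index("]", i)
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c == '"':
            j = line.index('"', i + 1)
            tokens.append(line[i + 1:j])
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_access_log(text: str) -> List[Dict[str, object]]:
    """Map each line onto FIELDS; short or blank lines are skipped."""
    records = []
    for line in text.splitlines():
        tokens = tokenize(line)
        if len(tokens) < MIN_FIELDS:
            continue
        rec: Dict[str, object] = dict(zip(FIELDS, tokens))
        rec["time"] = datetime.strptime(str(rec["time"]), "%d/%b/%Y:%H:%M:%S %z")
        rec["http_status"] = int(str(rec["http_status"]))
        records.append(rec)
    return records


def anonymous_successful_reads(records) -> List[Tuple[str, str]]:
    """Object reads by unauthenticated callers ("-" requester) that
    returned 200: evidence of public (or publicly exposed) objects."""
    return [(r["key"], r["remote_ip"]) for r in records
            if r["requester"] == "-" and r["operation"] == "REST.GET.OBJECT"
            and r["http_status"] == 200]


def denied_by_ip(records) -> Dict[str, int]:
    """Count AccessDenied responses per client IP; bursts suggest probing."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["error_code"] == "AccessDenied":
            counts[r["remote_ip"]] = counts.get(r["remote_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print("anonymous reads:", anonymous_successful_reads(recs))
    print("denied by ip:", denied_by_ip(recs))
```

Because the requester field is an ARN for authenticated calls and "-" for anonymous ones, it is the quickest way to separate legitimate workload traffic from unauthenticated reads when reviewing a bucket suspected of exposure.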

Note

Note that S3 access logs are...

AWS CloudTrail

AWS CloudTrail records activities performed through the AWS Management Console against any AWS resource, for example, an EC2 instance being created or terminated, or a change to VPC settings. Every such activity on the AWS Management Console is recorded as an event within CloudTrail.

CloudTrail consolidates detailed action log events in a centralized location and provides a comprehensive, unified view of an account’s activity, making it easier to search, analyze, download, and respond to account activity across your AWS infrastructure. It also identifies which actions were performed by which user, along with other details that help DFIR teams analyze and respond to an incident in AWS.

CloudTrail logs can be integrated into CloudWatch to query activities and perform further analysis. We will discuss CloudWatch in the next section.
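An added example, not from the book, of the kind of first-pass triage a DFIR team runs over a CloudTrail log file (the JSON document with a top-level "Records" array that CloudTrail delivers to S3): it builds a time-ordered timeline of who did what from where, flags CloudTrail API calls that reduce audit coverage, finds successful console logins without MFA, and counts AccessDenied errors per principal. The records are constructed sample events; the account ID, principal, trail name, instance ID and IP address are placeholders. The field names used (eventTime, eventSource, eventName, userIdentity, sourceIPAddress, errorCode, responseElements, additionalEventData) are CloudTrail's own.

```python
"""Triage a CloudTrail log file ({"Records": [...]} as delivered to S3)
for the events a DFIR team checks first.

Added example, not code from the book. The records are constructed sample
events with placeholder account, principal, trail and IP values.
"""
import json
from typing import Dict, List, Tuple

# Constructed identity shared by all sample events (placeholder account id).
ALICE = {"type": "IAMUser", "principalId": "AIDAEXAMPLEALICE",
         "arn": "arn:aws:iam::123456789012:user/alice",
         "accountId": "123456789012", "userName": "alice"}


def _event(time: str, source: str, name: str, ip: str, **extra) -> dict:
    """Build one constructed CloudTrail record with the common fields."""
    rec = {"eventVersion": "1.08", "eventTime": time, "eventSource": source,
           "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
           "userAgent": "aws-cli/2.13.0", "userIdentity": ALICE}
    rec.update(extra)
    return rec


# Deliberately out of time order, as records in a delivered file can be.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("2024-01-15T10:02:11Z", "cloudtrail.amazonaws.com", "StopLogging",
           "203.0.113.25",
           requestParameters={"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}),
    _event("2024-01-15T10:00:05Z", "signin.amazonaws.com", "ConsoleLogin",
           "203.0.113.25", responseElements={"ConsoleLogin": "Success"},
           additionalEventData={"MFAUsed": "No"}),
    _event("2024-01-15T10:09:30Z", "ec2.amazonaws.com", "TerminateInstances",
           "203.0.113.25",
           requestParameters={"instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}}),
    _event("2024-01-15T10:03:40Z", "iam.amazonaws.com", "ListUsers",
           "203.0.113.25", errorCode="AccessDenied"),
    _event("2024-01-15T10:03:52Z", "iam.amazonaws.com", "GetAccountAuthorizationDetails",
           "203.0.113.25", errorCode="AccessDenied"),
]})

# CloudTrail API calls that reduce or remove audit coverage.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(text: str) -> List[dict]:
    return json.loads(text)["Records"]


def principal(rec: dict) -> str:
    """Best available identifier for who made the call."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def timeline(records) -> List[Tuple[str, str, str, str]]:
    """(eventTime, principal, eventName, sourceIPAddress) in time order;
    CloudTrail's ISO-8601 UTC timestamps sort correctly as strings."""
    return sorted((r["eventTime"], principal(r), r["eventName"],
                   r.get("sourceIPAddress", "-")) for r in records)


def logging_tampering(records) -> List[Tuple[str, str, str, str]]:
    """Successful calls that stop, delete or reconfigure a trail."""
    return [(r["eventTime"], principal(r), r["eventName"],
             (r.get("requestParameters") or {}).get("name", "-"))
            for r in records
            if r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in LOGGING_TAMPER_EVENTS and "errorCode" not in r]


def console_logins_without_mfa(records) -> List[Tuple[str, str, str]]:
    """Successful console sign-ins where MFA was not used."""
    return [(r["eventTime"], principal(r), r.get("sourceIPAddress", "-"))
            for r in records
            if r["eventName"] == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (r.get("additionalEventData") or {}).get("MFAUsed") == "No"]


def access_denied_by_principal(records) -> Dict[str, int]:
    """Count AccessDenied errors per principal; clusters suggest permission probing."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.get("errorCode") == "AccessDenied":
            counts[principal(r)] = counts.get(principal(r), 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for row in timeline(recs):
        print(*row)
    print("logging tampering:", logging_tampering(recs))
    print("console logins without MFA:", console_logins_without_mfa(recs))
    print("AccessDenied per principal:", access_denied_by_principal(recs))
```

The same eventName, eventSource and userIdentity fields are what you filter on when the trail is integrated into CloudWatch, so the checks above translate directly into queries there once the logs are centralized.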

The following screenshot demonstrates an example of a CloudWatch dashboard:

Figure 4.8 – CloudWatch dashboard

AWS CloudWatch

AWS CloudWatch monitors your AWS resources in near real time. You can collect and monitor resource usage and key metrics in a single pane of glass (SPOG) view. CloudWatch presents every resource metric on its dashboard for a quick overview. For DFIR teams, however, the more relevant capability is that CloudWatch can query certain logs to support an investigation.

From a security perspective, CloudWatch is a log management solution that can centrally collect and monitor logs from systems, applications, and resources. It offers log analytics on top, allowing interactive searching and analysis. Similar to CloudTrail, CloudWatch offers log exports to S3 buckets. Note that, by default, logs in CloudWatch never expire and are retained indefinitely; administrators can change the retention policy to anything from one day up to 10 years. Alternatively, organizations can send CloudWatch logs to a SIEM solution via an API for centralized monitoring and management of logs.

CloudWatch is a service that allows you to...

Amazon GuardDuty

GuardDuty is a threat detection service designed to help protect AWS resources and workloads by continuously monitoring for malicious activity and unauthorized behavior. Note that it is a detection service, not a response service: it detects a potential threat within an AWS resource and notifies the user. Integrating it with automation services such as Lambda, however, extends GuardDuty with the ability to respond to each detected threat according to an established playbook. GuardDuty uses machine learning (ML), anomaly detection, and integrated threat intelligence (TI) to identify potential security threats within your AWS environment.

Some DFIR use cases are as follows:

  • Threat detection: GuardDuty analyzes CloudTrail logs, VPC flow logs, and DNS logs to detect indicators of compromise (IOCs) and potential threats. It applies ML algorithms to identify patterns and anomalies that might indicate malicious activities, such as unauthorized access attempts, reconnaissance, or instances...

Amazon Detective

Amazon Detective helps DFIR teams analyze, investigate, and visualize security data from various AWS services. It automatically collects and analyzes log data from AWS CloudTrail, Amazon VPC flow logs, and Amazon GuardDuty to provide insights into potential security vulnerabilities and suspicious activities within an AWS environment. Some of the capabilities of Amazon Detective are as follows:

  • Security graph: Amazon Detective uses a graph-based approach to visualize and analyze security-related data by creating a graphical representation of AWS resources, accounts, and their relationships, allowing DFIR teams to identify patterns, anomalies, and potential security threats quickly.
  • Automated data ingestion: Amazon Detective automatically collects and ingests data from AWS CloudTrail, Amazon VPC flow logs, and Amazon GuardDuty for aggregating and processing to provide insights and recommendations.
  • Threat hunting: Amazon Detective enables DFIR teams with...

Summary

To summarize, AWS offers integration of API logs and generic event logs and provides a single pane of glass (SPOG) to determine threat actor activity or an insider threat within an AWS account. With CloudWatch and CloudTrail, DFIR teams can natively investigate AWS using AWS’s own tools and identify the activities an unauthorized user performed at a granular level. Furthermore, resources such as EC2 and S3 offer additional information about their configuration that allows DFIR teams to deduce and obtain further information for investigations. Remember that some security solutions, such as VPC flow logs, are not enabled by default and require the account owner or administrator to enable them explicitly. Integrating CloudTrail logs with CloudWatch and enabling Amazon GuardDuty offers DFIR teams deep insight into threats within an AWS account and its resources without explicitly deploying additional security tools. Enabling GuardDuty and, subsequently, Amazon Detective allows telemetric information...

Further reading
