AWS CloudTrail helps you discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account within a specified period of time. In this session, you learn about the AWS CloudTrail service and its value for security operations. The session dives deep into sources of data enrichment and reviews how to leverage AWS CloudTrail as part of your security operations and incident response procedures.
YouTube: https://www.youtube.com/watch?v=Tr78kq-Oa70
AWS reInforce 2021: TDR202 - Lessons learned from the front lines of Incident... by Brian Andrzejewski
The document provides an overview of lessons learned from the front lines of incident response. It discusses common causes of customer security events like insecure AWS resource configurations, unintended disclosure of credentials, and lack of vulnerability management. It outlines critical security patterns to prevent and detect these issues using AWS services like IAM, GuardDuty, and Security Hub. The presentation aims to help customers reduce security risks and recommends next steps like improving the top 10 security items in their AWS accounts.
by Michael St. Onge, Global Cloud Security Architect, AWS
Responding to an incident requires that you’re aware that an incident exists. To be aware that an incident exists, you have to know where to look and what to look for. In this session, you will learn the tools and techniques to take in the breadth of visibility that AWS offers to your environment as well as some ideas on how to inspect events of interest and identify indicators of compromise. Level 200
The document provides an overview of threat detection and remediation services on AWS, including Amazon GuardDuty for threat detection, Amazon Macie for data security, AWS WAF for web application firewall, AWS Shield for DDoS protection, and how these services can work together for security. It describes the services' capabilities for detecting known threats using threat intelligence, detecting unknown threats using anomaly detection, and providing actionable findings to help remediate issues.
AWS and its partners offer a wide range of tools and features to help you meet your security objectives. These tools mirror the familiar controls you deploy within your on-premises environments. AWS provides security-specific tools and features across network security, configuration management, access control and data security. In addition, AWS provides monitoring and logging tools that can provide full visibility into what is happening in your environment. In this session, you will get introduced to the range of security tools and features that AWS offers, and the latest security innovations coming from AWS.
DIY guide to runbooks, incident reports, and incident response by Nathan Case
In this session, we explore the cost of incidents and consider creative ways to look at future threats. We walk you through the threat landscape, looking at what has happened over the last year. Learn about the best open-source tools to have in your security arsenal now and in the future to help you detect and deal with the threats of today and tomorrow. Finally, learn how to identify where these threats are coming from and how to detect them more easily. The information in this session is provided by various teams and sources.
DevSecOps is the premise that everyone in the software development lifecycle is responsible for security. DevSecOps aims to embed security in every part of the development process. In this *workshop*, participants explore taking a standard CI/CD pipeline and adding security stages to improve security posture. Learn how to use AWS CodeCommit and AWS CodePipeline to build and publish golden AMI images. Also, learn how to modify pipeline flow to add security test cases. You also have the opportunity to perform CVE analysis and code analysis using Amazon Inspector and perform observational container analysis using Amazon GuardDuty.
The document discusses how AWS can help customers achieve compliance with the General Data Protection Regulation (GDPR). It provides an overview of the GDPR, what it regulates, and potential consequences for non-compliance. It then outlines specific AWS services, tools, and features that can help customers implement appropriate technical and organizational measures for security, encryption, access control, monitoring, and logging as required by the GDPR. The document emphasizes that GDPR compliance is a shared responsibility between AWS as the processor and customers as controllers.
This document discusses building applications securely on AWS. It outlines the shared responsibility model between AWS and customers, with AWS responsible for security of the cloud infrastructure and customers responsible for their applications and data. It describes the Shellshock vulnerability timeline and impact. It provides recommendations for reviewing VPC configuration, network access controls, and security groups. It also recommends automating deployment from known good AMIs, applying intrusion prevention, and using integrity monitoring to maintain the known good state.
AWS provides a range of security services and features that AWS customers can use to secure their content and applications and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organisation's security and compliance objectives.
AWS Security, Identity, & Compliance - An Overview: AWS Security Week at the San Francisco Loft
Presenter: William Reid, CISM, FIP
Head of Security and Compliance Solution Architecture, AWS
Managing Security with AWS | AWS Public Sector Summit 2017 by Amazon Web Services
The document discusses security best practices for using AWS. It notes that security is a shared responsibility between AWS and customers, with AWS managing security of the cloud infrastructure and customers responsible for security in their use of AWS services. It outlines the AWS Cloud Adoption Framework security perspective, including identity and access management, detective controls, infrastructure security, data protection, and incident response. The document emphasizes that security principles for the cloud are similar to traditional IT but can be applied more efficiently and at larger scale through automation. It provides examples of AWS security services that customers can use to implement best practices.
This document summarizes a presentation about securing data on AWS. It discusses how AWS can provide more security than on-premises environments through automated logging and monitoring, simplified access controls, and built-in encryption. It also outlines how AWS and customers share responsibility for security, with AWS managing the security of the cloud infrastructure and customers defining access and encryption controls for their applications and data. The presentation then demonstrates FireEye's Threat Analytics Platform for providing cloud-based threat detection, investigation, and response capabilities tailored for AWS environments.
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go... by Amazon Web Services
by Fritz Kunstler, Sr. AWS Security Consultant, AWS
In AWS, identity comes first. Before you can provision buckets, instances, VPCs, or any other infrastructure, you have to have an identity to authenticate and authorize those API calls. In this session, we'll rapidly immerse you in the fundamental primitives, mental models, and implementation patterns of the core AWS identity services such as AWS Identity & Access Management and AWS Organizations. With this knowledge in hand you'll be able to confidently construct a solid identity foundation for your workloads to sit atop. Level 200
Journey Through the Cloud - Security Best Practices on AWS by Amazon Web Services
Amazon Web Services (AWS) delivers a scalable cloud computing platform with high availability and dependability, offering flexibility for customers to build a wide range of applications. Helping to protect the security of our customers' content is of utmost importance to AWS, as is maintaining customer trust and confidence. Under the AWS shared responsibility model, AWS provides a secure global infrastructure, including compute, storage, networking and database services, as well as a range of high-level services.
AWS provides a range of security services and features that AWS customers can use to secure their content and meet their own specific business requirements for security. This presentation focuses on how you can make use of AWS security features to meet your own organization's security and compliance objectives.
Topics covered include:
• The AWS approach to security and how responsibilities are shared between AWS and our customers
• How to build your own secure virtual private cloud and integrate it with your existing solutions
• How to use AWS Identity and Access Management to securely manage and operate your applications
• Best practices for securing your AWS account, your content and your applications
View a recording of this webinar here: http://youtu.be/Ihe_8o00-WI
This document discusses AWS and cloud adoption journeys. It describes typical stages of adoption including project, foundation, migration, and reinvention stages. It recommends initial steps for a cloud journey such as creating a minimum viable product, cloud center of excellence, and discovery workshop. The document provides examples of customer cloud journeys over multiple years and discusses concepts like landing zones, account structure, network setup, identity and access management, and service catalog.
This document summarizes a presentation about security on AWS. It discusses that security is a shared responsibility between AWS and customers. AWS provides security capabilities across people and procedures, network security, physical security, and platform security. Customers are responsible for security controls like access management, data handling, and incident response. The presentation emphasizes that customers have visibility, auditability, and control over their environments on AWS to securely manage access, encrypt data, and monitor systems. It provides examples of how AWS services like CloudTrail, IAM, and encryption help customers securely use AWS.
1) The document discusses several AWS security services including IAM Access Analyzer, Amazon CodeGuru, S3 Access Points, AWS WAF Managed Rules, and VPC Ingress Routing.
2) IAM Access Analyzer continuously analyzes IAM policies to identify public access to resources, while CodeGuru helps improve code quality through automated code reviews.
3) S3 Access Points provide simplified controls for shared buckets, and WAF Managed Rules help protect applications from common threats through automatically updated rules.
Build HIPAA Eligible Solutions with AWS and APN Partners PPT by Amazon Web Services
In this webinar, you’ll learn how AWS HIPAA Eligible Services can help you build secure workloads to handle PHI in compliance with HIPAA and HITRUST standards. AWS Healthcare experts will be joined in this webinar by AWS Partner Network (APN) Partners ClearDATA and Cloudticity.
The 1%: Identity and Governance Patterns from the Most Advanced AWS Customers... by Amazon Web Services
by Quint Van Deman, Sr. Business Development Manager, AWS
Across the AWS customer base there's a wide spectrum of experience levels. In this session, we'll dive deep into a number of advanced patterns that some of our most advanced customers are using to make themselves successful. By equipping you with these deep learnings, you'll be able to raise the bar within your organization, allowing you to achieve greater levels of control, speed, and visibility at a greatly accelerated pace. Level 400
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
by Nathan Case, Sr. Consultant, AWS
Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review a production account's actions and remediate findings as they arise. We will also cover the utilization of CloudWatch to unify our findings into a single pane of glass. Level 400
This document discusses how AWS Control Tower can be used to govern multi-account AWS environments at scale. It provides an overview of AWS Control Tower's key capabilities including automated setup of a landing zone with best practice blueprints and guardrails, account factory for provisioning accounts, centralized identity and access management, and built-in monitoring and notifications. Examples are also given of how AWS Control Tower can be used to implement common multi-account architectures and operational models.
The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. Security for AWS is about three related elements: visibility, auditability and control. You have to know what you have and where it is before you can assess the environment against best practices and internal or compliance standards. Controls enable you to place precise, well-understood limits on the access to your information. Did you know, for example, that you can define a rule that says: "Tom is the only person who can access this data object that I store with Amazon, and he can only do so from his corporate desktop on the corporate network, from Monday-Friday 9-5 and when he uses MFA?" That's the level of granularity you can choose to implement if you wish.
Moving the needle on cloud security - AWS Summit Atlanta by Chris Farris
Slides from my Dev Chat at the Atlanta AWS Summit.
or How 4th Grade Math, Spreadsheets and a lot of Lambda improved my employer's cloud security posture.
Check Point Software Technologies: Secure Your AWS Workloads by Amazon Web Services
Hosting workloads on AWS provides organizations with agility, speed, efficiency, and reduced costs. Check Point vSEC further enhances this experience by delivering advanced, multi-layered threat prevention security for your AWS workloads, protecting assets and enabling secure connectivity from enterprise networks to your AWS resources. Register for our upcoming webinar to learn how Check Point vSEC on AWS provided customers with an advanced threat prevention solution to enable secure application delivery. Learn how to migrate your applications and workloads to AWS with vSEC’s comprehensive security solution tailored to help protect your cloud environment.
Join us to learn:
• How Check Point vSEC enabled customers to confidently migrate from an on-premises infrastructure to AWS
• How to prevent network attacks and data breaches when hosting workloads in a cloud-based environment
• How Courtagen Life Sciences secured their cloud environment to maintain compliance, reduce IT expenses and leverage the full capabilities of the AWS Cloud
Who should attend:
IT Admins, Security Admins, Cloud Admins, Business Decision Makers, Compliance & governance officers, Line of Business leaders, DevOps engineers & architects
We are all, now more than ever, spending more time online in our day-to-day lives. More and more startups are using the power of the cloud to set up their next disruptive product. The concept of managing information in the cloud and protecting it, thankfully, is not something new, and every cloud vendor has an abundance of security tooling available for us to leverage when setting up our next big cloud project. So, with that in mind, the following presentation aims to provide you with a general overview of AWS security tooling and the role that each of the tools plays in the security and compliance lifecycle. We will also deep dive a bit into two tools, namely GuardDuty and Security Hub.
AWS provides several security capabilities and services to increase privacy and control infrastructure access. Built-in firewalls allow you to create private networks within AWS, and also control network access to your instances and subnets. Identity and access management capabilities enable you to define individual user accounts with permissions across AWS resources. AWS also provides tools and features that enable you to see exactly what’s happening in your AWS environment. In this session, you will gain an understanding of preventive and detective controls at the infrastructure level on AWS. We will cover Identity and Access Management as well as the security aspects of Amazon EC2, Virtual Private Cloud (VPC), Elastic Load Balancing (ELB), and CloudTrail.
This document provides an overview of techniques for wrangling security events in the AWS cloud. It discusses how to leverage AWS services like CloudTrail, CloudWatch, and Config to detect, investigate, and respond to potential security incidents. Specific example events covered include CloudTrail logging being disabled, MFA removal, S3 object deletions, anomalous logins, open security groups, and use of unapproved AMIs. For each, it outlines approaches for detection, recovery, investigation, and protecting against future occurrences. The document emphasizes the ability of AWS' programmatic interfaces to automate security monitoring and incident response.
This document provides an overview of techniques for wrangling security events in the AWS cloud. It discusses how to leverage AWS services like CloudTrail, CloudWatch, and Config to detect, investigate, and respond to potential security incidents. Specific example events covered include CloudTrail logging being disabled, MFA removal, S3 object deletions, anomalous logins, open security groups, and use of unapproved AMIs. For each, it outlines approaches for detection, recovery, investigation, and protecting against future occurrences. The document emphasizes the ability of AWS' programmatic interfaces to automate security monitoring and incident response.
AWS July Webinar Series - Troubleshooting Operational and Security Issues in ..., by Amazon Web Services
AWS CloudTrail is an essential tool for troubleshooting operational issues and investigating security incidents. CloudTrail provides detailed information about the API activity in your AWS account, including who made an API call, from where, and which resources they acted on.
This webinar will help you understand the features of CloudTrail and how to use them to gain maximum visibility into your AWS resources.
Learning Objectives:
Learn how to receive email notifications for specific API activity
Learn how to troubleshoot operational and security incidents in your AWS account
Learn how to turn on CloudTrail and receive a history of log files to an S3 bucket you specify
Put detective controls in place to have visibility into your deployments. In this session, you will learn about deployment visibility at the AWS platform, application, operating system, and network levels, as well as how to build monitoring solutions at scale that leverage AWS services to turn logging data into security insight.
Speaker: Jesse Fuchs - Sr. Solutions Architect, AWS
AWS Security Week: CAF Detective Controls - Gain Visibility & Record Change, by Amazon Web Services
AWS Security Week at the San Francisco Loft: CAF Detective Controls - Gain Visibility & Record Change
Presenter: Reef D’Souza - Security Consultant, AWS Professional Services
Scalable, Automated Anomaly Detection with GuardDuty, CloudTrail, & Amazon Sa..., by Amazon Web Services
This document discusses using Amazon GuardDuty and Amazon SageMaker to perform scalable, automated anomaly detection. It describes how GuardDuty monitors AWS environments for threats by processing CloudTrail, VPC Flow, and DNS logs. SageMaker is used to build and deploy machine learning models at scale, including an IP Insights model to detect anomalous IP usage. The workshop workflow involves using SageMaker's IP Insights model to score GuardDuty findings and create an aggregated list of suspicious activity.
Training for AWS Solutions Architect at http://zekelabs.com/courses/amazon-web-services-training-bangalore/. This slide deck describes CloudTrail key concepts, workflow and event history.
___________________________________________________
zekeLabs is a Technology training platform. We provide instructor led corporate training and classroom training on Industry relevant Cutting Edge Technologies like Big Data, Machine Learning, Natural Language Processing, Artificial Intelligence, Data Science, Amazon Web Services, DevOps, Cloud Computing and Frameworks like Django,Spring, Ruby on Rails, Angular 2 and many more to Professionals.
Reach out to us at www.zekelabs.com or call us at +91 8095465880 or drop a mail at info@zekelabs.com
Automated Compliance and Governance with AWS Config and AWS CloudTrail, by Amazon Web Services
This document discusses automating compliance and governance on AWS. It begins with defining compliance and governance, then discusses the need for automation in cloud environments where resources are dynamic. It outlines a three phase approach: 1) control using IAM and service catalog, 2) monitor using AWS Config and CloudTrail, and 3) respond using Config rules and CloudWatch events with Lambda. Key services like IAM, Config, and CloudTrail are described. It emphasizes using AWS services to protect AWS resources and provides a demo.
The document discusses various AWS services for monitoring, logging, and security. It provides examples of AWS CloudTrail logs and best practices for CloudTrail such as enabling in all regions, log file validation, encryption, and integration with CloudWatch Logs. It also summarizes VPC flow logs, CloudWatch metrics and logs, and tools for automating compliance like Config rules, CloudWatch events, and Inspector.
When it comes to managing the security of your AWS environment, traditional, on-premise, perimeter-only tactics must evolve to be environment-aware, data-centric, and automated wherever possible.
Speed of detection and agility in recovery are your new challenges and AWS Config, Cloudwatch, and Lambda are your new allies that help address them.
Learn about high-speed security incident response and recovery at the push of a button perhaps. This talk provides an overview with detailed examples of configuration management, event notification, and automatic execution to rapidly detect and react to potential security concerns within your AWS environment.
Speaker: Don Bailey, Principal Security Engineer, Amazon Web Services & Joshua Du Lac, Senior Security Consultant, Amazon Web Services
Manage Security & Compliance of Your AWS Account using CloudTrail, by Cloudlytics
CloudTrail is an AWS service that records API calls made in an AWS account and delivers log files to enable security monitoring and compliance. It provides visibility into who accessed AWS resources, when they accessed them, and from where. Cloudlytics is a service that allows users to analyze CloudTrail logs to generate security and compliance reports. The document discusses enabling CloudTrail, configuring Cloudlytics to access CloudTrail logs, and using Cloudlytics to analyze the logs and generate various audit reports.
AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven..., by Amazon Web Services
Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.
As the number of developers and size of your infrastructure on AWS grows, timely investments in self-service and monitoring can help you scale operations without being the bottleneck. You can standardize infrastructure configurations for commonly used products to enable your customers to self-serve infrastructure needs for their apps. Once these resources are provisioned, you can easily understand how they are connected to administer them effectively, and monitor changes to configurations and evaluate drift. In this session, we will discuss how you can achieve a sophisticated level of standardization, configuration compliance, and monitoring using a combination of AWS Service Catalog, AWS Config, and AWS CloudTrail.
- AWS CloudTrail is an AWS service that records API calls and other events made in an AWS account and delivers log files to an S3 bucket for monitoring and auditing purposes.
- A CloudTrail trail configures delivery of event logs to an S3 bucket and can filter the events captured. Trails can apply to a single region or all regions in an AWS account.
- CloudTrail captures management and data events across AWS services and writes them to log files stored in an S3 bucket according to the trail configuration.
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A..., by Amazon Web Services
The cloud enables users to run workloads more securely than they could in a traditional data center. However, customers are still not sure how to harden their AWS accounts and resources in order to enforce compliance. Consistency around governance can also be a concern when large customers have multiple accounts. In this session, we show you how to use automation, tools, and techniques to harden and audit your AWS account as well as how to leverage AWS Organizations to ensure compliance in your enterprise.
Automated Compliance and Governance with AWS Config and AWS CloudTrail, by Amazon Web Services
As your cloud operations evolve, complexity of governance, compliance, and risk auditing of your AWS account increases. With AWS Config you can automate your controls and compliance efforts so that they scale with your cloud footprint. You can proactively audit your AWS resources, assess changes in configurations, and leverage visual dashboard to check your overall compliance status. In this session, we will help you use AWS Config and other AWS Management Tools to automate configuration governance so that compliance is embedded in the development process.
Security & Governance on AWS – Better, Faster, and Cost Effective - Technical..., by Amazon Web Services
AWS and the Cloud has ushered in a new era for Information Security & Risk Professionals. In this session, we will talk through how the world's leading corporates are reinventing their internal GRC practices to enable their business to leverage the business value of AWS while improving the security posture of their organisation. We will talk about the journey undertaken by globally regulated entities such as Capital One who now believe they can operate more securely in the public cloud than they can in their own data centres. Finally, we will provide lessons and best practices on how you can use AWS to improve the security posture of your organisation.
Speaker: Rodney Haywood, Manager Solutions Architecture, Amazon Web Services
Featured Customer - Xero
Security monitoring and threat detection with AWS, by javier ramirez
The document discusses Amazon Web Services (AWS) security services including AWS CloudTrail, VPC Flow Logs, Amazon CloudWatch, Amazon GuardDuty, AWS Security Hub, and Amazon Detective. It provides overviews and descriptions of the features and capabilities of these services for monitoring, detecting threats, aggregating findings, and investigating security issues on AWS.
Similar to AWS ReInvent 2020: SEC313 - A security operator’s guide to practical AWS CloudTrail analysis (20)
5. CloudTrail provides audit logs for AWS
An audit log of an AWS account’s authenticated requests to perform an action with an AWS service and its resources.
6. How CloudTrail can help Security Operations
• View, search, download, archive, analyze, and respond to account activity across your AWS services
• Gain detailed visibility into user, service, and resource activity
• Troubleshoot security and operational issues by tracking changes in your accounts
• Build detective security controls and automate their response around important CloudTrail event activity
7. How CloudTrail works for SecOps
• CloudTrail captures actions made directly by the user or on behalf of the user by an AWS service
• CloudTrail events are available to the AWS account within 15 minutes:
  • CloudTrail event history in the AWS Management Console for 90 calendar days
  • CloudTrail trails as log data (if enabled and configured by the customer)
  • Amazon EventBridge as events that can be filtered as a trigger for further action (if configured by the customer)
  • Ingested independently by AWS security services if enabled (for example: Amazon GuardDuty, Amazon Detective)
8. CloudTrail event history and trails: what is the difference?
CloudTrail event history
• Enabled on creation of an AWS account
• Events are available for up to 90 days per Region, per account
• Available for limited search via the AWS Management Console or AWS CLI
• Can only search one Region at a time
• Events can be viewed or downloaded as a CSV summary or as JSON objects
CloudTrail trail
• Must be enabled by the customer in their AWS account
• Extends past 90 days after trail creation; defaults to multi-Region per account
• Search events via Amazon CloudWatch Logs Insights, read from Amazon S3 into Amazon Athena for all fields, or load into third-party software
• Can be aggregated to search one-to-many AWS accounts and their Regions in Amazon S3 and third-party software
9. CloudTrail event search and analytics in AWS
CloudTrail event history: always available to view and download the last 90 days of events per Region within the AWS account
CloudTrail trail outputs:
• Amazon S3: saves a CloudTrail trail event as a series of compressed logs in Amazon S3
• CloudWatch Logs: saves each CloudTrail event as a log event in a CloudWatch Logs group
CloudTrail events search:
• Athena: query and analyze your CloudTrail logs from your Amazon S3 bucket as SQL statements
• CloudWatch Logs Insights: search and analyze your CloudTrail events from their CloudWatch Logs group
20+ partner integrations for operational and security solutions
11. Critical CloudTrail event fields
Grouped on the slide under who, what, when, how and result:
accountId, eventSource, eventName, requestParameters, eventTime, awsRegion, eventType, userIdentity.type, userIdentity.accessKeyId, userIdentity.invokedBy, userIdentity.arn, sourceIPAddress, userAgent, eventID, errorCode, responseElements, sharedEventID
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html
12. CloudTrail event types
• Management events – enabled by default
  • Records of control plane operations that are performed on or within resources
• Data events – not enabled by default
  • Records of data plane operations that are performed on or within a supported AWS resource
  • Available for Amazon S3 object events and Lambda execution at an additional cost
• Insights events – not enabled by default
  • Records unusual call volume of write management APIs in your AWS account, up to 90 days
13. CloudTrail deep dive: userIdentity (knowing “userIdentity”)
• Type of AWS Identity and Access Management (IAM) identity that made the request (userIdentity.type, userIdentity.accessKeyId)
• Who used the credentials:
  • Principal who made the request (userIdentity.arn, userIdentity.principalId)
  • Friendly name for the identity (userIdentity.userName)
  • AWS account the request was made from (userIdentity.accountId)
• If temporary credentials were used:
  • How the credentials were obtained (userIdentity.sessionContext object AND userIdentity.sessionIssuer)
• If the IAM identity was invoked by an AWS service (userIdentity.invokedBy)
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html
14. CloudTrail deep dive: IAM user examples
IAM user – Access Key:
"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJ45Q7YFFAREXAMPLE",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "userName": "Alice"
}
IAM user – STS (console login):
"userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAIT6PBPQYAB2QOUEGW",
    "arn": "arn:aws:iam::123456789012:user/Alice",
    "accountId": "123456789012",
    "accessKeyId": "ASIASJ5PL7KYQZCMJFXQ",
    "userName": "Alice",
    "sessionContext": {
        "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2019-01-24T08:44:35Z"
        }
    }
}
15. CloudTrail deep dive: IAM role examples
IAM role – STS:
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
    "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {…}
}
IAM role – EC2:
"userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAI3Z7EONDPA7LZ4RGM:i-0123456789abc0",
    "arn": "arn:aws:sts::123456789012:assumed-role/EC2InstanceRoleName/i-0123456789abc0",
    "accountId": "123456789012",
    "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "sessionContext": {…}
}
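As an added example (not from the deck), a Python helper that flattens the userIdentity fields slides 13 to 15 walk through into one record an analyst can act on. The sample identities are the deck's own, the sessionIssuer objects inside them are constructed, and the AKIA/ASIA access key prefix rule follows the IAM documentation.

```python
"""Summarise the "who" of a CloudTrail record from its userIdentity object.

Added example (not from the deck). The field layout follows the CloudTrail userIdentity
reference linked on slide 13; access key id prefixes follow the IAM documentation:
AKIA = long-term IAM user key, ASIA = temporary credentials issued by AWS STS.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Who:
    identity_type: str                   # userIdentity.type: IAMUser, AssumedRole, Root, AWSService, ...
    arn: str                             # userIdentity.arn: the principal as CloudTrail recorded it
    account_id: str                      # userIdentity.accountId: account the request was made from
    access_key_id: Optional[str]         # userIdentity.accessKeyId
    temporary_credentials: bool          # ASIA... key => STS session credentials
    mfa_authenticated: Optional[bool]    # sessionContext.attributes.mfaAuthenticated, if present
    session_issuer_arn: Optional[str]    # sessionContext.sessionIssuer.arn: where the session came from
    session_name: Optional[str]          # RoleSessionName; EC2 instance roles use the instance id
    ec2_instance_id: Optional[str]       # set when the session name looks like an instance id
    invoked_by: Optional[str]            # userIdentity.invokedBy: AWS service acting for the principal


def _to_bool(value) -> Optional[bool]:
    """CloudTrail writes mfaAuthenticated as the strings "true"/"false"."""
    if value is None:
        return None
    return str(value).lower() == "true"


def describe_user_identity(ui: dict) -> Who:
    """Flatten the fields slide 13 says to check into a single record."""
    key = ui.get("accessKeyId")
    session = ui.get("sessionContext") or {}
    issuer = session.get("sessionIssuer") or {}
    attrs = session.get("attributes") or {}
    arn = ui.get("arn", "")
    session_name = None
    if ui.get("type") == "AssumedRole":
        # principalId is "<role unique id>:<RoleSessionName>"; fall back to the arn's last segment
        principal = ui.get("principalId", "")
        session_name = principal.split(":", 1)[1] if ":" in principal else arn.rsplit("/", 1)[-1]
    return Who(
        identity_type=ui.get("type", "Unknown"),
        arn=arn,
        account_id=ui.get("accountId", ""),
        access_key_id=key,
        temporary_credentials=bool(key and key.startswith("ASIA")),
        mfa_authenticated=_to_bool(attrs.get("mfaAuthenticated")),
        session_issuer_arn=issuer.get("arn"),
        session_name=session_name,
        ec2_instance_id=session_name if session_name and session_name.startswith("i-") else None,
        invoked_by=ui.get("invokedBy"),
    )


def review_points(w: Who) -> List[str]:
    """What an analyst checks first, derived from the flattened record."""
    points = []
    if w.access_key_id and not w.temporary_credentials:
        points.append("long-term IAM user access key: check its age and last use")
    if w.mfa_authenticated is False:
        points.append("session was not MFA-authenticated")
    if w.ec2_instance_id:
        points.append(f"EC2 instance role session from {w.ec2_instance_id}: check its config history")
    if w.invoked_by:
        points.append(f"request made by AWS service {w.invoked_by} on the principal's behalf")
    return points


# Samples from slides 14-15; the sessionIssuer objects are constructed for the example
ALICE_ACCESS_KEY = {"type": "IAMUser", "principalId": "AIDAJ45Q7YFFAREXAMPLE",
                    "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012",
                    "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "Alice"}
ALICE_CONSOLE = {"type": "IAMUser", "principalId": "AIDAIT6PBPQYAB2QOUEGW",
                 "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012",
                 "accessKeyId": "ASIASJ5PL7KYQZCMJFXQ", "userName": "Alice",
                 "sessionContext": {"attributes": {"mfaAuthenticated": "false",
                                                   "creationDate": "2019-01-24T08:44:35Z"}}}
ROLE_STS = {"type": "AssumedRole", "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
            "arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
            "accountId": "123456789012", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed"},
                               "attributes": {"mfaAuthenticated": "false"}}}
ROLE_EC2 = {"type": "AssumedRole", "principalId": "AROAI3Z7EONDPA7LZ4RGM:i-0123456789abc0",
            "arn": "arn:aws:sts::123456789012:assumed-role/EC2InstanceRoleName/i-0123456789abc0",
            "accountId": "123456789012", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/EC2InstanceRoleName"}}}

if __name__ == "__main__":
    for label, ui in [("access key", ALICE_ACCESS_KEY), ("console", ALICE_CONSOLE),
                      ("role via STS", ROLE_STS), ("role on EC2", ROLE_EC2)]:
        who = describe_user_identity(ui)
        print(label, "->", who.arn, "| temporary:", who.temporary_credentials, "|", review_points(who))
```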
16. Advanced: Identifying cross-account access
Source account (S)
• Unique account requestID and eventID
• Same sharedEventID for both accounts
• userIdentity.accountId of the source account
• recipientAccountId of the source account
Destination account (D)
• Unique account requestID and eventID
• Same sharedEventID for both accounts
• userIdentity.accountId of the source account
• recipientAccountId of the destination account
18. Our scenario
• The DevOps team has identified unusual Amazon EC2 instances being seen in Region us-west-1 when the team operates in Region us-east-1
• Amazon GuardDuty detected the same EC2 instances in us-west-1 querying an IP address that is associated with cryptocurrency-related activity
• AWS Abuse has issued a notice that one of your IAM access keys was compromised prior to the EC2 instances being seen by your DevOps team
19. Key enrichment sources for CloudTrail events
• Geo IP attribution: map the sourceIPAddress of your AWS account access to its ISP and geographic IP network usage
• Amazon GuardDuty: context for detecting known threats with threat intelligence and unknown threats with anomaly detection
• AWS Config Recorder: work backward from resource configuration states to build your timeline analysis
20. SecOps “hunting” with CloudTrail: establish your hunt
• Set your desired outcomes
  • Identify who and what executed EC2 launches outside of Region us-east-1
  • Explore why AWS Abuse provided a notice against an IAM access key
• Set a hypothesis to prove/disprove
• Work backward from the known events if interrelated
  • Investigate eventName:RunInstances for the unknown EC2 launches
  • Evaluate events using the userIdentity.accessKeyId provided by the AWS Abuse notice
21. SecOps “hunting” with CloudTrail: Behavior profile your AWS account usage to userIdentity.arn
• Review each eventName together with its eventSource
• Identify key userIdentity.arn values of interest to profile their behavior
• Evaluate each userIdentity.arn of interest for both readOnly types (true and false)
• Evaluate (sourceIPAddress + userAgent) changes over time for each identity
• Look for changes in behavior of AWS service usage across Regions for each userIdentity.arn
• Look at the eventTime to produce a timeline of events for each userIdentity.arn
22. SecOps “hunting” with CloudTrail: Deep dive on anomalies
• Establish key summary fields needed for your search across AWS service events:
  .eventTime, .eventID, .userIdentity.arn, .userIdentity.accessKeyId, .readOnly, .eventType, .eventSource, .eventName, .sourceIPAddress, .userAgent, .sharedEventID, .errorCode, .errorMessage
• Review for GuardDuty findings by detectors in Region: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html
• Once you find an event “of interest,” begin to pivot and add fields:
  – requestParameters to evaluate what was sent in the request to the AWS service
  – responseElements to review how the AWS service responded to the request
23. SecOps “hunting” with CloudTrail: Applying to scenario
• Evaluate all Regions for readOnly:false for 1 week
• Capture the userIdentity.arn for eventName:RunInstances starting November 1 for 1 week for all Regions
• Pivot search to each userIdentity.arn for their prior activity by eventName
• Evaluate sourceIPAddress and userIdentity used for their actions
• Evaluate whether other userIdentity.arn values relate to the same sourceIPAddress
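The hunt on slides 20 through 23 carried out in code, as an added example that is not part of the session: constructed CloudTrail records for the scenario (a team working in us-east-1, RunInstances calls appearing in us-west-1), filtered for write events outside the home Region, pivoted on userIdentity.arn or on the accessKeyId from an AWS Abuse notice, and checked for other identities sharing a sourceIPAddress. The ARNs, access key IDs, IP addresses and user agents are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(eid, time, region, name, read_only, arn, key, ip, agent):
    """Build a minimal CloudTrail record carrying the summary fields used below."""
    return {"eventID": eid, "eventTime": time, "awsRegion": region, "eventSource": "ec2.amazonaws.com",
            "eventName": name, "readOnly": read_only, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"arn": arn, "accessKeyId": key}}

DEVOPS = "arn:aws:iam::123456789012:user/devops"
CI = "arn:aws:iam::123456789012:user/ci-runner"
# Constructed records for the scenario (not real account data): the team works in
# us-east-1; two RunInstances calls appear in us-west-1 under the devops user's
# key, coming from a new IP address and user agent. Access key IDs are placeholders.
EVENTS = [
    _rec("a1", "2020-11-01T09:00:00Z", "us-east-1", "DescribeInstances", True,
         DEVOPS, "AKIAEXAMPLEKEY00001", "203.0.113.10", "aws-cli/2.0.30"),
    _rec("a2", "2020-11-02T03:12:00Z", "us-west-1", "RunInstances", False,
         DEVOPS, "AKIAEXAMPLEKEY00001", "198.51.100.77", "Boto3/1.16.0 Python/3.8.5 Linux"),
    _rec("a3", "2020-11-02T03:15:00Z", "us-west-1", "RunInstances", False,
         DEVOPS, "AKIAEXAMPLEKEY00001", "198.51.100.77", "Boto3/1.16.0 Python/3.8.5 Linux"),
    _rec("a4", "2020-11-03T10:00:00Z", "us-east-1", "RunInstances", False,
         CI, "AKIAEXAMPLEKEY00002", "203.0.113.10", "aws-cli/2.0.30"),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def write_events_outside(events, home_region, start, days=7):
    """Steps 1-2: readOnly:false events in any Region but the home Region during
    the hunt window, grouped by the userIdentity.arn that made them."""
    begin, end = _t(start), _t(start) + timedelta(days=days)
    hits = defaultdict(list)
    for e in events:
        if not e["readOnly"] and e["awsRegion"] != home_region and begin <= _t(e["eventTime"]) < end:
            hits[e["userIdentity"]["arn"]].append(e)
    return dict(hits)

def pivot_identity(events, arn=None, access_key=None):
    """Steps 3-4: time-ordered activity for one userIdentity.arn (or for the
    accessKeyId named in an AWS Abuse notice), plus the distinct
    (sourceIPAddress, userAgent) pairs seen, so a change of origin stands out."""
    rows = sorted((e["eventTime"], e["awsRegion"], e["eventName"], e["sourceIPAddress"], e["userAgent"])
                  for e in events
                  if e["userIdentity"]["arn"] == arn or e["userIdentity"]["accessKeyId"] == access_key)
    return rows, {(ip, ua) for _, _, _, ip, ua in rows}

def identities_sharing_ip(events, ip):
    """Step 5: every userIdentity.arn that acted from the same sourceIPAddress."""
    return sorted({e["userIdentity"]["arn"] for e in events if e["sourceIPAddress"] == ip})
```

In a real hunt the records come from the trail's S3 objects or an Athena query rather than an in-memory list, but the pivots are the same.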
25. Other re:Invent 2020 sessions of interest
• SEC301: Security investigations with Amazon Detective
• SEC306: Automated forensic artifact collection on AWS with Goldman Sachs
• SEC307: Use Amazon GuardDuty and AWS Security Hub to secure multiple accounts
Hello, my name is Brian Andrzejewski, and I am here to help security operators, or SecOps, learn how to perform practical AWS CloudTrail analysis for their AWS accounts.
At AWS, I help customers navigate their side of the Shared Responsibility Model in how to triage and recover from their security event on AWS.
This includes both my experiences with customers in how to use CloudTrail during their security events
and my prior experiences as an AWS customer in Security Engineering and Operations protecting Privacy and Healthcare data on AWS.
In this session, we explore AWS CloudTrail as a service and its value for security operations. We will dive deep into sources of data enrichment, and how to leverage CloudTrail as part of your security operations and incident response procedures.
First, we are going to look at CloudTrail overall: what it is and what it does.
AWS CloudTrail helps you discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account within a specified period of time.
Activity in AWS services is authenticated and captured as CloudTrail events, and these events can be viewed in the CloudTrail console by Region, stored in Amazon S3 buckets, and delivered to Amazon CloudWatch Logs.
When we look at CloudTrail for Security Operations, or SecOps, we look at CloudTrail as an audit log of requests to the AWS service APIs, that is, the control plane.
This allows you, the security operator, to gain visibility into user, service, and resource activity and to troubleshoot security and operational issues. More importantly, once you learn the format and syntax of a CloudTrail event for the AWS services you use, you can build detective security controls and work toward automating the response to CloudTrail event activity that your organization considers an unauthorized action.
As an audit log, CloudTrail captures all authenticated user or AWS service actions made.
This includes Read and Write actions to the AWS APIs, including Create, List, Describe, Modify, and Delete API actions against an AWS service and its resources.
These become available within 15 minutes to your AWS account in 4 different ways.
It is important to understand the differences between CloudTrail event history (aka the CloudTrail console) and an organization-configured CloudTrail trail.
Both are useful for SecOps:
- The CloudTrail event history, aka the CloudTrail console, has the advantage of always being available, read-only, per Region for the last 90 days. It does have limited search fields available, and you can only search one Region at a time with the CloudTrail API.
- A CloudTrail trail, when configured in the AWS account, can extend past these 90 days, be multi-Region, and aggregate into the same S3 bucket for archival. Native AWS services like Amazon CloudWatch Logs or Amazon Athena, or third-party software, can then be used for search, depending on your CloudTrail configuration.
When I do a hunt with a customer, I look at CloudTrail event fields in 5 distinct groups of critical fields. Several of these fields are required in every CloudTrail event record, according to the CloudTrail event version produced by the AWS service.