In this module you will be configuring all the initial detective and remediation controls for your environment. You'll be running the first of two CloudFormation templates, which will automate the creation of some of these controls, and then you will manually configure the rest.
- Run the 1st CloudFormation template – 5 min
- Configure the remaining controls – 15 min
When you launch the first CloudFormation template you'll be prompted with questions regarding whether certain resources are already configured. Please verify whether you already have the following configured in your account:
- Go to AWS IAM and see if you have the following Roles created:
  - If you do not see the Macie Roles, answer No when prompted whether the Macie Roles exist when launching the CloudFormation template.
  - If you do not see the Inspector Role, answer No when prompted whether the Inspector Role exists when launching the CloudFormation template.
- Go to AWS Config (in the us-west-2 - Oregon region) and see if it is already enabled.
  - If you see a Get Started button, answer No when prompted whether Config is enabled when launching the CloudFormation template.
To initiate the scenario and configure your environment you will need to run the module 1 CloudFormation template:
| Region | Deploy |
|---|---|
| US West 2 (Oregon) | Deploy to AWS |
- Click the Deploy to AWS button above. This will automatically take you to the console to run the template. The file for the CloudFormation template (01-environment-setup.yml) is also available in the templates folder if you'd like to download it and manually upload it to create a stack.
- On the Specify Details section, enter the necessary parameters as shown below. Use the answers you discovered during the Review Current Configurations.
- Once you have entered your parameters, click Next, then Next again (leave everything on this page at the default).
- Finally, acknowledge that the template will create IAM roles and click Create.
  This will bring you back to the CloudFormation console. You can refresh the page to see the stack starting to create. Before moving on, make sure the stack is in a CREATE_COMPLETE status as shown below.
- You will get an email from SNS asking you to confirm the Subscription. Confirm it so you can receive email alerts from AWS services during the Workshop.
The CloudFormation template you just ran created three CloudWatch Event Rules for alerting and remediation purposes. The steps below will walk you through creating the final rule. After that you'll have all the necessary rules in place to receive email notifications and trigger the appropriate AWS Lambda functions for remediation.
Below are steps to create this rule through the console, but you can also find out more about doing it programmatically by reviewing the GuardDuty documentation, for example.
- Open the CloudWatch console.
- In the navigation pane on the left, under Events, choose Rules.
  What are the current Rules in place set up to do?
- Choose Create Rule.
- In the dialog box, enter the following:
  - Under Event Pattern, select Custom Event Pattern in the drop down.
  - Paste in the custom event pattern below:

    ```json
    {
      "source": ["aws.guardduty"],
      "detail": {
        "type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]
      }
    }
    ```

  - For Targets, click Add Target, select Lambda Function, and then select threat-detection-wksp-remediation-nacl.
  - Click Configure Details.
- On the Configure Details screen, enter the following information:
  - Name: threat-detection-wksp-guardduty-finding-ec2-maliciousip
  - Description: GuardDuty Finding: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
  - Click Create.
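As an added check before you save a rule like the one above (example code written for this page, not part of the workshop's templates or of the GuardDuty documentation), the following Python implements the exact-match subset of the CloudWatch Events pattern syntax that this rule uses and runs the pattern against a constructed sample GuardDuty finding event. It also flags pattern values carrying stray leading or trailing whitespace, which CloudWatch Events treats as part of the string, so a rule with such a value silently never matches and the remediation Lambda is never invoked. The sample event's account number, IDs and timestamp are placeholders.

```python
import json

# The custom event pattern configured in the rule above (same keys and values).
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail": {"type": ["UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"]},
}

# Constructed sample event in the shape CloudWatch Events delivers for a
# GuardDuty finding. The id, account number, instance id and timestamp are
# placeholders, not values from any real account.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111111111111",
    "time": "2020-01-01T00:00:00Z",
    "region": "us-west-2",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111111111111",
        "region": "us-west-2",
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def matches(pattern, event):
    """Return True when `event` satisfies `pattern`.

    Implements the exact-match subset of the event pattern syntax: every key
    in the pattern must be present in the event, a list in the pattern means
    "the event value equals any one of these", and a nested dict is matched
    recursively. Prefix, numeric and anything-but matchers are not handled.
    """
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list):
            if actual not in expected:
                return False
        else:
            raise ValueError(f"pattern value for {key!r} must be a list or a dict")
    return True


def whitespace_problems(pattern):
    """Return (path, value) pairs for pattern strings with leading or trailing
    whitespace. Strings are compared exactly, so a stray space pasted into a
    finding type makes the rule match nothing."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        elif isinstance(node, list):
            for value in node:
                if isinstance(value, str) and value != value.strip():
                    found.append(("/".join(path), value))

    walk(pattern, [])
    return found


def check_pattern_text(pattern_json, event):
    """Parse a pattern exactly as pasted into the console and report whether
    it matches `event` and whether any of its values have whitespace problems."""
    pattern = json.loads(pattern_json)
    return {
        "matches": matches(pattern, event),
        "whitespace_problems": whitespace_problems(pattern),
    }


if __name__ == "__main__":
    report = check_pattern_text(json.dumps(RULE_PATTERN), SAMPLE_FINDING_EVENT)
    print(json.dumps(report, indent=2))
```

Run it with the pattern text you intend to paste into the console as the first argument of `check_pattern_text`; a `matches` of `False` together with a non-empty `whitespace_problems` list is the usual sign of a copy-and-paste error rather than a wrong finding type.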
- Now let's examine the Lambda function to see what it does. Open the Lambda console.
- Click on the function named threat-detection-wksp-remediation-nacl.
  What will the function do when invoked?
  What will the other functions do?
The next step is to enable Amazon GuardDuty, which will continuously monitor your environment for malicious or unauthorized behavior.
- Go to the Amazon GuardDuty console.
- Click the Get Started button.
- On the next screen click the Enable GuardDuty button.
GuardDuty is now enabled and continuously monitoring your CloudTrail logs, VPC flow logs, and DNS Query logs for threats in your environment.
Since you plan on storing sensitive data in S3, let’s quickly enable Amazon Macie. Macie is a security service that will continuously monitor data access activity for anomalies and generate alerts when it detects risk of unauthorized access or inadvertent data leaks.
- Go to the Amazon Macie console.
- Click Get Started.
- Check the box under Permissions.
  The CloudFormation template you ran earlier created the IAM roles and AWS CloudTrail needed for Macie, which is why you already see the checkmarks next to those items.
- Click Enable Macie.
Macie is also used for automatically discovering and classifying sensitive data. Now that Macie is enabled, set up an integration to classify data in your S3 bucket.
- In the Amazon Macie console, click on Integrations in the left navigation.
- Click on Services near the top.
- Select your account (should be the only one) and click Add (or Details if you already have buckets configured) for Amazon S3.
- Click on the paper and pencil on the far right and select the S3 bucket that ends with "-data".
- Click Review and Save.
- Click the boxes to acknowledge pricing and terms of service and click Save.
Macie is now enabled and ready to classify your data and send alerts.
Your environment is now configured and ready for operations. Below is a diagram depicting the detective controls you now have in place.
After you have successfully set up your environment, you can proceed to the next module.