AWS Well-Architected Labs > Security > 200 Level Intermediate Labs > Automated Deployment of Detective Controls

Automated Deployment of Detective Controls

Last Updated: June 2021

Author: Ben Potter, Security Lead, Well-Architected

Introduction

This hands-on lab will guide you through how to use AWS CloudFormation to automatically configure detective controls including AWS CloudTrail, AWS Config, Amazon GuardDuty, and AWS Security Hub. You will use the AWS Management Console and AWS CloudFormation to automate the configuration of each service. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework .

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.

AWS Security Hub is a service that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, AWS Systems Manager, and AWS Firewall Manager, as well as from AWS Partner Network (APN) solutions. AWS Security Hub continuously monitors your environment using automated security checks based on the AWS best practices and industry standards that your organization follows.

Prerequisites

An AWS account that you are able to use for testing.
Permissions to create resources in CloudFormation, CloudTrail, GuardDuty, Config, S3, CloudWatch.

Costs

Typically less than $2 per month if the account is only used for personal testing or training, and the tear down is not performed
AWS CloudTrail pricing
Amazon GuardDuty pricing
AWS Config pricing
Amazon S3 pricing
AWS Security Hub pricing
AWS Pricing

Steps:

References & Useful Resources

Automate alerting on key indicators AWS Cloudtrail, AWS Config and Amazon GuardDuty provide insights into your environment.
Implement new security services and features: New features such as Amazon GuardDuty have been adopted.
Automate configuration management: CloudFormation is being used to configure AWS CloudTrail, AWS Config and Amazon GuardDuty.
Implement managed services: Managed services are utilized to increase your visibility and control of your environment.