Week 6 - Day 5: GuardDuty, Inspector, Macie

Learning objectives

  • Distinguish the 3 security detection services
  • Understand GuardDuty threat detection
  • Know how Inspector vulnerability assessment works
  • Apply Macie for PII detection

1. AWS GuardDuty

Definition

GuardDuty = intelligent threat detection that uses ML to detect malicious activity and unauthorized behavior.

Data sources analyzed

  • VPC Flow Logs (network traffic)
  • CloudTrail event logs (API calls)
  • CloudTrail S3 data events (object access)
  • DNS logs (Route 53 Resolver queries)
  • EKS audit logs
  • EKS runtime monitoring
  • RDS login events
  • Lambda network activity
  • S3 protection
  • EBS volume scanning (Malware Protection)

Findings categories

  • Reconnaissance: port scanning, IAM enumeration
  • Instance compromise: bitcoin mining, malware C&C
  • Account compromise: stolen credentials usage
  • Bucket compromise: S3 unusual access patterns
  • Cryptocurrency mining

Severity levels

  • High (7.0-8.9): immediate action needed
  • Medium (4.0-6.9): investigate
  • Low (1.0-3.9): informational

Integration

  • EventBridge: trigger Lambda for auto-remediation
  • Security Hub: aggregate findings
  • Detective: investigate root cause

Pricing

  • Per million CloudTrail events analyzed
  • Per GB VPC Flow Logs / DNS logs
  • Per GB scanned (Malware Protection)
  • 30-day free trial

Use case

  • Continuous threat monitoring
  • Detect compromised credentials
  • Detect crypto mining on EC2
  • Alert on unusual API calls

Multi-account

  • Delegate administrator account (recommended)
  • Auto-enable for new member accounts
  • Aggregate findings centrally

2. AWS Inspector

Definition

Inspector = automated vulnerability assessment for AWS workloads.

Targets scanned

  • EC2 instances (OS + app vulnerabilities)
  • ECR container images
  • Lambda functions (code + dependencies)

Vulnerability sources

  • CVE database (Common Vulnerabilities and Exposures)
  • AWS-curated rules
  • Network reachability (EC2 internet exposure)

Findings

  • Severity: Critical, High, Medium, Low
  • CVSS score (Common Vulnerability Scoring System)
  • Suggested remediation
  • Affected packages

Inspector v2 (current)

  • Replaced Inspector Classic in 2022
  • Continuous, automated scanning
  • Integration with Systems Manager Agent

Pricing

  • Per instance scanned/month (~$1-2)
  • Per ECR image scan
  • Per Lambda function

Use case

  • Compliance scanning (PCI DSS, HIPAA)
  • Detect outdated OS, libraries
  • Container image vulnerabilities before deploy

Multi-account

  • Delegated administrator
  • Auto-enroll new accounts

3. AWS Macie

Definition

Macie = ML-based data security service to discover, classify, and protect sensitive data in S3.

Detects

  • PII (Personally Identifiable Information):
    • Names, addresses, phone numbers
    • Email addresses
    • SSN, passport numbers, driver's license
  • Credit card numbers
  • Healthcare data (HIPAA-related)
  • AWS access keys (exposed in S3!)
  • Custom data identifiers (regex)

Workflow

  1. Enable Macie on account/organization
  2. Macie scans S3 buckets (sampling or full)
  3. Findings: which buckets contain sensitive data
  4. Alert + recommendation

Findings types

  • Policy findings:
    • Bucket publicly accessible
    • Bucket not encrypted
    • Bucket replicates externally
  • Sensitive Data findings:
    • PII found in object X
    • Credit card in object Y

Pricing

  • Bucket evaluation: $0.10 per S3 bucket/month
  • Sensitive data discovery: $1 per GB analyzed

Use case

  • GDPR compliance (find personal data)
  • PCI compliance (find credit cards)
  • Audit data storage
  • Prevent data leaks

4. Comparing the 3 services

              | GuardDuty                  | Inspector                      | Macie
  What        | Threat detection           | Vulnerability assessment       | Sensitive data detection
  Where       | Account activity (logs)    | EC2, ECR, Lambda               | S3 buckets
  How         | ML on log streams          | CVE scanning                   | ML on S3 objects
  Findings    | Active attacks, anomalies  | Vulnerabilities (CVEs)         | PII, credit cards
  Use case    | Real-time threat alert     | Compliance vulnerability scan  | Data privacy compliance

When to use what

  • GuardDuty: Real-time threat detection (always-on monitoring)
  • Inspector: Periodic vulnerability scan (compliance, DevSecOps)
  • Macie: Data discovery (compliance, audit)

Best practice: enable all 3 + Security Hub to aggregate.

5. AWS Security Hub

Definition

Security Hub = central dashboard for security findings from AWS services + 3rd party.

Aggregates findings from

  • GuardDuty
  • Inspector
  • Macie
  • IAM Access Analyzer
  • AWS Config
  • AWS Firewall Manager
  • 3rd party (Tenable, Qualys, Splunk)

Features

  • Compliance standards:
    • AWS Foundational Security Best Practices
    • CIS AWS Benchmark
    • PCI DSS
    • NIST CSF
  • Security score (0-100%)
  • Multi-account aggregation (via Organizations)
  • Automated response via EventBridge

Pricing

  • Per finding ingested + per check
  • Free tier: 30 days

Use case

  • Single pane of glass for security
  • Continuous compliance monitoring
  • Centralized response workflow

6. AWS Detective

Definition

Detective = investigate the root cause of security findings (GuardDuty, etc.).

Characteristics

  • Auto-collects logs (VPC Flow Logs, CloudTrail, GuardDuty findings)
  • Builds interactive graph of resources, IPs, actions
  • "What happened?" investigation tool
  • Goes beyond just alerting → understanding

Use case

  • Investigate GuardDuty finding
  • Forensic analysis after incident
  • Understand attacker movement

Pricing

  • Per GB ingested (~$2-3/GB)

7. AWS Audit Manager

Definition

Audit Manager = automate audit evidence collection for compliance.

Frameworks

  • PCI DSS, HIPAA, SOC 2, GDPR, NIST
  • Custom frameworks

Workflow

  1. Select framework (e.g., PCI DSS)
  2. Audit Manager identifies controls
  3. Continuous evidence collection from CloudTrail, Config, etc.
  4. Generate audit-ready reports

Use case

  • Annual SOC 2 audit (save manual effort)
  • Continuous compliance posture

8. AWS Config

Definition

Config = track resource configuration changes over time.

Characteristics

  • Configuration snapshots of resources
  • History (timeline of changes)
  • Compliance rules: check if resource configured correctly
  • Integration with Security Hub, Audit Manager

Use case

  • "What changed and when?"
  • Compliance check (e.g., "all S3 buckets must be encrypted")
  • Drift detection

Pricing

  • $0.003 per configuration item recorded
  • $0.001 per evaluation

9. AWS Security Suite (Big picture)

  • Prevention: IAM, KMS, VPC, SG, NACL, WAF, Shield
  • Detection: GuardDuty (threats), Inspector (vulns), Macie (data), Access Analyzer, Config
  • Response: Security Hub (centralize), EventBridge (automate), Detective (investigate), Audit Manager (compliance reports)

10. Multi-account Security Strategy

Best practice setup

  1. Dedicated Security Account (AWS Organizations)
  2. Enable across organization:
    • GuardDuty (delegated admin)
    • Inspector (delegated admin)
    • Macie (delegated admin)
    • Security Hub (delegated admin)
    • Config (organization-wide)
  3. Aggregate findings in Security Account
  4. Automated remediation via EventBridge + Lambda
  5. Quarterly reviews + Audit Manager reports

11. Common Patterns

Pattern 1: New AWS account baseline

  1. Enable GuardDuty (free trial 30 days)
  2. Enable Security Hub
  3. Enable Access Analyzer
  4. Enable IAM Identity Center (replace IAM users)

Pattern 2: Detect compromised credentials

  • GuardDuty finding: UnauthorizedAccess:IAMUser/...
  • EventBridge rule → Lambda → auto-revoke credentials
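Pattern 2 as a worked example (added here; not code from this page or from AWS): a Lambda handler that receives the GuardDuty finding from EventBridge, applies the page's High-severity threshold, and deactivates the IAM user's access key. The sample event, user name and key ID are constructed, and the StubIAM class stands in for the boto3 IAM client so the file runs offline.

```python
import json
HIGH_SEVERITY = 7.0  # GuardDuty "High" band starts at 7.0

def plan_remediation(event):
    """Decide what to do with one GuardDuty finding delivered by EventBridge.
    Only a High-severity UnauthorizedAccess:IAMUser finding on an IAM user's access
    key is auto-deactivated; root and assumed-role credentials cannot be revoked
    this way, so they go to a human instead."""
    detail = event.get("detail", {})
    finding_type = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    key = detail.get("resource", {}).get("accessKeyDetails", {})
    if not finding_type.startswith("UnauthorizedAccess:IAMUser/"):
        return {"action": "ignore", "reason": "not an IAM credential finding"}
    if severity < HIGH_SEVERITY:
        return {"action": "manual-review", "reason": "severity %.1f below High" % severity}
    if key.get("userType") != "IAMUser" or not key.get("accessKeyId"):
        return {"action": "manual-review", "reason": "not a revocable IAM user key"}
    return {"action": "deactivate-key", "user": key["userName"], "key_id": key["accessKeyId"]}

def apply_remediation(plan, iam):
    """Run the plan; `iam` is a boto3 IAM client or any object with update_access_key()."""
    if plan["action"] == "deactivate-key":
        # Deactivate rather than delete so the key remains available for forensics.
        iam.update_access_key(UserName=plan["user"], AccessKeyId=plan["key_id"], Status="Inactive")
    return plan

def lambda_handler(event, context=None, iam=None):
    """Lambda entry point; boto3 is imported lazily so the file also runs without it."""
    if iam is None:
        import boto3
        iam = boto3.client("iam")
    plan = apply_remediation(plan_remediation(event), iam)
    print(json.dumps(plan))  # lands in CloudWatch Logs as the remediation record
    return plan

# Constructed sample event (not a real finding); keys follow the EventBridge GuardDuty schema.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "source": "aws.guardduty", "detail": {
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom", "severity": 8,
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "userType": "IAMUser", "userName": "ci-deployer", "accessKeyId": "AKIAEXAMPLEKEY000001"}}}}

class StubIAM:
    """Records IAM calls instead of touching AWS, for local runs and tests."""
    def __init__(self):
        self.calls = []
    def update_access_key(self, **kwargs):
        self.calls.append(kwargs)

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT, iam=StubIAM())
```

The Lambda's execution role needs only iam:UpdateAccessKey for this to work; the EventBridge rule that invokes it should match source "aws.guardduty" and detail-type "GuardDuty Finding".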

Pattern 3: S3 data privacy

  • Macie scans S3 buckets weekly
  • Alert if PII found in non-classified bucket
  • Auto-tag bucket as "sensitive"

Pattern 4: Container vulnerability scanning

  • Inspector v2 scans ECR images on push
  • Block deploy if Critical findings (CI/CD gate)
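Pattern 4 as a worked example (added here; not the page's or AWS's own code): a Python CI gate that pulls the Inspector v2 findings for one ECR image through the ListFindings API and fails the pipeline on Critical findings that have a fix available, while reporting unfixable ones for risk acceptance. The repository name, tag, CVE IDs and package names in the sample are constructed placeholders, and the filter keys are those of the inspector2 ListFindings FilterCriteria.

```python
import json
import sys

BLOCKING = {"CRITICAL"}  # severities that fail the pipeline; widen to {"CRITICAL", "HIGH"} as policy matures

def ecr_filter(repo, tag):
    """FilterCriteria for inspector2 ListFindings: one image, active findings only."""
    return {"ecrImageRepositoryName": [{"comparison": "EQUALS", "value": repo}],
            "ecrImageTags": [{"comparison": "EQUALS", "value": tag}],
            "findingStatus": [{"comparison": "EQUALS", "value": "ACTIVE"}]}

def fetch_findings(repo, tag, inspector=None):
    """Page through ListFindings; `inspector` is a boto3 inspector2 client (created lazily)."""
    if inspector is None:
        import boto3
        inspector = boto3.client("inspector2")
    findings, token = [], None
    while True:
        kwargs = {"filterCriteria": ecr_filter(repo, tag)}
        if token: kwargs["nextToken"] = token
        page = inspector.list_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token: return findings

def gate(findings):
    """Return (passed, report). Blocking severities fail the build only when a fixed
    package version exists; unfixable ones are reported so they can be risk-accepted."""
    blocking, unfixable, counts = [], [], {}
    for f in findings:
        sev = f.get("severity", "UNTRIAGED")
        counts[sev] = counts.get(sev, 0) + 1
        if sev in BLOCKING:
            pv = f.get("packageVulnerabilityDetails", {})
            entry = (pv.get("vulnerabilityId", f.get("title")), [p.get("name") for p in pv.get("vulnerablePackages", [])])
            (unfixable if f.get("fixAvailable") == "NO" else blocking).append(entry)
    return not blocking, {"counts": counts, "blocking": blocking, "unfixable": unfixable}

# Constructed sample response in the shape of inspector2 ListFindings (not real findings).
SAMPLE_FINDINGS = [
    {"severity": "CRITICAL", "fixAvailable": "YES", "packageVulnerabilityDetails": {
        "vulnerabilityId": "CVE-0000-00001", "vulnerablePackages": [{"name": "openssl", "version": "1.0.0", "fixedInVersion": "1.0.1"}]}},
    {"severity": "CRITICAL", "fixAvailable": "NO", "packageVulnerabilityDetails": {
        "vulnerabilityId": "CVE-0000-00002", "vulnerablePackages": [{"name": "libfoo"}]}},
    {"severity": "MEDIUM", "fixAvailable": "YES", "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"}},
]

if __name__ == "__main__":
    passed, report = gate(SAMPLE_FINDINGS)  # in CI: gate(fetch_findings("my-repo", "v1.2.3"))
    print(json.dumps(report, indent=2))
    sys.exit(0 if passed else 1)  # non-zero exit code blocks the deploy stage
```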

Review questions

  1. Which data sources does GuardDuty analyze?

    Answer:

    GuardDuty analyzes: VPC Flow Logs, DNS Logs, CloudTrail Events, CloudTrail S3 Data Events (optional), EKS audit logs, Lambda network activity, RDS login activity. It uses ML to detect anomalies: unusual API calls, compromised credentials, cryptocurrency mining, port scanning, known malicious IPs. You do not need to enable every data source in the account; GuardDuty pulls them from AWS itself.

  2. Which resource types can Inspector scan?

    Answer:

    Amazon Inspector scans: EC2 instances (OS vulnerabilities, network exposure), ECR container images (layer vulnerabilities), Lambda functions (package vulnerabilities, code analysis). Automated continuous scanning; no manual schedule needed. It generates findings with severity, CVE details, and remediation recommendations. Different from the classic Inspector of 2016: the new generation (Inspector v2) integrates with AWS Organizations.

  3. What does Macie specialize in detecting in S3?

    Answer:

    Amazon Macie specializes in detecting sensitive data in S3 buckets using ML: PII (Personally Identifiable Information), financial data (credit cards, bank accounts), credentials, medical records. It also detects misconfigured buckets (public access, unencrypted). Macie creates findings when it detects sensitive data exposure. Suitable for GDPR, HIPAA, PCI DSS compliance: it audits S3 bucket contents automatically.

  4. How does Security Hub differ from Detective?

    Answer:

    Security Hub: aggregates findings from many services (GuardDuty, Inspector, Macie, IAM Access Analyzer, Config...) and third-party tools into one dashboard. Normalizes them to the ASFF format, automation via EventBridge. Amazon Detective: investigation tool; when there is a finding/incident, use Detective to visualize, analyze the root cause, and view the timeline of activity. Detective helps "investigate" after detection; Security Hub helps "aggregate and prioritize".

  5. When do you need Shield Advanced instead of Shield Standard?

    Answer:

    You need Shield Advanced when: (1) applications are business-critical with high revenue risk if downtime occurs (e-commerce, financial), (2) you need 24/7 DRT support to respond to and mitigate complex DDoS, (3) you need cost protection: reimbursement of AWS scaling costs during a DDoS (EC2, NAT GW, data transfer), (4) you need Layer 7 auto-mitigation for sophisticated HTTP-based attacks. $3,000/month per org; justified for enterprises.

Hands-on exercises

  • Enable GuardDuty (30 day free trial), wait 24h and check the findings
  • Enable Inspector v2 for EC2 instances
  • Enable Macie, scan 1 S3 bucket containing sample PII
  • Enable Security Hub, observe aggregated findings
  • Setup EventBridge rule: GuardDuty High severity → SNS email
