What AWS native service for AWS account anomaly detection and intrusion detection?

Question

Hi,

Do we have any turnkey functionality enabling anomaly-based intrusion detection in AWS accounts? if yes which service offers that?  It's not super-clear to me what capability is present in GuardDuty and Detective (docs say "use rule set and ML [...] and analyze data like VPC flow logs, DNS, Cloudtrail").

Accepted Answer

First I suggest to share this whitepaper with the customer https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

Secondly: https://aws.amazon.com/blogs/security/why-we-reduce-complexity-and-rapidly-iterate-on-amazon-guardduty-twelve-new-detections-added/

AWS Guarduty combined with AWS Cloud Trail is the options available natively for now, or you could use Alert Logic a partner on the marketplace.

Answer

In addition to the suggestions from the answer above, I'd recommend using the 4th session of the Well-Architected Framework - Security Pillar - which gives guidance configuring services (not only GuardDuty and CloudTrail but other services that can be used to detect threats like WAF, Config, etc) , analyze logs, prepare automation and implement actionable security events following best practices to threat detection.

[https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/sec_detect_investigate_events_app_service_logging.html)

I'd suggest also to look at the AWS Security Hub service which can centralize alerts and insights from several AWS and 3rd party services not only regarded to threat detection.

[https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

What AWS native service for AWS account anomaly detection and intrusion detection?

관련 콘텐츠