AWS security services notification during attack

Question

What AWS security services will notify me when there is an adversary in my website and its related database (RDS mySQL) hosted on AWS? It is a notification needed for when an adversary in on my environment, and not for investigation after the adversary has performed malicious actions on the environment.

I'm looking into AWS Detective and Security Hub, but I didn't find if they integrate with SNS. Pls help out.

Accepted Answer

I think you need to define and build an IDS system in this case. You can’t just rely on AWS services for this type of stuff.

You may need to implement something like VPC mirroring with a 3rd party system and have your website logs sent to a SIEM for analysis.

Answer

AWS Config can send an alert via SNS when a change is made to the AWS configuration that breaches a compliance rule https://docs.aws.amazon.com/config/latest/developerguide/notifications-for-AWS-Config.html

Answer

Hello.

I believe GuardDuty can be used to detect unauthorized logins to RDS.  
https://docs.aws.amazon.com/guardduty/latest/ug/rds-protection.html  
https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html

GuardDuty can also link events to Amazon EventBridge.  
So it is possible to have linked events notified via SNS to e-mail or other means.  
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

AWS security services notification during attack

Relevant content