You just joined an IT security team in a large financial company.
Your company is a heavy user of AWS and owns a large number of AWS resources including EC2, S3, RDS, etc.
In order to monitor the services from security perspective, your team is required to create a continuous monitoring service in AWS.
For example, the service should be able to identify potential risks if an EC2 instance is compromised and is used to perform a Denial of Service (DoS) attack using UDP protocol.
Which approach should you take?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - A.
According to.
https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html,Option A is CORRECT: Because GuardDuty is able to process log files and provide security alarms.
Below is an example when GuardDuty has found a high risk alarm when an EC2 instance may be used to perform a Denial of Service (DoS) attack using UDP protocol on TCP port:
Option B is incorrect: Because Macie mainly deals with data in S3 bucket.
For example, it can find out PII data in a S3 file.
GuardDuty is more appropriate in this case.
Option C is incorrect: The security feature of Trusted Advisor can be regarded as a supplement however it only provides a limited check and can not scan security issues for the whole system.
Option D is incorrect: Athena can be used to scan S3 buckets using SQL commands.
However this case requires a continuous monitoring tool.
Athena is not applicable for this task.
As an IT security team in a large financial company, you are required to create a continuous monitoring service in AWS to monitor services from a security perspective. The service should be able to identify potential risks, such as if an EC2 instance is compromised and used to perform a Denial of Service (DoS) attack using UDP protocol. Here are the explanations of the four options given:
Option A: Use AWS GuardDuty to continuously monitor AWS services. GuardDuty can detect security issues and generate findings in console or through Amazon CloudWatch events.
AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts. It uses machine learning and anomaly detection to identify threats and generates findings in the AWS Management Console or through Amazon CloudWatch events. GuardDuty can monitor a wide range of AWS services, including EC2, S3, and RDS, and can detect common attack types such as DoS attacks, port scanning, and DNS exfiltration.
Option B: Enable AWS Macie to continuously scan AWS security risks in resources such as EC2. It can identify potential issues and provide alarms such as if an EC2 instance is compromised.
AWS Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. It can continuously scan AWS resources, including EC2 instances, to identify potential security risks such as data leaks, insider threats, and compromised instances. Macie can also provide alerts and alarms when it detects potential security issues.
Option C: Enable AWS Enterprise support plan and activate full features of Trusted Advisor which can quickly provide alarms for security-related issues.
AWS Trusted Advisor is a service that provides best practices and guidance for optimizing AWS resources and improving security and performance. It can analyze AWS accounts and provide recommendations for cost optimization, security, and fault tolerance. The Enterprise support plan provides access to the full set of Trusted Advisor features, including security-related recommendations. Trusted Advisor can quickly provide alarms for security-related issues, but it may not be as comprehensive as some of the other options.
Option D: Activate VPC Flow Logs, AWS CloudTrail event logs, and DNS logs and transfer the logs to a dedicated S3 bucket. Configure Athena to query the logs to identify potential security problems.
VPC Flow Logs, AWS CloudTrail event logs, and DNS logs can all provide valuable information for monitoring AWS resources from a security perspective. VPC Flow Logs capture information about the traffic going in and out of network interfaces in a VPC, CloudTrail event logs capture API activity in AWS accounts, and DNS logs capture DNS queries and responses. By transferring these logs to a dedicated S3 bucket and configuring Athena to query the logs, you can identify potential security problems, such as suspicious network traffic or unauthorized API activity.
Out of the given options, Option A, using AWS GuardDuty, is the most comprehensive and suitable approach to continuously monitor AWS services from a security perspective. It offers a wide range of threat detection capabilities, including the ability to detect DoS attacks and port scanning, and can generate findings in the AWS Management Console or through Amazon CloudWatch events.