Security Hub Remediations with GuardDuty detection

Amazon GuardDuty Detection with AWS Security Hub Remediation

In this lab, we will configure GuardDuty to generate findings and then use Security Hub to remediate those findings:

  1. Amazon GuardDuty detects findings; AWS Security Hub remediates those findings.
  2. Amazon GuardDuty - Provides automated finding generation for EC2 Malicious IP, EC2 Brute Force Attacks and a non-compliant IAM password policy change.
  3. AWS Security Hub - Automated remediations for Amazon GuardDuty findings with AWS Security Hub Custom Actions.

Prerequisite

  1. Enable GuardDuty from the console
  2. Enable Security Hub from the console

Solution Design

Install

  1. The install is done in one step. Launch the aws-guarddutydetect-securityhubremediate.yml template. This template provisions AWS Security Hub Custom Actions to remediate GuardDuty findings. It also provisions a VPC with test EC2 instances that have built-in scripts to generate our Amazon GuardDuty findings. Once the stack has been successfully provisioned, navigate to the Resources section and search for GDThreatListBucket. Select the Physical ID of the S3 bucket; this takes you to the S3 bucket created by the CloudFormation stack. This bucket will be used to store the threat list of IP addresses. Make a note of the S3 bucket name for later reference.

Configure GuardDuty

  1. Navigate to the EC2 console. Here you will see the two EC2 instances that were provisioned. Notice that only one of these instances has an Elastic IP associated with it. Make a note of the Elastic IP (EIP). We will next configure this as the malicious instance for our GuardDuty findings generation scenario.

  2. Create a .txt file named threatlist.txt and add a line containing the EIP of the EC2 instance.

  3. Navigate to the S3 console and upload threatlist.txt to the GDThreatListBucket S3 bucket provisioned in the Install section.

  4. Navigate to the GuardDuty console. From the left panel, under Settings, choose Lists. Then, on the right-hand panel under Threat lists, choose +Add a threat list. Enter a name for List Name and enter the S3 URL of the bucket from step 3 as the Location. Choose Plaintext as the Format. Select Add List.

  5. You should now see your list under the Threat lists panel. Select the checkbox in the Active column and make sure it turns blue.

Generate GuardDuty Findings - EC2

  1. Navigate to the EC2 console and select the EC2 instance that does not have an Elastic IP associated with it. We will use this instance as the compromised instance in our scenario to generate GuardDuty findings.

  2. On the Connect to instance page, select EC2 Instance Connect and then Connect.

  3. Once connected to the instance, type ls and press Enter to list the files in the current folder. You will find a script named gd-portscan.sh.

  4. Run the script by typing ./gd-portscan.sh. This initiates a port scan of the malicious instance.

Generate GuardDuty Findings - IAM

  1. Navigate to the IAM console and select Account Settings from the left panel. Under Password policy, select Change. Reduce the strength of the password policy so that it only enforces the minimum password length: select Password policy, select the minimum password length checkbox, and select Save Changes.

Automated Remediations with Security Hub Custom Actions

It may take 15-20 minutes for GuardDuty to generate the findings and for them to be displayed in the Security Hub console.

  1. Once the findings are generated in GuardDuty, navigate to the Security Hub console. On the left-hand panel, choose Findings. You will find the two new findings generated by GuardDuty. Select one of these findings. From the Actions drop-down menu at the top right, select the GDRemeEC2 Security Hub Custom Action. This custom action was provisioned by the aws-guarddutydetect-securityhubremediate.yml template.

  2. Navigate back to the EC2 console. Notice that the compromised EC2 instance has been stopped.

  3. Navigate back to the Security Hub console. On the left panel, choose Findings. You will find the “Account password policy was weakened by calling UpdateAccountPasswordPolicy.” finding generated by GuardDuty. Select this finding. From the Actions drop-down menu at the top right, select GDRemeIAM.

  4. Navigate to the IAM console and go to Account Settings. You will notice that the password policy has been made stronger.
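As an added example (not the lab template's own code), this is the kind of remediation logic the two custom actions above would invoke. It assumes the custom actions are routed through EventBridge to a Lambda function, that the action names are GDRemeEC2 and GDRemeIAM as in the lab, and that the hardened password policy values are a hypothetical baseline rather than the template's.

```python
# Hypothetical remediation logic behind the GDRemeEC2 / GDRemeIAM custom actions (added example).
# Security Hub publishes a custom action as an EventBridge event whose detail carries the action
# name and the selected findings in ASFF form; wire lambda_handler(event, context) to remediate(event).

STRONG_PASSWORD_POLICY = {  # assumed baseline; the template may enforce different values
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "MaxPasswordAge": 90, "PasswordReusePrevention": 24}

SAMPLE_EVENT = {"detail": {"actionName": "GDRemeEC2", "findings": [{  # constructed sample event
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}]}]}}

class DryRunClient:  # stand-in for a boto3 client: records calls instead of touching AWS
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record

def _client(service):
    import boto3  # imported lazily so the module loads even where boto3 is absent
    return boto3.client(service)

def instance_ids_from_findings(findings):
    """ASFF names the instance by ARN (.../instance/i-...); keep only the instance ID."""
    return [r["Id"].rsplit("/", 1)[-1] for f in findings
            for r in f.get("Resources", []) if r.get("Type") == "AwsEc2Instance"]

def is_weak_password_policy_finding(finding):
    """Match the GuardDuty finding title seen in the lab rather than remediating blindly."""
    return "Account password policy was weakened" in finding.get("Title", "")

def remediate(event, ec2=None, iam=None):
    """Dispatch on the action name; clients are injectable so the logic can run offline."""
    action, findings = event["detail"]["actionName"], event["detail"]["findings"]
    if action == "GDRemeEC2":
        ids = instance_ids_from_findings(findings)
        if ids:  # stop only the instances actually named in the selected findings
            (ec2 or _client("ec2")).stop_instances(InstanceIds=ids)
        return {"action": action, "stopped": ids}
    if action == "GDRemeIAM":
        hardened = any(is_weak_password_policy_finding(f) for f in findings)
        if hardened:
            (iam or _client("iam")).update_account_password_policy(**STRONG_PASSWORD_POLICY)
        return {"action": action, "policy_hardened": hardened}
    return {"action": action, "ignored": True}  # unknown action: change nothing
```

Running `remediate(SAMPLE_EVENT, ec2=DryRunClient())` shows the exact stop_instances call the real action would make without touching the account.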