In this lab, we will configure GuardDuty to generate findings and then use Security Hub to remediate those findings:
1. Amazon GuardDuty detects the findings; AWS Security Hub remediates them.
2. Amazon GuardDuty provides automated finding generation for an EC2 instance communicating with a malicious IP, EC2 brute-force attacks, and a non-compliant IAM password policy change.
3. AWS Security Hub provides automated remediation of the GuardDuty findings through Security Hub custom actions.
Navigate to the EC2 console. You will see the two EC2 instances that the lab provisioned. Notice that only one of them has an Elastic IP (EIP) associated with it. Make a note of that EIP: this instance plays the malicious host in the GuardDuty finding-generation scenario, and its address is what goes on the threat list.
Create a text file named threatlist.txt containing a single line with the EIP of that instance. GuardDuty plaintext threat lists take one IP address or CIDR range per line, so make sure you paste the public EIP and not the instance's private address. Upload the file to an S3 bucket in this account; you will need the object's S3 URL in the next step.
Navigate to the GuardDuty console. From the left panel, under Settings, choose Lists. In the right-hand panel, under Threat lists, choose Add a threat list. Enter a List name and, as the Location, enter the S3 URL of the threatlist.txt object you uploaded in step 3. Choose Plaintext as the Format, then choose Add list.
Your list now appears under Threat lists. Select the checkbox in the Active column and confirm it turns blue: GuardDuty only matches traffic against a threat list that is active.
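The same threat-list setup, done from a script rather than the console. This is an added example, not code from the workshop: it validates the list before anything is uploaded (one IP or CIDR per line, and a check that the entry is not a private or link-local address, since the lab wants the public EIP), uploads it to S3, and registers it with GuardDuty through the CreateThreatIntelSet API, whose "TXT" format is what the console calls Plaintext. The bucket name, object key, list name and the sample address 203.0.113.10 are placeholders I chose for the example; the caller needs s3:PutObject on the bucket plus guardduty:ListDetectors and guardduty:CreateThreatIntelSet.

```python
"""Added example (not the workshop's own code): build, validate and register a
GuardDuty plaintext threat list from a script.

Assumptions (mine, not from the page): bucket, key and list name are placeholders
supplied by the caller; GuardDuty is already enabled in the target region.
"""
import ipaddress
import sys

try:
    import boto3  # needed only by publish_threat_list(); validation runs without it
except ImportError:
    boto3 = None

# Ranges that can never be the public EIP the lab asks for. Pasting the instance's
# private address instead of its EIP is the usual mistake this catches.
LOCAL_RANGES = tuple(ipaddress.ip_network(r) for r in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local (incl. IMDS)
))


def validate_threat_list(text):
    """Check a plaintext threat list: one IPv4/IPv6 address or CIDR per line.

    Returns (entries, errors). Blank lines are dropped, duplicates collapsed, and
    every problem is reported with its line number so nothing malformed is uploaded.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False accepts a host address such as an EIP with no /32 suffix
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not an IP address or CIDR")
            continue
        if net.version == 4 and any(net.subnet_of(r) for r in LOCAL_RANGES):
            errors.append(f"line {lineno}: {line!r} is a private/local range, not a public EIP")
            continue
        if line not in entries:
            entries.append(line)
    return entries, errors


def publish_threat_list(entries, bucket, key, list_name, region=None):
    """Upload the validated list to S3 and register it as an active GuardDuty threat list.

    Returns the ThreatIntelSetId. Format "TXT" is the API name for the console's Plaintext.
    """
    body = ("\n".join(entries) + "\n").encode()
    s3 = boto3.client("s3", region_name=region)
    s3.put_object(Bucket=bucket, Key=key, Body=body, ContentType="text/plain")

    gd = boto3.client("guardduty", region_name=region)
    detectors = gd.list_detectors()["DetectorIds"]
    if not detectors:
        raise RuntimeError("GuardDuty is not enabled in this region")
    resp = gd.create_threat_intel_set(
        DetectorId=detectors[0],
        Name=list_name,
        Format="TXT",
        Location=f"s3://{bucket}/{key}",
        Activate=True,  # same as ticking the Active checkbox in the console
    )
    return resp["ThreatIntelSetId"]


if __name__ == "__main__":
    # usage: python threatlist.py <EIP> <bucket>   (names below are placeholders)
    eip, bucket = sys.argv[1], sys.argv[2]
    entries, errors = validate_threat_list(eip + "\n")
    if errors:
        raise SystemExit("\n".join(errors))
    print(publish_threat_list(entries, bucket, "threatlist.txt", "lab-threat-list"))
```

The validation step is the part worth keeping even if you stay in the console: a threat list that contains a private address or a stray word will be accepted as a file but will never match the traffic the port-scan script generates, and the only symptom is findings that never arrive.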
Navigate to the EC2 console and select the EC2 instance that does not have an Elastic IP associated with it. This instance plays the compromised host in the scenario and is the one that will generate the GuardDuty findings.
Choose Connect. On the Connect to instance page, select EC2 Instance Connect and then Connect:
Once connected, run ls to list the files in the current directory. You will find a script named gd-portscan.sh.
Run the script with ./gd-portscan.sh. It performs a port scan from the compromised instance against the Elastic IP of the malicious instance, the address you placed on the threat list.
It may take 15-20 minutes for GuardDuty to generate the findings and for them to appear in the Security Hub console.
Once the findings appear in GuardDuty, navigate to the Security Hub console. On the left-hand panel, choose Findings. You will see the two new findings that GuardDuty generated for the compromised instance. Select them, and from the Actions drop-down menu at the top right choose the GDRemeEC2 custom action. This custom action was provisioned by the aws-guarddutydetect-securityhubremediate.yml template.
Navigate back to the EC2 console. Notice that the compromised EC2 instance has been stopped:
Navigate back to the Security Hub console. On the left panel, choose Findings. You will find the finding "Account password policy was weakened by calling UpdateAccountPasswordPolicy." that GuardDuty generated. Select this finding, and from the Actions drop-down menu at the top right choose GDRemeIAM.
Navigate to the IAM console and go to Account settings. You will notice that the password policy has been made stronger.
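What happens between choosing GDRemeEC2 or GDRemeIAM and the instance stopping or the policy tightening is not shown on this page: a Security Hub custom action publishes an event to EventBridge, and a rule forwards it to a Lambda function. The following is an added example of such a function, written by me and not the code from the aws-guarddutydetect-securityhubremediate.yml template. It assumes the EventBridge rule passes the custom-action event to the function unchanged, uses the custom action name carried in the event to pick the remediation, pulls the instance ID and region out of the finding's AwsEc2Instance resource ARN, and deduplicates so the two findings the lab produces for one instance lead to one StopInstances call. The sample event, instance ID, account ID and the hardened password policy values are constructed for the example; the workshop's own values are not stated on the page.

```python
"""Added example (not the workshop's Lambda): remediation behind Security Hub
custom actions such as GDRemeEC2 (stop the instance) and GDRemeIAM (harden the
account password policy).

Assumptions (mine, not from the page): the EventBridge rule delivers the
"Security Hub Findings - Custom Action" event unchanged, and the policy values
in HARDENED_PASSWORD_POLICY are this example's choice.
"""
from collections import defaultdict

try:
    import boto3  # needed only by apply_plan(); planning runs without AWS access
except ImportError:
    boto3 = None

# Assumed hardened policy; parameter names are those of iam:UpdateAccountPasswordPolicy.
HARDENED_PASSWORD_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
}

# Constructed sample event in the shape EventBridge delivers for a custom action:
# two findings for the same (made-up) instance, as the lab produces.
SAMPLE_EC2_EVENT = {
    "version": "0",
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "region": "us-east-1",
    "detail": {
        "actionName": "GDRemeEC2",
        "actionDescription": "Stop the EC2 instance in the finding",
        "findings": [
            {
                "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/d1/finding/f1",
                "Title": "EC2 instance i-0123456789abcdef0 is performing outbound port scans.",
                "Resources": [{"Type": "AwsEc2Instance",
                               "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
            },
            {
                "Id": "arn:aws:guardduty:us-east-1:123456789012:detector/d1/finding/f2",
                "Title": "EC2 instance i-0123456789abcdef0 is communicating with a threat-listed IP.",
                "Resources": [{"Type": "AwsEc2Instance",
                               "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}],
            },
        ],
    },
}


def is_custom_action_event(event):
    """Only act on events Security Hub emits for a custom action, nothing else."""
    return (event.get("source") == "aws.securityhub"
            and event.get("detail-type") == "Security Hub Findings - Custom Action")


def ec2_instances_by_region(findings):
    """Map region -> unique instance IDs from the AwsEc2Instance resources in ASFF findings."""
    by_region = defaultdict(list)
    for finding in findings:
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            parts = res.get("Id", "").split(":")
            # arn:aws:ec2:<region>:<account>:instance/<instance-id>
            if len(parts) != 6 or not parts[5].startswith("instance/"):
                continue
            region, instance_id = parts[3], parts[5].split("/", 1)[1]
            if instance_id not in by_region[region]:
                by_region[region].append(instance_id)
    return dict(by_region)


def plan_remediation(event):
    """Decide what to do, without touching AWS, so the decision can be logged and tested."""
    if not is_custom_action_event(event):
        raise ValueError("not a Security Hub custom action event")
    detail = event["detail"]
    action, findings = detail.get("actionName"), detail.get("findings", [])
    plan = {"action": action, "finding_ids": [f.get("Id") for f in findings],
            "stop_instances": {}, "harden_password_policy": False}
    if action == "GDRemeEC2":
        plan["stop_instances"] = ec2_instances_by_region(findings)
    elif action == "GDRemeIAM":
        plan["harden_password_policy"] = True
    else:
        raise ValueError(f"unhandled custom action {action!r}")
    return plan


def apply_plan(plan):
    """Carry out the plan; the EC2 client must be created in the instance's own region."""
    for region, ids in plan["stop_instances"].items():
        boto3.client("ec2", region_name=region).stop_instances(InstanceIds=ids)
    if plan["harden_password_policy"]:
        boto3.client("iam").update_account_password_policy(**HARDENED_PASSWORD_POLICY)


def lambda_handler(event, context):
    plan = plan_remediation(event)
    apply_plan(plan)
    return plan
```

Keeping the decision (plan_remediation) separate from the AWS calls (apply_plan) lets you unit-test the finding parsing offline and log exactly what the function intended before it acts, which matters for a function that stops instances. Its execution role needs only ec2:StopInstances and iam:UpdateAccountPasswordPolicy; granting it ec2:* or iam:* would turn a remediation bug, or a forged custom-action event, into a much larger blast radius.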