1
00:00:06,840 --> 00:00:09,560
- Now let's review a few other security services

2
00:00:09,560 --> 00:00:11,520
such as Amazon Macie,

3
00:00:11,520 --> 00:00:12,760
Amazon GuardDuty

4
00:00:12,760 --> 00:00:14,303
and Amazon Inspector.

5
00:00:15,260 --> 00:00:17,040
Now Amazon Macie is a service

6
00:00:17,040 --> 00:00:21,470
that can automatically discover, classify and protect

7
00:00:21,470 --> 00:00:23,317
sensitive data within AWS.

8
00:00:25,104 --> 00:00:27,220
This data could be things such as

9
00:00:27,220 --> 00:00:30,370
personally identifiable information, PII.

10
00:00:30,370 --> 00:00:33,610
Could be protected health information, PHI.

11
00:00:33,610 --> 00:00:35,390
Could be intellectual property or

12
00:00:35,390 --> 00:00:38,780
other types of sensitive information.

13
00:00:38,780 --> 00:00:41,540
And Amazon Macie leverages machine learning

14
00:00:41,540 --> 00:00:45,130
to automatically learn what types of information

15
00:00:45,130 --> 00:00:47,670
are deemed to be sensitive

16
00:00:47,670 --> 00:00:50,190
and learns the type of patterns that

17
00:00:50,190 --> 00:00:51,893
are happening within your account.

18
00:00:53,220 --> 00:00:56,980
Amazon Macie will then proactively inform you

19
00:00:56,980 --> 00:01:00,260
as to where that data is stored

20
00:01:00,260 --> 00:01:02,800
and how that data is being used.

21
00:01:02,800 --> 00:01:04,060
And so

22
00:01:04,060 --> 00:01:04,893
Amazon Macie

23
00:01:06,060 --> 00:01:07,730
is really useful in those cases

24
00:01:07,730 --> 00:01:10,570
where perhaps you do have a larger organization.

25
00:01:10,570 --> 00:01:14,220
You have a lot of people using AWS resources

26
00:01:14,220 --> 00:01:16,710
and maybe you have a number of S3 buckets

27
00:01:16,710 --> 00:01:18,800
and a lot of data moving around.
28
00:01:18,800 --> 00:01:20,500
And as we've seen over the years,

29
00:01:20,500 --> 00:01:22,110
we've seen plenty of articles

30
00:01:22,110 --> 00:01:25,498
where companies have sort of gotten in trouble

31
00:01:25,498 --> 00:01:29,620
because they made sensitive data publicly available.

32
00:01:29,620 --> 00:01:31,569
Or they made sensitive data,

33
00:01:31,569 --> 00:01:33,500
if not publicly available,

34
00:01:33,500 --> 00:01:35,020
they made it available to people

35
00:01:35,020 --> 00:01:37,200
who should not have had access to it.

36
00:01:37,200 --> 00:01:39,490
And so Amazon Macie is a service

37
00:01:39,490 --> 00:01:41,840
that can help us discover those kinds of things.

38
00:01:41,840 --> 00:01:45,300
Perhaps we inadvertently made a misconfiguration

39
00:01:45,300 --> 00:01:49,410
in our policies that allowed sensitive information

40
00:01:49,410 --> 00:01:51,960
to be accessed by unauthorized parties.

41
00:01:51,960 --> 00:01:56,960
And so again, Amazon Macie is an ideal service to turn on,

42
00:01:57,320 --> 00:02:01,770
to inform us as to whether or not we do have

43
00:02:01,770 --> 00:02:06,370
sensitive information that's being accessed inappropriately.

44
00:02:06,370 --> 00:02:10,660
And so Amazon Macie can again proactively alert us

45
00:02:10,660 --> 00:02:12,660
to suspicious activity

46
00:02:12,660 --> 00:02:15,100
and it's worth noting that,

47
00:02:15,100 --> 00:02:18,010
as of the time of this video recording,

48
00:02:18,010 --> 00:02:21,500
Amazon Macie currently supports Amazon S3.

49
00:02:21,500 --> 00:02:25,085
But according to Amazon's website and documentation,

50
00:02:25,085 --> 00:02:27,810
other data stores are being worked on,

51
00:02:27,810 --> 00:02:30,610
and so I do expect that Amazon Macie

52
00:02:30,610 --> 00:02:32,960
will support other data stores

53
00:02:32,960 --> 00:02:36,357
such as DynamoDB or Redshift or so on

54
00:02:36,357 --> 00:02:37,830
in the future.
55
00:02:37,830 --> 00:02:39,810
But as of the time of this video

56
00:02:39,810 --> 00:02:41,850
we don't have a date on that.

57
00:02:41,850 --> 00:02:45,760
Another thing worth noting about Amazon Macie is that

58
00:02:45,760 --> 00:02:49,840
it does leverage natural language processing.

59
00:02:49,840 --> 00:02:53,150
And it is currently optimized for English.

60
00:02:53,150 --> 00:02:55,490
It does support a number of languages

61
00:02:55,490 --> 00:02:57,360
but it's optimized for English,

62
00:02:57,360 --> 00:02:59,600
and so I also suspect

63
00:02:59,600 --> 00:03:02,670
that other languages will be optimized in the future.

64
00:03:02,670 --> 00:03:04,520
But again, as of the time of this video

65
00:03:04,520 --> 00:03:07,570
it's currently optimized only for English.

66
00:03:07,570 --> 00:03:10,880
Now with Amazon GuardDuty we have a fully managed

67
00:03:10,880 --> 00:03:12,850
threat detection service.

68
00:03:12,850 --> 00:03:16,940
GuardDuty will continuously monitor our environment

69
00:03:16,940 --> 00:03:21,320
for malicious or unauthorized behavior,

70
00:03:21,320 --> 00:03:22,153
such as

71
00:03:24,010 --> 00:03:25,360
attempts to gain access

72
00:03:25,360 --> 00:03:29,143
to the API using credentials, compromised credentials,

73
00:03:29,143 --> 00:03:33,860
or gaining access to EC2 instances over the network.

74
00:03:33,860 --> 00:03:35,860
And so Amazon GuardDuty

75
00:03:35,860 --> 00:03:38,960
can automatically continuously analyze

76
00:03:38,960 --> 00:03:43,220
billions of events from a number of different sources,

77
00:03:43,220 --> 00:03:44,930
such as CloudTrail.

78
00:03:44,930 --> 00:03:46,810
Remember that CloudTrail is the service

79
00:03:46,810 --> 00:03:48,670
that records API calls.
80
00:03:48,670 --> 00:03:52,290
And so, if GuardDuty is seeing

81
00:03:52,290 --> 00:03:54,760
a number of API calls

82
00:03:54,760 --> 00:03:57,080
that are outside of a normal pattern,

83
00:03:57,080 --> 00:04:01,530
then that might indicate some type of malicious activity.

84
00:04:01,530 --> 00:04:02,814
It might see that

85
00:04:02,814 --> 00:04:06,670
certain credentials are being used

86
00:04:06,670 --> 00:04:10,030
for things that they are not normally used for.

87
00:04:10,030 --> 00:04:11,960
Or that a certain set of credentials

88
00:04:11,960 --> 00:04:14,703
are trying different things.

89
00:04:16,320 --> 00:04:19,180
One attack may be just to try different things

90
00:04:19,180 --> 00:04:21,840
to see what's gonna be found.

91
00:04:21,840 --> 00:04:26,143
So those kinds of patterns can be detected by GuardDuty.

92
00:04:27,990 --> 00:04:32,090
GuardDuty can also analyze VPC flow logs.

93
00:04:32,090 --> 00:04:36,210
VPC flow logs are logs that record metadata

94
00:04:36,210 --> 00:04:39,300
about network traffic flowing through our VPCs.

95
00:04:39,300 --> 00:04:42,660
And so VPC flow logs will contain things like

96
00:04:42,660 --> 00:04:46,060
source and destination IPs and ports.

97
00:04:46,060 --> 00:04:49,580
It will contain the protocol,

98
00:04:49,580 --> 00:04:52,720
whether it's TCP or UDP, things like that.

99
00:04:52,720 --> 00:04:55,998
So GuardDuty can look at VPC flow logs

100
00:04:55,998 --> 00:04:58,457
to try to identify

101
00:04:58,457 --> 00:05:00,210
some type of malicious

102
00:05:00,210 --> 00:05:03,700
or unauthorized network traffic.

103
00:05:03,700 --> 00:05:06,580
GuardDuty will also look at DNS logs.
104
00:05:06,580 --> 00:05:09,660
And so we can look at DNS logs from Route 53

105
00:05:09,660 --> 00:05:12,890
to determine, to see if perhaps someone is trying

106
00:05:12,890 --> 00:05:17,890
to find subdomains that they shouldn't be accessing,

107
00:05:17,970 --> 00:05:20,060
just as one example.

108
00:05:20,060 --> 00:05:23,930
And so Amazon GuardDuty can aggregate

109
00:05:23,930 --> 00:05:27,730
this kind of threat detection across multiple accounts.

110
00:05:27,730 --> 00:05:29,720
We don't necessarily have to turn this on

111
00:05:29,720 --> 00:05:30,580
for every account.

112
00:05:30,580 --> 00:05:32,480
We can turn it on for our organization

113
00:05:32,480 --> 00:05:35,403
and GuardDuty can look at all of our accounts.

114
00:05:36,480 --> 00:05:38,360
Another nice thing about GuardDuty is that

115
00:05:38,360 --> 00:05:40,460
there is no software to install.

116
00:05:40,460 --> 00:05:42,690
There's no agent that needs to be put in place.

117
00:05:42,690 --> 00:05:44,830
There are no servers that need to be running.

118
00:05:44,830 --> 00:05:47,843
We simply turn GuardDuty on as a service.

119
00:05:48,770 --> 00:05:52,110
GuardDuty can also trigger AWS Lambda.

120
00:05:52,110 --> 00:05:54,680
So if GuardDuty finds something

121
00:05:54,680 --> 00:05:57,606
and it alerts us as to something going on,

122
00:05:57,606 --> 00:06:01,770
we can also use that alert to trigger Lambda

123
00:06:01,770 --> 00:06:03,245
and we can pass metadata

124
00:06:03,245 --> 00:06:06,490
about that particular incident to Lambda.

125
00:06:06,490 --> 00:06:10,430
And then we can use that to programmatically mitigate

126
00:06:10,430 --> 00:06:12,050
that particular incident.

127
00:06:12,050 --> 00:06:14,450
Perhaps GuardDuty found something in the network

128
00:06:14,450 --> 00:06:17,310
that suggested an EC2 instance is compromised.
129
00:06:17,310 --> 00:06:18,293
And so,

130
00:06:19,940 --> 00:06:20,860
as an example,

131
00:06:20,860 --> 00:06:23,920
we could use that event to trigger Lambda

132
00:06:23,920 --> 00:06:26,660
and Lambda could then perhaps

133
00:06:26,660 --> 00:06:28,850
either remove that EC2 instance

134
00:06:28,850 --> 00:06:31,570
or contain that instance on the network

135
00:06:31,570 --> 00:06:33,510
by removing security groups

136
00:06:33,510 --> 00:06:35,723
so that it is no longer accessible.

137
00:06:37,350 --> 00:06:41,130
Now finally moving on to Amazon Inspector.

138
00:06:41,130 --> 00:06:45,109
We have another automated security assessment service

139
00:06:45,109 --> 00:06:50,109
that automatically scans applications for vulnerabilities.

140
00:06:50,330 --> 00:06:54,800
And so if we have applications that are deployed to AWS,

141
00:06:54,800 --> 00:06:58,480
especially those that are deployed directly to EC2,

142
00:06:58,480 --> 00:07:00,760
then Amazon Inspector

143
00:07:00,760 --> 00:07:04,360
is an agent-based, API-driven service.

144
00:07:04,360 --> 00:07:07,210
We do require an agent

145
00:07:07,210 --> 00:07:09,310
running on the EC2 instance,

146
00:07:09,310 --> 00:07:11,850
and that agent can regularly scan

147
00:07:13,330 --> 00:07:15,630
software that's installed on that instance

148
00:07:15,630 --> 00:07:17,100
and compare that software

149
00:07:17,100 --> 00:07:20,220
and compare the configuration of that instance

150
00:07:20,220 --> 00:07:25,220
against databases of known vulnerabilities.

151
00:07:25,270 --> 00:07:28,793
And so, when those assessments occur,

152
00:07:30,090 --> 00:07:34,200
Amazon Inspector can give us a detailed list of findings.

153
00:07:34,200 --> 00:07:35,819
It can show us that perhaps

154
00:07:35,819 --> 00:07:40,250
we are leveraging a library that is known to have

155
00:07:40,250 --> 00:07:42,310
some type of a vulnerability.

156
00:07:42,310 --> 00:07:45,220
And it will also prioritize those.
157
00:07:45,220 --> 00:07:46,420
Some could be critical.

158
00:07:46,420 --> 00:07:48,340
Some could be high or medium.

159
00:07:48,340 --> 00:07:49,180
And so on.

160
00:07:49,180 --> 00:07:51,830
And so we get a dashboard of all of those findings

161
00:07:51,830 --> 00:07:54,830
and from there we can go and mitigate those.

162
00:07:54,830 --> 00:07:57,754
Perhaps that would mean that we need to

163
00:07:57,754 --> 00:07:59,700
simply make a patch

164
00:07:59,700 --> 00:08:02,523
to OpenSSL or something like that.

165
00:08:03,370 --> 00:08:05,710
And so, because it is automated,

166
00:08:05,710 --> 00:08:06,545
because it is

167
00:08:06,545 --> 00:08:10,170
running right there alongside our applications,

168
00:08:10,170 --> 00:08:12,200
we can essentially build that

169
00:08:12,200 --> 00:08:14,274
into existing DevOps processes.

170
00:08:14,274 --> 00:08:18,510
So perhaps, not only are we looking to improve

171
00:08:19,520 --> 00:08:22,480
features and performance of our application,

172
00:08:22,480 --> 00:08:24,500
but we're also looking to improve security.

173
00:08:24,500 --> 00:08:29,220
So perhaps we take findings of Amazon Inspector

174
00:08:29,220 --> 00:08:32,800
and we add those requirements to our sprints,

175
00:08:32,800 --> 00:08:35,128
so that the next release of that software

176
00:08:35,128 --> 00:08:37,850
would include patches and updates

177
00:08:37,850 --> 00:08:42,000
to existing or dependent libraries.

178
00:08:42,000 --> 00:08:44,810
And so again, we can use Amazon Inspector

179
00:08:44,810 --> 00:08:47,370
to enforce security standards.

180
00:08:47,370 --> 00:08:48,623
Now keep in mind that

181
00:08:48,623 --> 00:08:50,797
many of these kinds of services

182
00:08:50,797 --> 00:08:52,920
include free trials.
183
00:08:52,920 --> 00:08:55,250
Some of them include,

184
00:08:55,250 --> 00:08:56,280
or require

185
00:08:57,650 --> 00:08:58,580
subscriptions,

186
00:08:58,580 --> 00:09:00,250
others are pay-as-you-go,

187
00:09:00,250 --> 00:09:02,700
according to what's actually being done.

188
00:09:02,700 --> 00:09:05,034
So I will refer you to the Amazon website

189
00:09:05,034 --> 00:09:09,690
to get details about the pricing because that changes.

190
00:09:09,690 --> 00:09:11,290
By the time this video was published

191
00:09:11,290 --> 00:09:13,000
it could be very different.

192
00:09:13,000 --> 00:09:15,690
So as you can see throughout this module

193
00:09:15,690 --> 00:09:18,510
we've talked about a number of

194
00:09:18,510 --> 00:09:20,487
really powerful security features

195
00:09:20,487 --> 00:09:23,800
that can help us keep our Amazon accounts

196
00:09:23,800 --> 00:09:27,143
and applications and infrastructures highly secure.