Security Operations and Threat Protection

Article 10 of 12 in the Cloud Landing Zone Series

Introduction

Working on cloud security operations has taught me that threat detection and automated response capabilities are essential for protecting cloud infrastructure.

Analyzing security incidents where threats went undetected revealed common gaps:

Security services like GuardDuty not enabled across all accounts
No centralized view of security findings
Missing alerting on suspicious activities
No security operations team monitoring cloud events
Lack of automated response to known threat patterns

These gaps allow threats to persist undetected, whether from compromised credentials, cryptocurrency mining, data exfiltration, or other attacks.

The difference between detecting threats immediately versus weeks or months later is having proper security operations capabilities built into the landing zone.

This article shares the threat detection and response patterns I've implemented - covering GuardDuty multi-account setup, Security Hub centralization, automated incident response, vulnerability management, and building a comprehensive security operations capability.

AWS Security Services Integration

GuardDuty Multi-Account Setup

# GuardDuty Master Account (Security Account)
resource "aws_guardduty_detector" "master" {
  enable = true
  
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# Automatically invite all organization accounts
resource "aws_guardduty_organization_admin_account" "master" {
  admin_account_id = var.security_account_id
}

resource "aws_guardduty_organization_configuration" "main" {
  detector_id = aws_guardduty_detector.master.id
  auto_enable = true
  
  datasources {
    s3_logs {
      auto_enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# EventBridge rule: Forward GuardDuty findings to Security Hub
resource "aws_cloudwatch_event_rule" "guardduty_findings" {
  name        = "guardduty-findings"
  description = "Capture all GuardDuty findings"
  
  event_pattern = jsonencode({
    source      = ["aws.guardduty"]
    detail-type = ["GuardDuty Finding"]
  })
}

resource "aws_cloudwatch_event_target" "guardduty_to_securityhub" {
  rule      = aws_cloudwatch_event_rule.guardduty_findings.name
  target_id = "SendToSecurityHub"
  arn       = "arn:aws:securityhub:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:hub/default"
}

# High-severity findings trigger immediate response
resource "aws_cloudwatch_event_target" "guardduty_high_severity" {
  rule      = aws_cloudwatch_event_rule.guardduty_findings.name
  target_id = "HighSeverityResponse"
  arn       = aws_lambda_function.incident_response.arn
  
  input_transformer {
    input_paths = {
      severity = "$.detail.severity"
      finding  = "$.detail.type"
      resource = "$.detail.resource"
    }
    
    input_template = jsonencode({
      severity = "<severity>"
      finding  = "<finding>"
      resource = "<resource>"
    })
  }
}

Security Hub Centralization

# Enable Security Hub in master account
resource "aws_securityhub_account" "master" {}

# Aggregate findings from all regions
resource "aws_securityhub_finding_aggregator" "master" {
  linking_mode = "ALL_REGIONS"
}

# Enable compliance standards
resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
}

resource "aws_securityhub_standards_subscription" "pci_dss" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
}

resource "aws_securityhub_standards_subscription" "aws_foundational" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

# Custom insight: Critical and High severity findings
resource "aws_securityhub_insight" "critical_high_findings" {
  filters {
    severity_label {
      comparison = "EQUALS"
      value      = "CRITICAL"
    }
  }
  
  filters {
    severity_label {
      comparison = "EQUALS"
      value      = "HIGH"
    }
  }
  
  filters {
    workflow_status {
      comparison = "EQUALS"
      value      = "NEW"
    }
  }
  
  group_by_attribute = "ResourceType"
  
  name = "Critical and High Severity Active Findings"
}

Automated Incident Response

Lambda Function: Automated Response

# lambda/incident_response.py
import boto3
import json
import os
from datetime import datetime

iam = boto3.client('iam')
ec2 = boto3.client('ec2')
sns = boto3.client('sns')
s3 = boto3.client('s3')

def handler(event, context):
    """
    Automated incident response based on GuardDuty findings
    """
    
    finding = event['detail']
    finding_type = finding['type']
    severity = finding['severity']
    resource = finding['resource']
    
    print(f"Processing finding: {finding_type} (Severity: {severity})")
    
    # Route to appropriate response handler
    if 'UnauthorizedAccess:IAMUser' in finding_type:
        handle_compromised_iam_user(finding)
    
    elif 'CryptoCurrency:EC2' in finding_type:
        handle_crypto_mining(finding)
    
    elif 'Recon:IAMUser/MaliciousIPCaller' in finding_type:
        handle_malicious_ip(finding)
    
    elif 'UnauthorizedAccess:EC2' in finding_type:
        handle_compromised_instance(finding)
    
    elif 'Exfiltration:S3' in finding_type:
        handle_data_exfiltration(finding)
    
    # Always create incident ticket and notify SOC
    create_incident_ticket(finding)
    notify_soc(finding)
    
    return {'statusCode': 200}

def handle_compromised_iam_user(finding):
    """Response to compromised IAM credentials"""
    
    user_name = finding['resource']['accessKeyDetails']['userName']
    access_key_id = finding['resource']['accessKeyDetails']['accessKeyId']
    
    print(f"RESPONSE: Compromised IAM user detected: {user_name}")
    
    # 1. Disable access key immediately
    iam.update_access_key(
        UserName=user_name,
        AccessKeyId=access_key_id,
        Status='Inactive'
    )
    print(f"✓ Disabled access key: {access_key_id}")
    
    # 2. Attach explicit deny policy
    deny_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*"
        }]
    }
    
    iam.put_user_policy(
        UserName=user_name,
        PolicyName='IncidentResponseDenyAll',
        PolicyDocument=json.dumps(deny_policy)
    )
    print(f"✓ Attached deny-all policy to user: {user_name}")
    
    # 3. Force password reset
    try:
        iam.update_login_profile(
            UserName=user_name,
            PasswordResetRequired=True
        )
        print(f"✓ Forced password reset for: {user_name}")
    except:
        pass  # User might not have console access
    
    # 4. Log all actions to forensics bucket
    log_incident_action({
        'timestamp': datetime.utcnow().isoformat(),
        'finding_type': 'CompromisedIAMUser',
        'user_name': user_name,
        'access_key_id': access_key_id,
        'actions_taken': [
            'Disabled access key',
            'Attached deny-all policy',
            'Forced password reset'
        ]
    })

def handle_crypto_mining(finding):
    """Response to cryptocurrency mining activity"""
    
    instance_id = finding['resource']['instanceDetails']['instanceId']
    
    print(f"RESPONSE: Crypto mining detected on instance: {instance_id}")
    
    # 1. Create snapshot for forensics
    volumes = ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in volumes['Reservations']:
        for instance in reservation['Instances']:
            for volume in instance.get('BlockDeviceMappings', []):
                volume_id = volume['Ebs']['VolumeId']
                
                snapshot = ec2.create_snapshot(
                    VolumeId=volume_id,
                    Description=f'Forensic snapshot - crypto mining incident {instance_id}',
                    TagSpecifications=[{
                        'ResourceType': 'snapshot',
                        'Tags': [
                            {'Key': 'IncidentType', 'Value': 'CryptoMining'},
                            {'Key': 'InstanceId', 'Value': instance_id},
                            {'Key': 'Timestamp', 'Value': datetime.utcnow().isoformat()}
                        ]
                    }]
                )
                print(f"✓ Created forensic snapshot: {snapshot['SnapshotId']}")
    
    # 2. Isolate instance (remove from security groups, attach to isolated SG)
    isolated_sg = get_or_create_isolated_security_group()
    
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolated_sg]
    )
    print(f"✓ Isolated instance {instance_id} (attached to isolated SG)")
    
    # 3. Stop instance
    ec2.stop_instances(InstanceIds=[instance_id])
    print(f"✓ Stopped instance: {instance_id}")
    
    # 4. Log incident
    log_incident_action({
        'timestamp': datetime.utcnow().isoformat(),
        'finding_type': 'CryptoMining',
        'instance_id': instance_id,
        'actions_taken': [
            'Created forensic snapshots',
            'Isolated instance',
            'Stopped instance'
        ]
    })

def handle_data_exfiltration(finding):
    """Response to potential data exfiltration from S3"""
    
    bucket_name = finding['resource']['s3BucketDetails'][0]['name']
    
    print(f"RESPONSE: Data exfiltration detected from bucket: {bucket_name}")
    
    # 1. Block all public access
    s3.put_public_access_block(
        Bucket=bucket_name,
        PublicAccessBlockConfiguration={
            'BlockPublicAcls': True,
            'IgnorePublicAcls': True,
            'BlockPublicPolicy': True,
            'RestrictPublicBuckets': True
        }
    )
    print(f"✓ Blocked public access to bucket: {bucket_name}")
    
    # 2. Enable MFA Delete
    s3.put_bucket_versioning(
        Bucket=bucket_name,
        VersioningConfiguration={
            'MFADelete': 'Enabled',
            'Status': 'Enabled'
        },
        MFA=os.environ['MFA_DEVICE_SERIAL']  # Requires MFA
    )
    print(f"✓ Enabled MFA Delete for bucket: {bucket_name}")
    
    # 3. Log incident
    log_incident_action({
        'timestamp': datetime.utcnow().isoformat(),
        'finding_type': 'DataExfiltration',
        'bucket_name': bucket_name,
        'actions_taken': [
            'Blocked public access',
            'Enabled MFA Delete',
            'Created incident ticket'
        ]
    })

def get_or_create_isolated_security_group():
    """Get or create security group for isolating compromised instances"""
    
    sg_name = 'incident-response-isolated'
    
    try:
        response = ec2.describe_security_groups(
            Filters=[{'Name': 'group-name', 'Values': [sg_name]}]
        )
        return response['SecurityGroups'][0]['GroupId']
    except:
        # Create isolated SG (no ingress, no egress)
        sg = ec2.create_security_group(
            GroupName=sg_name,
            Description='Isolated security group for compromised instances',
            VpcId=os.environ['DEFAULT_VPC_ID']
        )
        
        # Remove default egress rule
        ec2.revoke_security_group_egress(
            GroupId=sg['GroupId'],
            IpPermissions=[{
                'IpProtocol': '-1',
                'IpRanges': [{'CidrIp': '0.0.0.0/0'}]
            }]
        )
        
        return sg['GroupId']

def create_incident_ticket(finding):
    """Create incident ticket in ticketing system"""
    # Integration with ServiceNow, Jira, etc.
    pass

def notify_soc(finding):
    """Notify SOC team via PagerDuty/Slack"""
    
    severity = finding['severity']
    finding_type = finding['type']
    
    # High/Critical severity: PagerDuty
    if severity >= 7:
        trigger_pagerduty_incident(finding)
    
    # All findings: Slack notification
    send_slack_alert(finding)

def trigger_pagerduty_incident(finding):
    """Trigger PagerDuty incident for high-severity findings"""
    # PagerDuty API integration
    pass

def send_slack_alert(finding):
    """Send Slack alert to #security-alerts channel"""
    # Slack webhook integration
    pass

def log_incident_action(action):
    """Log all incident response actions to forensics bucket"""
    
    s3.put_object(
        Bucket=os.environ['FORENSICS_BUCKET'],
        Key=f"incident-actions/{datetime.utcnow().date()}/{datetime.utcnow().isoformat()}.json",
        Body=json.dumps(action, indent=2),
        ServerSideEncryption='aws:kms',
        SSEKMSKeyId=os.environ['FORENSICS_KMS_KEY']
    )

Azure Security Services

Azure Defender Integration

# Enable Azure Defender for all resource types
resource "azurerm_security_center_subscription_pricing" "vms" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

resource "azurerm_security_center_subscription_pricing" "storage" {
  tier          = "Standard"
  resource_type = "StorageAccounts"
}

resource "azurerm_security_center_subscription_pricing" "sql" {
  tier          = "Standard"
  resource_type = "SqlServers"
}

resource "azurerm_security_center_subscription_pricing" "kubernetes" {
  tier          = "Standard"
  resource_type = "KubernetesService"
}

resource "azurerm_security_center_subscription_pricing" "containers" {
  tier          = "Standard"
  resource_type = "ContainerRegistry"
}

resource "azurerm_security_center_subscription_pricing" "keyvault" {
  tier          = "Standard"
  resource_type = "KeyVaults"
}

# Security contacts
resource "azurerm_security_center_contact" "main" {
  email = "[email protected]"
  phone = "+1-555-0100"
  
  alert_notifications = true
  alerts_to_admins    = true
}

# Auto-provisioning of agents
resource "azurerm_security_center_auto_provisioning" "main" {
  auto_provision = "On"
}

Vulnerability Management

AWS Inspector Integration

# Enable Inspector for EC2 and ECR scanning
resource "aws_inspector2_enabler" "main" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR"]
}

# EventBridge rule: Alert on critical vulnerabilities
resource "aws_cloudwatch_event_rule" "inspector_critical" {
  name        = "inspector-critical-vulnerabilities"
  description = "Alert on critical Inspector findings"
  
  event_pattern = jsonencode({
    source      = ["aws.inspector2"]
    detail-type = ["Inspector2 Finding"]
    detail = {
      severity = ["CRITICAL"]
    }
  })
}

resource "aws_cloudwatch_event_target" "inspector_to_sns" {
  rule      = aws_cloudwatch_event_rule.inspector_critical.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.security_alerts.arn
}

Container Vulnerability Scanning

# ECR: Scan on push
resource "aws_ecr_repository" "app" {
  name                 = "app"
  image_tag_mutability = "IMMUTABLE"
  
  image_scanning_configuration {
    scan_on_push = true
  }
  
  encryption_configuration {
    encryption_type = "KMS"
    kms_key         = aws_kms_key.ecr.arn
  }
}

# Prevent deployment of images with critical vulnerabilities
resource "aws_ecr_lifecycle_policy" "app" {
  repository = aws_ecr_repository.app.name
  
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "Delete images with critical vulnerabilities after 7 days"
      selection = {
        tagStatus   = "any"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 7
      }
      action = {
        type = "expire"
      }
    }]
  })
}

Threat Intelligence Integration

Feed Security Alerts into SIEM

# lambda/threat_intel_enrichment.py
import boto3
import requests
import json

def handler(event, context):
    """Enrich security findings with threat intelligence"""
    
    finding = event['detail']
    
    # Extract IOCs (Indicators of Compromise)
    iocs = extract_iocs(finding)
    
    # Query threat intel sources
    virustotal_results = check_virustotal(iocs)
    alienvault_results = check_alienvault(iocs)
    
    # Enrich finding with threat intel
    enriched_finding = {
        **finding,
        'threatIntel': {
            'virustotal': virustotal_results,
            'alienvault': alienvault_results,
            'risk_score': calculate_risk_score(virustotal_results, alienvault_results)
        }
    }
    
    # Forward to SIEM
    forward_to_siem(enriched_finding)
    
    return {'statusCode': 200}

def extract_iocs(finding):
    """Extract IP addresses, domains, file hashes from finding"""
    
    iocs = {
        'ips': [],
        'domains': [],
        'file_hashes': []
    }
    
    # Extract from finding details
    if 'remoteIpDetails' in finding.get('resource', {}):
        iocs['ips'].append(finding['resource']['remoteIpDetails']['ipAddressV4'])
    
    return iocs

def check_virustotal(iocs):
    """Query VirusTotal API for IOC reputation"""
    
    api_key = os.environ['VIRUSTOTAL_API_KEY']
    results = {}
    
    for ip in iocs['ips']:
        response = requests.get(
            f'https://www.virustotal.com/api/v3/ip_addresses/{ip}',
            headers={'x-apikey': api_key}
        )
        results[ip] = response.json()
    
    return results

def check_alienvault(iocs):
    """Query AlienVault OTX for threat intelligence"""
    # AlienVault OTX API integration
    pass

def calculate_risk_score(virustotal, alienvault):
    """Calculate overall risk score based on threat intel"""
    # Risk scoring logic
    pass

What I Learned

Lesson 1: Prevention is Good, Detection is Essential

You can't prevent every attack. Detection + rapid response is critical.

Action: Enable GuardDuty, Security Hub, Azure Defender in all accounts/subscriptions.

Lesson 2: Automation Prevents Human Delay

Manual incident response = hours/days delay. Automated = seconds.

Action: Lambda functions for automated response to common threats (disable credentials, isolate instances).

Lesson 3: Centralized Visibility Enables Correlation

Siloed security findings = missed attack patterns.

Action: Security Hub aggregation, SIEM integration, centralized dashboards.

Lesson 4: High Severity Requires Immediate Escalation

Critical findings sitting in queue = breach.

Action: PagerDuty integration for high-severity findings, 24/7 SOC monitoring.

Lesson 5: Forensics Require Immutable Evidence

Attackers delete logs and destroy evidence if they can.

Action: Forensic snapshots, immutable log storage, automated evidence collection.

Next: Migration and Workload Onboarding - Application discovery, migration planning, cutover strategies, brownfield landing zone adoption.

PreviousMulti-Environment Management NextMigration and Workload Onboarding

Last updated 1 month ago

hashtagIntroduction

hashtagAWS Security Services Integration

hashtagGuardDuty Multi-Account Setup

hashtagSecurity Hub Centralization

hashtagAutomated Incident Response

hashtagLambda Function: Automated Response

hashtagAzure Security Services

hashtagAzure Defender Integration

hashtagVulnerability Management

hashtagAWS Inspector Integration

hashtagContainer Vulnerability Scanning

hashtagThreat Intelligence Integration

hashtagFeed Security Alerts into SIEM

hashtagWhat I Learned

hashtagLesson 1: Prevention is Good, Detection is Essential

hashtagLesson 2: Automation Prevents Human Delay

hashtagLesson 3: Centralized Visibility Enables Correlation

hashtagLesson 4: High Severity Requires Immediate Escalation

hashtagLesson 5: Forensics Require Immutable Evidence