AWS DevOps Pro Certification Blog Post Series: Incident and Event Response

Jun 06, 2019 - Reading time: 7 minutes.

This is part of the blog post series: AWS DevOps Pro Certification

What does the exam guide say?

To pass this domain, you'll need to know the following:

Troubleshoot issues and determine how to restore operations
Determine how to automate event management and alerting
Apply concepts required to implement automated healing
Apply concepts required to set up event-driven automated actions

This domain is 18% of the overall mark for the exam.

What whitepapers are relevant?

According to the AWS Whitepapers for Security and Compliance we should look at the following documents:

Other whitepapers as recommended by product pages:

What services and products covered in this domain?

Amazon GuardDuty - thread detection
Amazon Inspector - best practice in security
Amazon Kinesis has separate pages for each sub-product
- Kinesis Video Streams allows you to securely stream video from connected devices for analytics, machine learning and other forms of processing.
- Kinesis Data Streams is scalable and durable real-time data stream service
- Kinesis Data Firehose allows you to capture, transform and load data streams into AWS data stores (S3, ) whilst allowing you to perform near real-time analytics with existing Business Intelligence tools
- Kinesis Data Analytics is the next tier up when you've outgrown CloudWatch for analytics. Allowing you to process data streams in real time using SQL or Java.

What about other types of documentation?

If you have the time, by all means, read the User Guides, but they are usually a couple of hundred pages.

Alternatively, get familiar with the services using the FAQs:

You're all expected to know the APIs

Before you panic, you'll start to spot a pattern with the API verbs.

And the CLI commands

Amazon GuardDuty
Amazon Inspector
Amazon Kinesis
- Kinesis Video Streams has 3 different subcommands: kinesis-video-archived-media, kinesis-video-media, kinesisvideo
- Kinesis Data Streams has no CLI subcommands
- Kinesis Data Firehose has no CLI subcommands
- Kinesis Data Analytics

As with the API, there are patterns to the commands.

Please put down your weapon. You have 20 seconds to comply.

Quote: ED-209, Robocop (1987)

This is another domain, that probably requires awareness of the products rather than actual use (especially in the case of the Kinesis suite). As we'll see Amazon GuardDuty and Amazon Inspector do have an immediate use for small to medium-sized business if you don't have an Information Security function in your company.

As the title of this section suggests, this is domain focussed on how to responding to incidents and events. Incidents are usually around a security context. whereas events are often related to a data stream.

I'll be covering all the products in this domain within this post since it's a relatively small domain with very little opportunities to provide practical hands-on experience using the AWS CLI.

What?

Amazon GuardDuty is a threat detection service that analyses meta-data generated by your account and network activity found in AWS CloudTrail Events, Amazon VPC Flow Log, and DNS Logs. It can detect:

Reconnaissance - port scanning, login failures, unusual API activity and access from a known bad IP.
Instance compromise - malware, outbound denial of service activity, unusually high volumes of traffic, activity from a known bad IP, data exfiltration via DNS
Account compromise - attempt to disable AWS CloudTrail logging, unusual instance or infrastructure launches (think: GPU instance types for cryptocurrency mining), resources being spun up in regions outside of normal use, activity from a known bad IP.
Data retention for a GuardDuty-generated finding is 90 days.

Amazon Inspector is another automated security assessment service just like GuardDuty, but instead of identifying issues with your account or network activity it primarily focusses on your EC2 instances. It has built-in rules (created and maintained by AWS security researchers) to check for access to your instances from the internet, remote root login being enabled, or vulnerable software versions installed.

Amazon Kinesis is a suite of products:

Kinesis Video Streams accepts video streams from devices and allow you to perform analytics, machine learning (Amazon Rekognition Video and Amazon SageMaker) and other forms of processing.
Kinesis Data Streams is a scalable and durable real-time data streaming service that can capture high volumes of data (gigabytes of data per second) from hundreds of thousands of sources. You can then take this data and process it using Kinesis Data Analytics, Spark or code running on an EC2 instance (API) or AWS Lambda.
Kinesis Data Firehose allows you to take your high volumes of streaming data and load them into data stores (S3, Amazon Redshift, Amazon Elasticsearch and a 3rd party tool called Splunk) for analytics.
Kinesis Data Analytics can take data streams from Kinesis Data Firehose and Kinesis Data Streams and perform queries against the data using SQL or Java.

Why?

Amazon GuardDuty provides a comprehensive threat detection service, whilst it does offer reporting through a dashboard, the response workflow does require more work i.e. you're expected to write the tooling (AWS Lambda) around the events (CloudWatch). This is probably why Amazon is touting partners who can help implement these workflows.

Amazon Inspector as with GuardDuty, you get an all-around security assessment tool for your EC2 instances.

The Amazon Kinesis suite provides managed services that can handle large amounts of data. Whilst you run your own Apache Kafka environment, you would need a large team to support it setup and on-going maintenance. Trivia: Amazon also provides a managed service for Apache Kafka called Amazon Managed Streaming for Apache Kafka. The key take away for why Kinesis exists is that it has specialist tooling for Video and High Volume Data streams. Because of tight integration into AWS data services Kinesis Data FireHose can load large volumes of data into their services with a minimal amount of configuration. Kinesis Data Analytics can be used to perform analytics against these data streams or when you've outgrown the likes of CloudWatch for log analysis. Finally, all of these products in this suite can be used together or separately, although Kinesis Data Analytics does require the source to come from Kinesis Data FireHouse or Kinesis Data Streams

When?

Amazon GuardDuty should be used when you don't want the overhead of managing your own threat detection and response system. To do this yourself you would need to use tools like Snort or Tripwire and maintain subscriptions to 3rd party threat intelligence sources like Proofpoint and CrowdStrike.

Amazon Inspector is a complementary tool to Amazon GuardDuty, so the chances are if you're using it (Amazon GuardDuty), you should be using Amazon Inspector.

Some of the use cases for Amazon Kinesis are:

Capturing live video streams of cars, identifying the license plates and then taking action.
Transform batch loading (and subsequent overnight reporting), into the real-time analysis.
Collecting telemetry data from a fleet Internet of Things devices and reacting to the data using other AWS services like AWS Lambda.

How?

Amazon GuardDuty provides a 30-day free trial, after that you charged by the volume of events (CloudTrail) and volume of data (Amazon VPC Flow Log and DNS log). The key things (also that form the navigation menu) you need to be aware of in the service page in the AWS Console are:

Findings are potential security issues discovered by GuardDuty.
Settings are where:
- permissions for the service are defined
- Set the interval that GuardDuty sends events to CloudWatch
- Preload GuardDuty with sample findings
- Suspend or disable GuardDuty
Lists are the list management page where you can upload a list of Trusted IPs or Threat Lists (malicious IP addresses). You can upload have a max of 6 Threat Lists per AWS account per region.
Accounts - to manage Master (admin) and Member (users) Accounts within the service
What's New - features announcement (you can also subscribe via SNS topic)
Free trial - how much time you have left

Amazon Inspector provides a 90 day free trial for the first 250 instance assessments. The key things to be aware of are:

Agents - can analyse your EC2 instances without the use of it's agent, but you will be only limited to Network Reachability rules.
Assessment target is a collection of EC2 instances group together using AWS tags.
Assessment template
Finding
Rule packages there are two categories: Network and Host assessments.
- Important: you can only run the Network assessment rule if you don't have the agent installed.
- Rules within these categories are
  - Network assessment
    - Network Reachability
  - Host assessment
    - Common Vulnerability and Exposures
    - Centre for Internet Security (CIS) Benchmarks
    - Security Best Practices for Amazon Inspector
    - Runtime Behaviour Analysis
Telemetry is data (behaviour, configuration, etc) collected by Amazon Inspector from the EC2 instance when an assessment is run.

Amazon Kinesis does require development to utilise the services. The examples provided require quite a bit of setup. It would be nice if you could pre-load the services with sample data much as you can with Amazon GuardDuty or Amazon Inspector.

AWS DevOps Pro Certification Blog Post Series

Intro
Domain 1: SDLC automation
Domain 2: Configuration Management and Infrastructure as Code
Domain 3: Monitoring and Logging
Domain 4: Policies and Standards Automation
Domain 5: Incident and Event Response
- Amazon GuardDuty
- Amazon Inspector
- Amazon Kinesis
  - Kinesis Video Streams
  - Kinesis Data Streams
  - Kinesis Data Firehose
  - Kinesis Data Analytics
Domain 6: High Availability, Fault Tolerance, and Disaster Recovery