

Detective Controls: AWS Security in Q4 2023 – Part 2

We hope the first post in our AWS security series offered useful insights into the latest AWS security feature and service releases, particularly in the IAM domain. Continuing the series, Part 2 focuses on the detective-control features AWS released in the last quarter.

AWS detective controls bring new capabilities and optimizations for organizations that want to secure their entire infrastructure. Together, these releases form a broad platform for end-to-end, auditable access to data and files, with many options to customize them to your security policies.

Amazon SNS supports AWS CloudTrail data events for API actions


Amazon Simple Notification Service (Amazon SNS) now supports AWS CloudTrail logging for the Publish and PublishBatch API actions. By logging these data events, you can see who made API calls to Amazon SNS and when. This improves data visibility for security and operations teams and supports governance, compliance, and operational auditing.

Amazon SNS is a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. The A2A pub/sub functionality provides topics for high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications. The A2P functionality enables you to send messages to users at scale via SMS, mobile push, and email.
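Once these data events are flowing, the first thing a security team usually wants is a quick answer to who published to which topic and which attempts failed. The following is an added example, not code from this page or from AWS: it parses a constructed CloudTrail log file, keeps only the SNS Publish and PublishBatch data events, and summarizes them. The advanced event selector at the top and the record field names are assumed from CloudTrail's general record format.

```python
"""Triage of Amazon SNS Publish / PublishBatch data events logged by CloudTrail.
Added example, not AWS code; the records below are constructed and trimmed to
the fields the triage uses."""
import json
from collections import Counter

SNS_DATA_EVENTS = {"Publish", "PublishBatch"}

# Advanced event selector that enables these data events on a trail.
# Assumption: the CloudTrail resource type for SNS topic data events is AWS::SNS::Topic.
SNS_DATA_EVENT_SELECTOR = {
    "Name": "SNS topic data events",
    "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::SNS::Topic"]},
    ],
}

ROLE = "arn:aws:sts::111122223333:assumed-role/OrderService/i-0abc"
USER = "arn:aws:iam::111122223333:user/alice"
ORDERS = "arn:aws:sns:us-east-1:111122223333:orders"
ALERTS = "arn:aws:sns:us-east-1:111122223333:alerts"


def rec(time, name, actor_type, actor, ip, params, category="Data", **extra):
    """Build a CloudTrail-style record (constructed; field names follow CloudTrail's
    general record format). Keyword extras add or override fields."""
    return {"eventTime": time, "eventSource": "sns.amazonaws.com", "eventName": name,
            "eventCategory": category, "sourceIPAddress": ip,
            "userIdentity": {"type": actor_type, "arn": actor},
            "requestParameters": params, **extra}


# Constructed log file: four SNS data events, one SNS management event, one S3 event.
SAMPLE_LOG = json.dumps({"Records": [
    rec("2023-12-01T10:00:01Z", "Publish", "AssumedRole", ROLE, "10.0.1.25", {"topicArn": ORDERS}),
    rec("2023-12-01T10:00:07Z", "Publish", "AssumedRole", ROLE, "10.0.1.25", {"topicArn": ORDERS}),
    rec("2023-12-01T10:02:30Z", "PublishBatch", "IAMUser", USER, "203.0.113.9",
        {"topicArn": ALERTS, "publishBatchRequestEntries": [{"id": "1"}, {"id": "2"}, {"id": "3"}]}),
    rec("2023-12-01T10:03:12Z", "Publish", "IAMUser", USER, "203.0.113.9", {"topicArn": ORDERS},
        errorCode="AuthorizationError"),
    rec("2023-12-01T09:55:00Z", "CreateTopic", "IAMUser", USER, "203.0.113.9",
        {"name": "alerts"}, category="Management"),
    rec("2023-12-01T10:04:00Z", "GetObject", "AssumedRole", ROLE, "10.0.1.25",
        {"bucketName": "example-bucket"}, eventSource="s3.amazonaws.com"),
]})


def sns_data_events(records):
    """Keep only SNS Publish/PublishBatch calls; management events and other
    services' data events are dropped."""
    return [r for r in records
            if r.get("eventSource") == "sns.amazonaws.com"
            and r.get("eventName") in SNS_DATA_EVENTS]


def message_count(record):
    """Publish carries one message; PublishBatch carries one per batch entry."""
    if record["eventName"] == "PublishBatch":
        return len(record.get("requestParameters", {}).get("publishBatchRequestEntries", []))
    return 1


def triage(log_text):
    """Who published to which topic, how many messages got through, and which
    attempts CloudTrail recorded as failed (an errorCode is present)."""
    records = json.loads(log_text)["Records"]
    calls_by_actor, calls_by_topic = Counter(), Counter()
    denied, messages = [], 0
    for r in sns_data_events(records):
        actor = r.get("userIdentity", {}).get("arn", "unknown")
        topic = r.get("requestParameters", {}).get("topicArn", "unknown")
        calls_by_actor[actor] += 1
        calls_by_topic[topic] += 1
        if r.get("errorCode"):
            denied.append({"time": r["eventTime"], "actor": actor, "topic": topic,
                           "source_ip": r.get("sourceIPAddress"), "error": r["errorCode"]})
        else:
            messages += message_count(r)
    return {"sns_calls": sum(calls_by_actor.values()),
            "calls_by_actor": dict(calls_by_actor),
            "calls_by_topic": dict(calls_by_topic),
            "messages_published": messages, "denied": denied}
```

Failed attempts show up because CloudTrail records a denied call with an errorCode; the denied list is the part of the summary worth alerting on.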

Amazon EventBridge announces support for wildcard filters in rules


Amazon EventBridge rules now support wildcard filters, which let you match any character or sequence of characters within a string in your event payload. Wildcards let you specify more precisely which events you want to consume from an EventBridge event bus, which opens new use cases and helps you optimize your event consumers.

Amazon EventBridge Event Bus is a serverless event router that enables you to create highly scalable event-driven applications by routing events between your applications, third-party SaaS applications, and other AWS services.

You can set up routing rules to determine where to send your events, allowing for application architectures that react to changes in your systems as they occur. Event Buses make it easier to build event-driven applications by facilitating event ingestion, delivery, security, authorization, and error handling. This allows every user to standardize their AWS detective controls.
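To make the wildcard semantics concrete, here is an added example (not EventBridge's own code) that models how a rule pattern containing a {"wildcard": ...} filter is evaluated against an event: a bare value means exact match, a pattern leaf is a list of alternatives, nested objects recurse, and * matches any run of characters. The rule pattern and events are constructed.

```python
"""Local model of EventBridge event-pattern matching with wildcard filters.
Added example, not EventBridge's own code; patterns and events are constructed."""
import re


def wildcard_to_regex(pattern):
    """Translate a wildcard filter into a regex: '*' matches any run of
    characters (including none); a backslash-escaped '\\*' is a literal '*'."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\*", i):
            parts.append(re.escape("*"))
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.DOTALL)


def value_matches(value, matcher):
    """One pattern alternative against one scalar event value: a bare scalar
    means exact equality, {"wildcard": ...} is the wildcard filter."""
    if isinstance(matcher, dict):
        if "wildcard" in matcher:
            return isinstance(value, str) and bool(
                wildcard_to_regex(matcher["wildcard"]).fullmatch(value))
        raise ValueError(f"unsupported matcher: {matcher}")
    return value == matcher


def leaf_matches(actual, alternatives):
    """A pattern leaf is a list of alternatives (OR). If the event value is
    itself a list, the leaf matches when any element matches any alternative."""
    candidates = actual if isinstance(actual, list) else [actual]
    return any(value_matches(c, alt) for c in candidates for alt in alternatives)


def matches(pattern, event):
    """Every key in the pattern must exist in the event and match; nested
    dicts recurse and lists are leaves. Keys absent from the pattern are ignored."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(spec, dict):
            if not isinstance(actual, dict) or not matches(spec, actual):
                return False
        elif isinstance(spec, list):
            if not leaf_matches(actual, spec):
                return False
        else:
            raise ValueError(f"pattern leaf for {key!r} must be a list")
    return True


# Constructed rule: only CloudTrail log deliveries under logs/<account>/cloudtrail/.
RULE_PATTERN = {
    "source": ["aws.s3"],
    "detail-type": ["Object Created"],
    "detail": {"object": {"key": [{"wildcard": "logs/*/cloudtrail/*.json.gz"}]}},
}

# Constructed events.
CLOUDTRAIL_DELIVERY = {"source": "aws.s3", "detail-type": "Object Created",
                       "detail": {"object": {"key": "logs/111122223333/cloudtrail/2023-12-01.json.gz"}}}
OTHER_OBJECT = {"source": "aws.s3", "detail-type": "Object Created",
                "detail": {"object": {"key": "logs/111122223333/cloudtrail/readme.txt"}}}
```

The same matcher shows why a narrow wildcard (a fixed prefix and suffix around each *) is the safer way to scope a rule than matching on a bare * value.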

Amazon OpenSearch Service now supports alerting and anomalies on dashboards


OpenSearch Service 2.9 lets customers manage and overlay alerts and anomalies on dashboard line-chart visualizations. Customers can create new alerting monitors and anomaly detectors, or associate existing ones, directly from dashboard line charts.

Previously, customers who used alerting or anomaly detection plugins had to move back and forth between dashboards and the plugins view. To reduce context switching between the plugins and dashboards, Amazon OpenSearch Service now allows customers to manage their alerts and anomalies without leaving their favorite dashboards.

AWS Control Tower releases 22 proactive controls and 12 AWS Security Hub Detective controls


Amazon has launched 22 new proactive controls and 10 AWS Security Hub detective controls in the AWS Control Tower controls library to help you meet regulatory requirements. These new controls are managed by AWS Control Tower and help you meet control objectives such as encrypting data in transit, encrypting data at rest, or using strong authentication.

Proactive controls block non-compliant resources before they are provisioned for services such as Amazon Athena, Amazon EMR, AWS Glue, Amazon DynamoDB Accelerator (DAX), and Amazon Neptune. The AWS Security Hub detective controls for services such as Amazon Neptune, Amazon Athena, and Amazon RDS help you detect non-compliant resources within your accounts.

This release increases the range of controls in the AWS Control Tower controls library with the addition of controls for services such as Amazon Athena, Amazon EMR, and Amazon Neptune.

Security analytics in OpenSearch Service now supports OCSF and custom logs


Security analytics in Amazon OpenSearch Service adds native support for Open Cybersecurity Schema Framework (OCSF) formatted data, and provides security detection rules for OCSF data ingested from Amazon Security Lake. Security analytics also supports ingesting virtually any custom log type and creating custom detection rules for it. The correlation engine helps reduce incident response time by analyzing and highlighting connections between potential security incidents.

Previously, customers had to map and convert OCSF data to another supported format to run security detection rules. Now, security analytics supports OCSF formatted data and includes the ability to run detection and correlation rules on this data.

Beyond the currently supported security event log sources, customers asked for support for custom application logs. By extending the security capabilities available for prepackaged log types to custom log types, customers get a comprehensive view of security events across their organization. Using the correlation engine, customers can detect relationships between logs generated from different sources, which helps reduce incident detection, analysis, and response times.

CloudWatch launches out-of-the-box alarm recommendations for AWS services


Amazon CloudWatch announces out-of-the-box, best-practice alarm recommendations for AWS service-vended metrics. It provides alarm recommendations and alarm configurations for key vended metrics, along with the ability to download pre-filled infrastructure-as-code templates for these alarms. You can also now see in-line descriptions for AWS service metrics across the AWS console, so you can quickly find metric details when troubleshooting or assessing system health.

At launch, 19 AWS services are supported, and AWS will continue to expand support to more services as part of its detective controls. You can now see all metrics with recommended alarms by applying an alarm recommendation toggle, and creating alarms is easier: the alarm wizard comes pre-filled with the recommended configuration.

Alternatively, you can bulk download the auto-generated infrastructure-as-code for recommended alarms, so you can easily add them to your templates to automate your monitoring provisioning.

AWS has added in-line metric information to the AWS-vended metrics displayed in the console. With this information you can see each metric's description, units, and meaningful statistics, which helps you understand its definition and how it applies to your services. Metric descriptions appear across the AWS console for supported AWS services.

AWS Config now supports 19 new resource types


AWS Config supports 19 more resource types for services including Amazon AppStream 2.0, AWS Batch, AWS CodeBuild, Amazon CodeGuru Profiler, AWS Cloud Map, Amazon Elastic Container Service (Amazon ECS), AWS Elemental MediaConnect, Amazon Inspector, AWS IoT, AWS IoT TwinMaker, AWS IoT Wireless, Amazon Managed Service for Prometheus, Amazon Managed Streaming for Apache Kafka (Amazon MSK), Amazon Personalize, Amazon Route 53 Resolver, Amazon SageMaker, and AWS Transfer Family.

With this launch, customers can now use AWS Config to monitor configuration data for the following newly supported resource types in all AWS Regions where the supported services are available:

  • CodeGuruProfiler::ProfilingGroup
  • MediaConnect::FlowSource
  • Transfer::Certificate
  • RuleGroupsNamespace
  • Batch::SchedulingPolicy
  • ServiceDiscovery::Instance
  • Route53Resolver::ResolverQueryLoggingConfig
  • Route53Resolver::ResolverQueryLoggingConfigAssociation
  • IoT::JobTemplate
  • TwinMaker::ComponentType
  • IoTWireless::MulticastGroup
  • Personalize::DatasetGroup
  • IoT::ProvisioningTemplate
  • IoTWireless::FuotaTask
  • MSK::BatchScramSecret
  • SageMaker::FeatureGroup
  • CodeBuild::ReportGroup
  • AppStream::Stack
  • InspectorV2::Filter

Amazon Security Lake is now available in four additional Regions


Amazon Security Lake is now also available in the Canada (Central), Europe (Paris), Europe (Stockholm), and Asia Pacific (Osaka) AWS Regions. You can now automatically centralize your security data from AWS environments, SaaS providers, on-premises environments, and cloud sources into a purpose-built data lake stored in your account.

Security Lake makes it easier to analyze security data and gain a more comprehensive understanding of security across your entire organization, so you can better protect your workloads, applications, and data. Security Lake automates the collection and management of your security data from multiple accounts and AWS Regions, so you can use your preferred analytics tools while retaining complete control and ownership over your security data.

Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources, giving your detective controls one consistent schema to work with.

AWS Config advanced queries support 41 new resource types

AWS Config supports 41 new resource types in advanced queries. Advanced queries is an AWS Config feature that lets you search your AWS resources' current configuration metadata and compliance state based on their configuration properties.

You can use AWS Config advanced queries to search the current configuration state of AWS resources in a single account and Region, or across accounts, AWS Regions, or an AWS Organization, including for the newly supported resource types.

Support for these new resource types in advanced queries is available to all AWS Config customers in every supported Region where the underlying resource type is available.

Newly supported resource types:

  • ACMPCA::CertificateAuthority
  • APS::RuleGroupsNamespace
  • Amplify::Branch
  • AppConfig::HostedConfigurationVersion
  • AppIntegrations::EventIntegration
  • VirtualRouter
  • AppRunner::Service
  • Athena::PreparedStatement
  • Batch::SchedulingPolicy
  • CodeGuruProfiler::ProfilingGroup
  • CustomerProfiles::ObjectType
  • EC2::CapacityReservation
  • ClientVpnEndpoint
  • EC2::IPAMScope
  • Evidently::Launch
  • Forecast::DatasetGroup
  • GreengrassV2::ComponentVersion
  • GroundStation::MissionProfile
  • Kendra::Index
  • KinesisVideo::Stream
  • Logs::Destination
  • MSK::Configuration
  • MediaConnect::FlowSource
  • MediaConnect::FlowVpcInterface
  • Tailor::PlaybackConfiguration
  • NetworkManager::CustomerGatewayAssociation
  • NetworkManager::LinkAssociation
  • Personalize::Dataset, Schema, Solution
  • Pinpoint::EmailChannel
  • Pinpoint::EventStream
  • ResilienceHub::App
  • Route53Resolver::ResolverQueryLoggingConfig
  • Route53Resolver::ResolverQueryLoggingConfigAssociation
  • S3::AccessPoint
  • ServiceDiscovery::Instance
  • Transfer::Certificate


AWS Trusted Advisor adds 64 new checks powered by AWS Config


AWS Trusted Advisor adds a new operational excellence check category and integrates with AWS Config to deliver 64 new best-practice checks across all categories. Trusted Advisor continuously evaluates your AWS environment using best-practice checks in the categories of cost optimization, performance, resilience, security, operational excellence, and service limits, and recommends actions to remediate any deviations from best practices.

The new best practice checks are powered by AWS Config managed rules. These rules are predefined, customizable rules used to evaluate the compliance state of your AWS resources.

The new operational excellence checks help you apply AWS best practices to operate your AWS environment effectively and at scale. You can use the recommendations from the new checks to support your AWS Well-Architected Framework Review and accelerate alignment with AWS best practices.

The new checks are available to AWS Business Support, AWS Enterprise On-Ramp Support, and AWS Enterprise Support customers. As a result, customers with these Support plans will automatically see recommendations powered by corresponding deployed AWS Config Managed Rules if AWS Config is enabled.

Amazon GuardDuty introduces a new machine learning capability to enhance threat detection controls for Amazon EKS


Amazon GuardDuty has incorporated new machine learning techniques to more accurately detect anomalous activities indicative of threats to your Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

This new capability continuously models Kubernetes audit log events from Amazon EKS to detect highly suspicious activity, such as unusual user access to Kubernetes secrets that can be used to escalate privileges, and suspicious container deployments with images not commonly used in the cluster or account. The new threat detections are available to all GuardDuty customers that have GuardDuty EKS Audit Log Monitoring enabled.

The new machine learning approach establishes normal behavior based on features such as pod or container configuration, autonomous system number (ASN), and user agent. This allows GuardDuty, as a detective control, to identify abnormal activity in your Amazon EKS clusters more accurately, including activity associated with known attack tactics such as discovery, credential access, privilege escalation, and execution.

Amazon CloudWatch Logs announces regular expression filter pattern support for Live Tail


Amazon CloudWatch Logs Live Tail filter pattern syntax now supports regular expressions, making it easier to search for and match relevant log events. Customers already use filter pattern syntax in metric filters and subscription filters; adding it to Live Tail further improves that experience.

With this launch, customers can tailor their filtering with flexible and powerful regular expressions within Live Tail filter patterns. For example, customers can now define one filter that matches multiple IP subnets or several HTTP status codes.

Filter patterns make up the syntax that Live Tail uses to match terms in log events similar to metric filters, subscription filters, and filtering log events. Terms can be words, exact phrases, or numeric values.
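A worked example of the kind of filter the paragraphs above describe, added here and not taken from the page or from AWS: it builds one regex covering several IP subnets and another covering 4xx/5xx status codes, wraps them in the %regex% delimiters that filter patterns use, and runs them over constructed access-log lines. Assumptions: the %regex% form documented for metric and subscription filter patterns also applies to Live Tail, and the matcher below is a local stand-in for the CloudWatch engine, not the service itself.

```python
"""Regex filter patterns of the kind CloudWatch Logs Live Tail now accepts.
Added example, not AWS code. The %regex% delimiter form documented for metric
and subscription filter patterns is assumed to apply to Live Tail; the matcher
here is a local stand-in run over constructed log lines."""
import ipaddress
import re

# One IPv4 octet, 0-255.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])"


def subnet_regex(cidrs):
    """One alternation matching any address in the given octet-aligned IPv4
    subnets (/8, /16 or /24). Other prefix lengths are rejected rather than
    silently widened."""
    alternatives = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.version != 4 or net.prefixlen not in (8, 16, 24):
            raise ValueError(f"only /8, /16 and /24 IPv4 subnets are supported: {cidr}")
        fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
        free = 4 - len(fixed)
        alternatives.append(r"\.".join(fixed) + (r"\." + OCTET) * free)
    # Lookarounds stop 10.0.1.5 from matching inside 110.0.1.55 or 10.0.1.55.
    return r"(?<![0-9.])(?:" + "|".join(alternatives) + r")(?![0-9.])"


def status_regex(classes=("4", "5")):
    """Match a Common Log Format status code whose first digit is in `classes`,
    anchored on the closing quote of the request field."""
    return r'" (?:' + "|".join(classes) + r")[0-9]{2} "


def to_filter_pattern(regex):
    """Wrap a regex in the %...% delimiters filter patterns use."""
    if "%" in regex:
        raise ValueError("a % inside the regex would end the pattern early")
    return f"%{regex}%"


def apply_filter_pattern(pattern, lines):
    """Local stand-in for the filter engine: keep the lines the regex matches."""
    if not (pattern.startswith("%") and pattern.endswith("%") and len(pattern) > 2):
        raise ValueError("expected a %regex% pattern")
    rx = re.compile(pattern[1:-1])
    return [line for line in lines if rx.search(line)]


# Constructed access-log lines (Common Log Format).
LOG_LINES = [
    '10.0.1.25 - - [01/Dec/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.2.7 - - [01/Dec/2023:10:00:02 +0000] "GET /admin HTTP/1.1" 403 128',
    '192.168.5.200 - - [01/Dec/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 64',
    '203.0.113.9 - - [01/Dec/2023:10:00:04 +0000] "GET /api/items HTTP/1.1" 500 32',
    '10.0.1.250 - - [01/Dec/2023:10:00:05 +0000] "GET /report HTTP/1.1" 404 16',
]

# One filter for two subnets, one for all 4xx/5xx responses, and both combined.
SUBNET_FILTER = to_filter_pattern(subnet_regex(["10.0.1.0/24", "192.168.5.0/24"]))
ERROR_FILTER = to_filter_pattern(status_regex())
COMBINED_FILTER = to_filter_pattern(
    subnet_regex(["10.0.1.0/24", "192.168.5.0/24"]) + ".*" + status_regex())
```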

AWS Audit Manager launches its first GRC integration with MetricStream


AWS Audit Manager has integrated with MetricStream, an AWS Partner and Governance, Risk, and Compliance (GRC) solution provider. This integration lets you import evidence of your AWS usage and configurations directly from Audit Manager into MetricStream CyberGRC.

Instead of jumping between multiple tools to manage compliance, you can use MetricStream CyberGRC as a single location to centralize evidence and address issues for controls that assess your AWS, on-premises, and multi-cloud environments.

Setup is simple: as a MetricStream CyberGRC customer, you use your delegated administrator account for AWS Audit Manager to establish the connection between AWS and MetricStream. The integration also lets you map your AWS detective controls to the enterprise-wide GRC controls you already have configured in MetricStream.

Inside MetricStream CyberGRC, begin by choosing a suitable Audit Manager framework; this defines the relationships between your existing enterprise controls and the AWS controls. After creating this control mapping, you define the accounts in scope to create an assessment that CyberGRC manages in AWS Audit Manager on your behalf.

This triggers AWS Audit Manager to collect evidence in the context of the mapped detective controls, giving you a unified view of compliance evidence inside your GRC application.

Amazon S3 announces S3 Storage Lens groups for customized and granular visibility


Amazon S3 Storage Lens introduces Storage Lens groups, a new way to aggregate metrics using custom filters based on object metadata. Storage Lens groups help you drill down into characteristics of your data, such as the distribution of objects by age or your most common file types, so you can better understand and optimize your S3 storage.

Amazon S3 Storage Lens is a cloud storage analytics feature that delivers organization-wide visibility into object storage usage and activity. Storage Lens groups let you view those metrics filtered by object tag, prefix, suffix, age, or size.

For example, you can filter metrics by object tag to identify your fastest-growing datasets, or visualize your storage by object size and age to inform your archive strategy. To get started, create Storage Lens groups through the AWS Console, CLI, or SDK and attach them to your Storage Lens dashboards. This is another advance in the visibility that AWS detective controls offer.

Amazon GuardDuty now supports runtime monitoring for Amazon EC2


AWS introduces Amazon GuardDuty EC2 Runtime Monitoring. It’s an expansion of Amazon GuardDuty that introduces runtime threat detection for Amazon Elastic Compute Cloud (Amazon EC2) workloads.

GuardDuty EC2 Runtime Monitoring deepens threat detection coverage for Amazon EC2 workloads. It gives you visibility into on-host, operating system-level activities and provides container-level context for detected threats. With this extended capability, GuardDuty can help you identify and respond to potential threats that target the compute resources within your EC2 workloads.

These threats could involve instances or self-managed containers in your AWS environment, for example instances querying IP addresses associated with cryptocurrency-related activity or connecting to the Tor network as a Tor relay. Now, no matter where you run your compute on AWS, you have full runtime visibility, which helps reduce the attack surface and mitigate risks in running applications and workloads.

You can enable GuardDuty EC2 Runtime Monitoring with a few steps in the GuardDuty console. It is compatible with AWS Organizations, so you can centrally enable runtime threat detection coverage for accounts and workloads across the organization and simplify your security coverage.

Introducing Amazon GuardDuty ECS Runtime Monitoring, including AWS Fargate


Amazon GuardDuty ECS Runtime Monitoring is an expansion of Amazon GuardDuty that introduces runtime threat detection for Amazon Elastic Container Service (Amazon ECS) workloads, including serverless container workloads running on AWS Fargate.

Earlier in 2023, AWS introduced runtime monitoring for containerized workloads running on Amazon Elastic Kubernetes Service (Amazon EKS). It gives you visibility into on-host, operating system-level activities and provides container-level context for detected threats, such as containers repurposed for cryptocurrency mining or unusual activity indicating unauthorized code execution in your container.

With GuardDuty ECS Runtime Monitoring, you get the same fully managed runtime threat detection for your serverless container environment, and security and infrastructure teams can more easily coordinate the onboarding and maintenance of their security coverage. Now, no matter where you run your AWS-managed container workloads, you have the broadest runtime threat detection visibility available.

You can enable GuardDuty ECS Runtime Monitoring with a few steps in the GuardDuty console. It is also compatible with AWS Organizations, so you can centrally enable runtime threat detection coverage for accounts and workloads across the organization.

Amazon Detective Controls announces investigations for IAM


Amazon Detective now supports automatically investigating AWS Identity and Access Management (IAM) entities for indicators of compromise (IoC). This new capability helps security analysts determine whether IAM entities have potentially been compromised or been involved in any known tactics, techniques, and procedures (TTP) from the MITRE ATT&CK framework.

Detective makes it easier to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Once enabled, Detective automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory to build interactive visualizations, helping you run faster and more efficient security investigations.

You can now use Detective to automatically analyze IAM users and IAM roles and quickly surface potential IoCs and TTPs. Detective also uses machine learning to highlight when the indicators are anomalous and require attention. From the Detective management console or the newly released public APIs, you can investigate IAM resources by Amazon Resource Name (ARN) and obtain a report that lists the IoCs and TTPs for IAM entities involved in anomalous behavior.

There is no additional charge for this new capability, and it’s available today for all existing and new Detective customers.

Amazon Detective Controls supports log retrieval from Amazon Security Lake


Amazon Detective integrates with Amazon Security Lake, enabling security analysts to query and retrieve logs stored in Security Lake. You can use this integration to get additional information from AWS CloudTrail logs and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs stored in Security Lake while conducting security investigations in Detective.

Detective is a managed security service that simplifies the investigation process by building data aggregations, summaries, and visualizations based on security findings and activity logs. Security analysts use Detective to determine the nature and extent of possible security issues more quickly.

Security Lake is a service that automatically centralizes security data from AWS environments, SaaS providers, on-premises, and other cloud sources into a purpose-built data lake. As a result, you can use Security Lake to make central log collection easier and gain a comprehensive understanding of all security events in your organization.

When deeper analysis is required, Detective provides a pre-built query in Amazon Athena focused on the timeframe and components involved. This speeds up the retrieval of relevant CloudTrail and VPC Flow Logs, and analysts can preview logs in Athena and modify the query to fine-tune the results.

Amazon Detective Controls supports security investigations for Amazon GuardDuty ECS Runtime Monitoring


Amazon Detective now supports security investigations for threats detected by Amazon GuardDuty Elastic Container Service (ECS) Runtime Monitoring, providing enhanced visualizations and additional context for detections on ECS. You can now combine the new runtime threat detections from GuardDuty with the investigative capabilities of Detective to improve your detection of and response to potential threats to your container workloads.

Detective is a managed security service designed to help security analysts investigate potential security issues across AWS accounts and workloads. It simplifies the analysis of security findings, making it easier to identify the extent of malicious activity and its root cause.

GuardDuty is a threat detection service that continuously monitors your AWS environment for malicious activity and unauthorized access. GuardDuty now supports threat detection for runtime events in Amazon ECS, including serverless workloads on AWS Fargate.

Detective supports the investigation of these new detections, including correlation with other findings into finding groups, graph visualizations, and other summaries for faster security investigations.

You can now customize security Detective controls in AWS Security Hub


Amazon Web Services Inc. (AWS) announced support for customer-specific inputs in AWS Security Hub detective controls, which lets you customize your security posture monitoring in AWS.

Security Hub is a cloud security posture management (CSPM) service with hundreds of managed and automated controls that let you monitor your cloud resources and ensure they are configured securely. The new enhancements allow security teams to refine the best practices monitored by Security Hub detective controls to meet more specific security expectations.

Now, you can update certain controls with your specific password policies, retention frequencies, or other attributes. This can be done without giving up on any of the benefits of using managed controls. After you update the parameters, Security Hub will produce a new, more relevant, evaluation.

By using and customizing the managed controls in Security Hub, you eliminate the repetitive and error-prone work that is involved in creating custom controls for this purpose. As a result, you now benefit not just from the implementation of these controls being baked into Security Hub, but also from having them included in its built-in deployment and scoring mechanisms. At launch, Security Hub supports customization in more than 30 of its controls.

Announcing new finding enrichment in AWS Security Hub Detective Controls


Amazon Web Services Inc. (AWS) announces new metadata enrichment for findings aggregated in AWS Security Hub, which helps you better contextualize, prioritize, and act on your security findings. This enrichment adds resource tags, a new AWS application tag, and account name information to every finding ingested into Security Hub, including findings from AWS security services such as Amazon GuardDuty, Amazon Inspector, and AWS IAM Access Analyzer, as well as findings from a large and growing list of AWS Partner Network (APN) solutions.

Cloud security teams use Security Hub as their single pane of glass to centralize their security operations. Security Hub now consistently enriches all of its findings with resource tags, a new AWS application tag, and an account name as the findings are ingested.

This new finding enrichment in Security Hub eliminates the need to build data enrichment pipelines or manually enrich metadata of security findings. It also makes it easier to fine-tune findings for automation rules, search or filter findings and insights, and assess security posture status by application in Security Hub widgets, and in related AWS applications.
