Cloud technologies are progressing at a rapid pace. Businesses are adopting new innovations and technologies to create cutting-edge solutions for their customers. However, security is a big risk when adopting the latest technologies. Enterprises often rely on reactive security monitoring and notification techniques, but those techniques might not be sufficient to safeguard your enterprises from vulnerable assets and third-party attacks. You need to establish proper security guardrails in the cloud environment and create a proactive monitoring practice to strengthen your cloud security posture and maintain required compliance standards. By using Amazon GuardDuty, Amazon Bedrock, and other AWS serverless technologies, businesses can tackle these challenges head-on and mitigate security risks effectively.
To address these challenges, there is a need to demonstrate a proactive approach for security vulnerability assessment of your accounts and workloads. This includes the use of Amazon GuardDuty, Amazon Bedrock, and other AWS serverless technologies. Such an approach aims to identify potential vulnerabilities proactively and provide users with timely alerts and recommendations, avoiding reactive escalations and other damages. Implementing a proactive security monitoring and alerting system ensures users receive personalized notifications via preferred channels like email, SMS, or push notifications. These alerts concisely summarize the identified security issues, providing succinct troubleshooting steps to fix problems promptly, without the need for escalation.
1. Activate GuardDuty in Your Account
GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior across your AWS environment. It combines machine learning (ML), anomaly detection, and malicious file discovery, using both AWS and industry-leading third-party sources to help protect AWS accounts, workloads, and data. GuardDuty integrates with Amazon EventBridge by creating an event for EventBridge for new generated vulnerability findings. This solution utilizes GuardDuty findings notifications through EventBridge to invoke AWS Step Functions, a serverless orchestration engine that runs a state machine. The Step Functions state machine invokes AWS Lambda functions to get a findings summary and remediation steps through Amazon Bedrock.
Amazon Bedrock is a fully managed service that offers a choice of high-performing foundation models (FMs) from leading AI companies. Leading AI companies such as AI21 Labs, Anthropic, Cohere, Meta, Stability AI, and Amazon provide these models via a single API, accompanied by a broad set of capabilities. These capabilities help build generative AI applications with security, privacy, and responsible AI measures. The combination of these technologies aims to create a secure environment by actively identifying, summarizing, and providing solutions for potential threats. This process improves overall efficiency and reduces the response time to security threats significantly.
By leveraging the power of generative AI FMs on Amazon Bedrock, users can quickly analyze vast amounts of security data to identify patterns and anomalies potentially indicating threats or breaches. By recognizing patterns in network traffic, user behavior, or system logs, such foundation models help pinpoint suspicious activities or vulnerabilities. Furthermore, generative AI can predict future security threats or attacks by analyzing historical security data and trends, enabling organizations to implement proactive measures to prevent breaches before they occur, enhancing the overall security landscape.
2. Assign Minimal Privilege IAM Permissions
To ensure the AWS resources perform the desired actions while maintaining security, it’s essential to assign minimal privilege IAM permissions. This involves provisioning least privilege IAM permissions for resources like Step Functions and Lambda functions. The Step Functions IAM role should have IAM policies permitting it to invoke Lambda functions and publish messages to the SNS topic. This approach prevents unauthorized access, adding an extra layer of control over the automation process.
The Lambda function must have AWSLambdaBasic ExecutionRole to publish logs and the bedrock:InvokeModel permission. Additionally, modifying the access policy of the SNS topic to only allow Step Functions to send messages to the topic further strengthens the solution’s security by restricting access to necessary components. These steps ensure that only the required entities have the necessary permissions, mitigating the risk of unauthorized access or actions.
Furthermore, it is crucial to request access to Anthropic’s Claude 3 on Amazon Bedrock. This model plays a pivotal role in analyzing and summarizing security findings, making it essential for the solution. Enabling encryption at the SNS topic to activate server-side encryption provides an extra layer of data security, ensuring all messages and logs are encrypted both in transit and at rest.
3. Deploy the Solution
Deploying the solution involves several key steps, starting with setting up a new rule for GuardDuty findings notifications on the EventBridge console. Configure the example rule to filter high-severity findings at severity level 8 and above. For a comprehensive list of GuardDuty findings, refer to the GetFindings API. This rule ensures that only critical findings trigger notifications, allowing for efficient prioritization and action on security threats.
The next step is to create a Lambda function on the console that takes the findings as input and calls the Amazon Bedrock API to get summarization and mitigation steps from Anthropic’s Claude 3. Provide proper IAM permissions to the Lambda function to invoke Amazon Bedrock APIs. Configure parameters in the environment variables to tailor the function’s behavior. Ensure modelId is set as claude-3-sonnet-20240229-v1:0, findingDetailType as GuardDuty finding, and source as guardduty to filter and evaluate GuardDuty findings accurately.
It’s essential to perform prompt engineering and follow prompting best practices. This avoids hallucinations or non-coherent responses from the large language model (LLM). To achieve coherence, use the following prompt for generating responses: You are an expert in troubleshooting AWS logs and sharing details with the user via an email draft as stated in . Do NOT provide any preamble. Draft a professional email summary of details as stated in description. Write the recipient as - User in the email and sender in the email should be listed as - Your Friendly Troubleshooter. Skip the preamble and directly start with subject. Also, provide detailed troubleshooting steps in the email draft." + "" + description + ". This prompt ensures the model’s response is concise, professional, and directly addresses the identified issue without unnecessary information.
4. Create SNS Topic and Step Functions State Machine
Next, on the Amazon SNS console, create an SNS topic to send notifications and add the emails of the subscribers. This step ensures that all important findings and mitigation steps are communicated promptly to the relevant stakeholders. Adding test subscribers initially helps verify the setup’s effectiveness before rolling it out fully.
After creating the SNS topic, proceed to create the Step Functions state machine and integrate the Lambda and Amazon SNS calls in the workflow on the Step Functions console. Add the Lambda and Amazon SNS optimized integrations to the new state machine. Ensure the appropriate IAM permissions are provided to the Step Functions role, enabling it to invoke Lambda and the Amazon SNS. This integrated workflow streamlines the process of handling security findings and delivering notifications efficiently.
Finally, add the Step Functions state machine to the EventBridge rule as the target created earlier. Ensure that the rule has proper IAM permission to invoke the Step Functions state machine. This setup automates the entire process from detecting vulnerabilities through GuardDuty, summarizing and mitigating findings through Lambda and Bedrock, to delivering notifications via SNS.
5. Test the Solution
Testing the solution involves generating sample findings on the GuardDuty console to ensure the setup works as intended. Based on the sample findings volume, test emails are triggered accordingly. This step ensures that all components of the solution are functioning correctly and communicating as planned.
When the test setup is triggered, analyze the emails sent via Amazon SNS about potential security risks. For instance, an email notification about a potential security risk in an Amazon Elastic Container Service (Amazon ECS) cluster will contain the vulnerability summary and a few mitigation steps. Such detailed emails help to swiftly address the identified vulnerabilities. Additionally, you might receive notifications about potential Bitcoin IP address communications, highlighting different types of risks.
6. Clean Up
To avoid incurring unnecessary costs once the solution has been tested and verified, complete the following clean-up steps. Delete the AWS resources associated with this solution, like the Step Functions state machine, Lambda functions, and SNS topic. Moreover, you can disable GuardDuty if it’s no longer in use to prevent S3 bucket storage costs.
Cleaning up the resources prevents any ongoing charges to your AWS account, ensuring cost efficiency. Performing these steps helps revert any changes made during the solution’s deployment, maintaining your environment’s initial state.
Conclusion
Cloud technologies are advancing rapidly, pushing businesses to integrate new innovations and create sophisticated solutions for their customers. Nonetheless, security remains a significant challenge when adopting the latest technologies. Companies often depend on reactive security measures, such as monitoring and notifying, but these might not be enough to protect against potential threats and third-party intrusions. To secure your enterprise effectively, you must establish robust security guardrails in your cloud environment and adopt a proactive monitoring approach to enhance your cloud security posture and maintain compliance standards.
Utilizing tools like Amazon GuardDuty, Amazon Bedrock, and other AWS serverless technologies can significantly help in addressing these security concerns. A proactive security strategy involves assessing vulnerabilities in your accounts and workloads before they can be exploited. This includes leveraging Amazon’s tools to detect potential risks ahead of time and providing users with timely alerts and recommendations to avoid reactive escalations and subsequent damages.
Implementing an active security monitoring system ensures users receive personalized notifications through their preferred channels, such as email, SMS, or push notifications. These alerts give concise summaries of identified security issues and clear troubleshooting steps, allowing for quick resolution without unnecessary escalation. By adopting such a proactive approach, businesses can effectively mitigate security risks and protect their valuable assets in the cloud.
