AWS Cloud Operations Blog

Centrally detect and investigate security findings with AWS Organizations integrations

Detecting security risks and investigating the corresponding findings is essential for protecting your AWS environment from potential threats, ensuring the confidentiality, integrity, and availability of your data and resources for your business needs. AWS provides a range of governance and security services such as AWS Organizations, AWS Control Tower, and AWS Config along with many others, to help you continuously monitor and analyze your environment for potential risks, enabling you to maintain a robust security posture and help safeguard your cloud resources.

In the previous blog posts in this series Identify AWS resources at risk across your multi-account environment with AWS Organizations integrations, and Protect your AWS resources from unauthorized access using AWS Organizations integrations, we have so far highlighted how you how to gain visibility in the resource configurations and implement controls to protect your AWS resources. In this blog post, we will show you how you can set up security services to investigate findings and quickly mitigate using services such as Amazon GuardDuty, AWS CloudTrail, AWS Security Hub, Amazon Inspector, and AWS Firewall Manager integrated with AWS Organizations.

Pre-requisites

  • You are familiar with AWS Organizations service along with the multi-account strategy concepts.
  • You have set up a multi-account environment with Security OU with Log Archive and Security Tooling accounts to ingest all the logs and security findings across your organization required for detecting and investigating the security findings.
  • (Optional) A Network Account for your central network security needs.

Technical Overview

If you are part of the SecOps, Network team, or Platform security team in your organization, you are exploring ways to efficiently and quickly detect and investigate security findings. Let’s discuss best practices for detecting and investigating security findings to help strengthen your organization’s security posture. Implementing a multi-account strategy can be an effective way to centralize security, isolating your AWS resources or granting access to accounts based on common access requirements in your organization, resulting in minimizing risks.

The Image 1 shows an architecture diagram of a multi-account environment following best practices for centralized detection and investigation needs. For illustration, we have shown four organizational units (OUs) – Infrastructure OU, Security OU, Production OU, and Non-production OU. Within Infrastructure OU, you can have Network Account and Security Tooling Account and configure the networking and security tooling services to be able to centrally manage them for your organization.

For AWS Control Tower customers, a Security OU is deployed by default. Customers cannot include accounts under this default Security OU, unless you change the OU name. Changing the OU name unlocks the ability to follow this walkthrough and create your own custom Security OU.

Image 1: An architecture diagram of a multi-account environment following best practices for efficient detection and investigation needs

Image 1: An architecture diagram of a multi-account environment following best practices for efficient detection and investigation needs

While the above OU structure along with a Network Account and Security Tooling Account geared towards common use cases are recommended, it is your organization’s responsibility to define an OU structure that aligns with your distinct requirements relevant to isolation and automation.

Walkthrough

The Security Tooling Account within Security OU in your organization is the operating space for your security engineers. This is the designated place we recommend for most of your centralized security services, like Amazon Inspector, Amazon GuardDuty, the aggregators for AWS Config, and AWS Security Hub.

Enable Amazon Inspector with AWS Organizations for vulnerability detection

Amazon Inspector is a service for detecting software vulnerabilities and unintended network exposure across your AWS workloads, including EC2 instances, Lambda functions, and container images in ECR. Enabling Amazon Inspector with AWS Organizations allows for comprehensive vulnerability detection across your entire organization, ensuring consistent security posture and compliance. We recommend integrating Amazon Inspector with AWS Organizations so you can centrally manage vulnerabilities across your resources in any AWS account within the organization. To set it up, you need to delegate the administration of Amazon Inspector to your Security Tooling Account, and then add the member accounts you want to monitor, or activate the option to automatically scan following activation steps, under the multi- account environment guide. By delegating Amazon Inspector to a member account, you decentralize the responsibility for vulnerability management and assessment across your AWS environment. It enables security teams to independently manage and analyze findings from Inspector scans without relying on the management account used for organizational governance tasks. The Image 2 shows which accounts are enrolled or enabled within Amazon Inspector from your delegated administrator account, and start monitoring them from this console.

Image 2: Amazon Inspector dashboard showing vulnerability posture across AWS accounts

Image 2: Amazon Inspector dashboard showing vulnerability posture across AWS accounts

Understanding Amazon Inspector findings

Let’s now consider the type of Amazon Inspector findings in detail. Navigate to the Amazon Inspector console and click on Findings. As shown in the Image 3, you will view a list of all the findings you have across all your accounts, the impacted resource, and the severity, as well as a link to the CVE for the vulnerability.

Image 3: Amazon Inspector findings

Image 3: Amazon Inspector findings

Click one of these vulnerabilities. A new window opens providing additional details such as CVSS score details, the cause of the vulnerability, and steps to remediate as shown in the Image 4.

Image 4: Detailed view of Amazon Inspector detected vulnerability

Image 4: Detailed view of Amazon Inspector detected vulnerability

You can read the Automate vulnerability management and remediation in AWS using Amazon Inspector and AWS Systems Manager blog post series to prioritize the resolution of findings.

Enable Amazon GuardDuty with AWS Organizations for threat detection

While Amazon Inspector analyzes your workloads and detects software vulnerabilities, you can use Amazon GuardDuty to analyze your entire AWS environment, including your AWS accounts, access to the data stored in Amazon Simple Storage Service (Amazon S3) buckets, etc.

GuardDuty analyzes and processes Foundational data sources, such as AWS CloudTrail management events, AWS CloudTrail event logs, Amazon VPC flow logs (from Amazon EC2 instances), and DNS logs. AWS CloudTrail plays a crucial role in investigating security findings across your organization by capturing API activities from all AWS services within your accounts. By leveraging CloudTrail’s centralized logging across an organization, event history, organizational support, and notification capabilities, Amazon GuardDuty can effectively detect and investigate security findings across your entire organization. This visibility and audit trail can help you quickly identify and respond to potential security threats, policy violations, or unauthorized activities.

We recommend enabling GuardDuty with Organizations and set up a delegated administrator. By delegating GuardDuty to a member account, you decentralize security responsibility, enabling security teams to independently analyze findings across your AWS environment. This approach provides ownership and independence to the security teams while keeping the focus of the management account on key organizational governance tasks. Image 5 shows Amazon GuardDuty multi-account view from the delegated administrator account.

Image 5: Amazon GuardDuty multi-account view from the delegated administrator account

Image 5: Amazon GuardDuty multi-account view from the delegated administrator account

Analyze GuardDuty findings

Let’s analyze a few findings with GuardDuty across an organization in detail. A GuardDuty finding presents the potential security risks detected within your organization including network protection, malware scans for your storage, and runtime analysis of your compute and container resources. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment. Amazon GuardDuty provides three severity levels (Low, Medium, and High) to help you prioritize their response to potential threats. Let’s take an example of an event generated by disabling one of the S3 bucket’s server access logging across 2 accounts in an organization. Since GuardDuty was enabled for the organization that these accounts are part of, this triggered Stealth:S3/ServerAccessLoggingDisabled finding. To view the findings, you can go to GuardDuty delegated administrator account, navigate to the GuardDuty console. Under Findings, you can view two new findings as shown in Image 6.

Image 6: GuardDuty S3 finding of server access logging disabled

Image 6: GuardDuty S3 finding of server access logging disabled

This finding informs you that S3 server access logging was disabled for the bucket. If it is disabled, no logs are created for any actions taken on that specific S3 bucket, unless S3 object level logging is enabled. To investigate the S3 policy finding, click on the finding Stealth:S3/ServerAccessLoggingDisabled.

The finding details include information about what happened, which AWS resources were involved in the suspicious activity, when this activity took place, and other information, as shown in Image 7.

Image 7: GuardDuty S3 finding detailed view

Image 7: GuardDuty S3 finding detailed view

To understand the finding format, refer GuardDuty finding format.

You can also set up CloudWatch custom events to notify you of GuardDuty findings at organization level.

Set central firewall rules in your organization

AWS Firewall Manager provides a centralized way to configure and manage network security across multiple AWS accounts and resources. It simplifies security administration, ensures consistent policies, and offers protection against common threats like DDoS attacks through integration with services like AWS WAF, AWS Shield Advanced, and Amazon VPC security groups. We recommend enabling Firewall Manager with Organizations and appointing the Network Account as a delegated administrator. Setting up a delegated administrator for AWS Firewall Manager allows for distributed management and control over network security policies across multiple accounts. It ensures consistent enforcement, streamlines updates, and enhances security posture while reducing administrative overhead on the management account.

To get started, in your management account, you can set a delegated administrator for Firewall Manager to your Network Account in your organization. Log in to your Network Account, navigate to the Firewall Manager console, and click on getting started. To create services and policies through Firewall manager you need to configure AWS Config across the organization or in the accounts you would like to manage. Here is a guide to enable AWS Config.

Feeding the network logs and details: You can create and apply a network firewall policy across your organization to centrally manage the AWS accounts and resources that the firewall applies to and Firewall Manager will automatically gather compliance reporting and usage through AWS Config. Additionally, you can configure logging for AWS Network Firewall to gain detailed insights into network traffic, such as information about the time the AWS Network Firewall’s stateful engine received a packet and detailed packet information.

Identifying the threats and vulnerability in your organization’s network: We recommend you integrate your Firewall Manager with AWS Security Hub so that all the information collected as a result of above mentioned steps is then sent to your centralized deployment of AWS Security Hub, where your central SecOps team can investigate threats and vulnerabilities, which will result in a faster resolution when security incidents occur.

And since you are setting up a central network, you can also leverage other tools for operational efficiency, such as Network Access Analyzer within your organization. It allows you to create network access paths, allowing you to quickly identify what portions of your network have access to what resources. You can follow the steps on this blog post to learn how to centrally deploy rules, and refer to the AWS Network Firewall best practices. Okay, so you are able to set central Firewall rules, and apply them across all your applications and resources within AWS. The findings from the logs, and the traffic patterns now need to be analyzed, and even more quickly resolved! You may be wondering how to keep track of all the relevant high risk findings, and detect if any of them put your organization at risk. This is where AWS Security Hub comes into play. Let’s now dive into classifying and prioritizing the findings in Security Hub.

AWS recommends to create a Network Account to manage networking resources across an AWS organization. Delegating the administration of your networking services to the network account provides the network team an environment to independently work and examine traffic, build and design security features, and easily deploy them across an entire AWS organization.

View security findings from multiple AWS services across multiple accounts

GuardDuty can be integrated with other AWS security services like Security Hub, CloudTrail, Amazon CloudWatch, etc. We recommend integrating Amazon Inspector and GuardDuty with Security Hub and AWS Organizations to have a complete view of findings across multiple accounts in your organization. When you enable both GuardDuty and Security Hub in your organization, the integration between them is enabled automatically and GuardDuty immediately begins to send findings to Security Hub.

Aggregate, classify, and understand your findings in AWS Security Hub Security Hub is a cloud security posture management (CSPM) service designated for your security teams. Security Hub findings are integrated with AWS Control Tower. You can also integrate it with AWS Organizations. If you are using Security Hub already in a single account, we recommend you integrate it with AWS Organizations. We also recommend you to designate a the Security Tooling Account as a delegated administration for Security Hub.

By integrating Security Hub with your AWS Organizations, your security teams can use Security Hub to aggregate all the findings, from all the AWS accounts and different security services from your organization in one place, including Network Firewall, GuardDuty, CloudTrail, AWS Config, and IAM Access Analyzer.

Note: Before you enable AWS Security Hub across your organization, note that you will need to enable AWS Config on the Regions you are interested in monitoring your resources.

Once all the necessary information is fed to Security Hub, you can view recommended insights based on the security standards you configure as shown in the Image 8. Security Hub performs automated checks against all the information gathered, and provide a normalized outcome that can be easily fed into your Security Information and Event Management (SIEM).

Image 8: Security Hub Insights providing visibility into the findings

Image 8: Security Hub Insights providing visibility into the findings

AWS Security Hub provides a set of managed insights to quickly get you an overview of what’s happening in your environment, but you can create custom insights on top of what comes by default. This allows you to tailor the recommendations given for specific security and compliance needs required to meet your business needs. By creating custom insights, AWS Security Hub becomes a highly customizable security monitoring and compliance tool, enabling you to maintain a comprehensive and tailored security posture across your AWS environment. Image 4 shows the Security Hub Insights in the console with some example insights. You can filter and organize the insights depending on your business needs, such as by resource, the type of recommendation you need to monitor actively, etc.

Let’s walk through an example. Security Hub provides a finding where an EC2 instance is in violation of one of the security standards you configured. To investigate this issue, you can simply follow these steps:

  • In the Security Hub console, in the left navigation pane, choose Findings.
  • To easily find specific findings, use the filter available in the Security Hub console. Enter Resource type into the search bar to find the filter for resource types.
  • Next, specify the AwsEc2Instance value to filter findings to only those applicable to EC2 instances.
  • Review the findings related to the EC2 instance as shown in the Image 9.
Image 9: Security Hub findings key elements

Image 9: Security Hub findings key elements

A misconfigured security group can potentially expose your EC2 instance to unauthorized access, data breaches, and other security threats. Following the steps above, you can detect potentially malicious activities occurring on an EC2 instance, due to the resource having misconfigured security groups.

Conclusion

In this blog post, we have covered a set security services such as Amazon GuardDuty, AWS CloudTrail, AWS Security Hub, Amazon Inspector, and AWS Firewall Manager etc. that you can leverage and enable with AWS Organizations to quickly detect risks, investigate issues, and respond to threats across multiple accounts in your organization. By leveraging these services and automated dashboards like Security Insights, you can gain a unified view of your security posture and take action to mitigate risks and incidents much faster across your organization. We recommend you set up delegated administrators for decentralizing the management as covered in this blog post and integrate the services discussed in this post with AWS Organizations.

We also recommend you to refer to previously published related blog post in this series Identify AWS resources at risk across your multi-account environment with AWS Organizations integrations, and Protect your AWS resources from unauthorized access using AWS Organizations integrations to identify and protect your AWS resources from risks.

We also offer solutions like Security Insights on AWS that automatically deploys security findings dashboards and help visualize data stored in Amazon Security Lake to more rapidly investigate and respond to security events. As you continue your cloud security journey, stay tuned for more prescriptive guidance and best practices from our team. If you have any questions or suggestions for future topics, please leave a comment below.

About the Author

Alex Torres

Alex Torres is a Senior Solutions Architect working with customers on the Media and Entertainment industry. He has worked with hundreds of customers worldwide building their cloud foundational environments and platforms, architecting new workloads, and creating governance strategy for their cloud environments. In his free time, he enjoys rainy days, playing videogames, walks in the mountain with his dogs, and nice cup of dry cappuccino.

Amey Bhavsar

Amey Bhavsar is a Sr. Solutions Architect at AWS, specializing in guiding enterprise clients across diverse industries. He is a core member of the Next Gen Developer Experience TFC, a Segment Retail Ambassador, and a GenAI Hero. He helps accelerate AWS cloud adoption by designing and implementing scalable and resilient architectures.

Pujah Goviel

Pujah Goviel is a Technical Account Manager at Amazon Web Services (AWS). She spends her day working with the Enterprise Support customers, solving their operational challenges, and helping them to accelerate innovation on AWS. She was a DevOps specialist prior to joining AWS and actively contributed to various technical blogs on her own blog site as well as developed various Terraform modules in the Terraform registry.

Samir Behara

Samir Behara is a Senior Cloud Infrastructure Architect with AWS Professional Services. He is passionate about helping customers accelerate their IT modernization through cloud adoption strategies. Samir has an extensive software engineering background and loves to dive deep into application architectures and development processes to drive performance, operational efficiency, and increase the speed of innovation.