Security Hub remediations with GuardDuty Detection | Hands-on walkthrough | Cloud4DevOps

  • Published: 28 Aug 2024
  • In this lab, we configure Amazon GuardDuty to generate findings and then use AWS Security Hub to remediate them:
    1. Amazon GuardDuty detects findings; AWS Security Hub remediates those findings.
    2. Amazon GuardDuty provides automated finding generation for EC2 malicious IP and EC2 brute-force attacks.
    3. AWS Security Hub provides automated remediation of GuardDuty findings through Security Hub custom actions.
    Custom Lambda Function:-
    ----
    from __future__ import print_function
    from botocore.exceptions import ClientError
    import boto3
    import os

    def handler(event, context):
        # The lab stops the single instance whose ID is stored in the
        # function's INSTANCE_ID environment variable.
        response = None
        try:
            ec2 = boto3.client('ec2')
            instanceID = os.environ['INSTANCE_ID']
            response = ec2.stop_instances(
                InstanceIds=[
                    instanceID,
                ],
            )
        except ClientError as e:
            # Log the API error; response stays None so the caller can tell
            # nothing was stopped.
            print(e)
        return response
    ----
    Event Rule:-
    ----
    {
      "source": ["aws.guardduty"],
      "detail": {
        "type": ["Recon:EC2/Portscan"]
      }
    }
    ----
    If you like the video please like, comment, share and subscribe to the channel to get more updates on technical videos.
    Channel Link:- www.youtube.co...
    Join Me on the LinkedIn Group for More updates:- / 13859292
    Happy Learning !!!
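    The lab's Lambda reads a fixed INSTANCE_ID from the environment. The added example below (not the video's own code) derives the instance ID from the event instead, for both event shapes involved in this setup: the GuardDuty finding event matched by the rule above, and the "Security Hub Findings - Custom Action" event that a Security Hub custom action emits. The sample events, the fake EC2 client and the `ec2=` parameter are constructed for the example; the finding type names are real GuardDuty types.

```python
import re

# Finding types this remediation acts on: the rule's Recon:EC2/Portscan plus the
# brute-force and malicious-IP EC2 types the lab names (real GuardDuty type names).
REMEDIATE_TYPES = {
    "Recon:EC2/Portscan",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
}
# ASFF resource IDs are ARNs; the instance ID is the last path segment.
INSTANCE_ARN = re.compile(r":instance/(i-[0-9a-f]+)$")


def instance_ids_from_event(event):
    """Return the EC2 instance IDs an EventBridge event refers to.

    Direct GuardDuty finding: detail.resource.instanceDetails.instanceId.
    Security Hub custom action: detail.findings[].Resources[].Id (an ARN).
    Events of any other kind, or of a type we do not remediate, yield [].
    """
    detail = event.get("detail", {})
    ids = []
    if event.get("source") == "aws.guardduty":
        if detail.get("type") in REMEDIATE_TYPES:
            iid = detail.get("resource", {}).get("instanceDetails", {}).get("instanceId")
            if iid:
                ids.append(iid)
    elif event.get("detail-type") == "Security Hub Findings - Custom Action":
        for finding in detail.get("findings", []):
            for res in finding.get("Resources", []):
                m = INSTANCE_ARN.search(res.get("Id", ""))
                if res.get("Type") == "AwsEc2Instance" and m:
                    ids.append(m.group(1))
    return sorted(set(ids))


def handler(event, context, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic is testable offline."""
    ids = instance_ids_from_event(event)
    if not ids:
        return {"stopped": []}  # nothing to do; do not touch unrelated instances
    if ec2 is None:
        import boto3  # only needed in the real Lambda runtime
        ec2 = boto3.client("ec2")
    ec2.stop_instances(InstanceIds=ids)
    return {"stopped": ids}


# Constructed sample events (not captured from a real account).
GUARDDUTY_EVENT = {"source": "aws.guardduty", "detail": {"type": "Recon:EC2/Portscan",
                   "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
CUSTOM_ACTION_EVENT = {"detail-type": "Security Hub Findings - Custom Action", "detail": {
    "actionName": "StopInstance", "findings": [{"Resources": [{"Type": "AwsEc2Instance",
    "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"}]}]}}
```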

Comments • 7

  • @samahome
    @samahome 10 months ago +2

    Great illustration and explanation

    • @Cloud4DevOps
      @Cloud4DevOps 9 months ago +1

      Glad you liked it!

    • @tejasudheerkumar
      @tejasudheerkumar 8 months ago

      It's nice, but whenever I tried, EventBridge did not start the action in Security Hub; it failed.
      Could you please help me out?

    • @Cloud4DevOps
      @Cloud4DevOps 8 months ago

      @tejasudheerkumar Help me with the error. Without the error I won't be able to comment. Seems either a permission or a linkage is missing.

  • @ibmuser13
    @ibmuser13 5 months ago

    Thanks for the video. A couple of questions:
    You hardcoded the instance ID of the compromised instance in the Lambda environment variables? How will this work in a production scenario, where any instance can become compromised and try to communicate with the malicious instance? How would you get the instance ID of the compromised instance then?
    The SG of the compromised instance has all outbound access but no inbound access from the malicious IP address, correct? If the nmap script is failing, is the finding still generated in Security Hub?

  • @Prakash-vb3bp
    @Prakash-vb3bp 8 months ago

    0:17

  • @Prakash-vb3bp
    @Prakash-vb3bp 8 months ago

    0:29