#guardduty — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #guardduty, aggregated by home.social.
-
New AWS::GuardDuty::PublishingDestination
Use AWS::GuardDuty::PublishingDestination resource to create a publishing destination where you can export your GuardDuty findings.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-publishingdestination.html #guardduty #cloudformation
-
CW: Work launch
Big new #GuardDuty feature: Runtime Monitoring is now available for #ECS on EC2 and #Fargate! This is a major expansion of the EKS support we launched earlier this year. #AWS #reinvent2023 #cybersecurity https://aws.amazon.com/blogs/aws/introducing-amazon-guardduty-ecs-runtime-monitoring-including-aws-fargate/
-
@dob That's a big scope.
Some things we do to make our lives easier and that don't cost $$$.
Enable #guardduty and pipe all the alerts into a slack channel (+email as well).
Enable #cloudtrail, log everything to an #S3 bucket in another account. #cloudwatch alerts on auth failures (to slack + email (some go to pagerduty #infosec contact)).
We also have some alerts on updates when a cidr is added to a #SecurityGroup.
Don't use #ssh or #bastion/#JumpHosts, use #ssm to run automations on the hosts (package install, service restarts etc), also to get a shell on a box (if needed at all). (You can use #TransitiveTags with #RoleAssumption to give granular access.)
Using #ssm for console access also logs the entire session (including someone doing sudo su - root etc!) into #S3.
Use #MicroSegmentation within our #vpc. Instances behind an #alb will only accept traffic from the #alb #SecurityGroup etc. #rds, #elasticache will only accept traffic from instances in the appropriate #SecurityGroup. (Basically we don't use cidr ingress rules, we use security group ids.) (This works across accounts in the same region with peering, but not across regions however.)
-
HIRING: Incident Response & Cloud Security Lead, Security Engineering / Remote, USA - https://infosec-jobs.com/job/5314-incident-response-cloud-security-lead-security-engineering/ #InfoSec #infosecjobs #CyberSecurity #cybersec #CyberCareer #cyberjobs #cybertalents #security #jobsearch #techjobs #AWS #workremotely #GCFA #SIEM #guardduty