DEV Community: Orhan Kamo

What is VPC Flow Log ? How to Enable VPC Log

Orhan Kamo — Mon, 04 Nov 2024 15:18:09 +0000

With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Capture information about IP traffic going into your interfaces:
• VPC Flow Logs
• Subnet Flow Logs
• Elastic Network Interface (ENI) Flow Logs
• Helps to monitor & troubleshoot connectivity issues
• Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
• Captures network information from AWS managed interfaces too: ELB,
RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway…

VPC Flow Logs –Traffic not captured

• Traffic to Amazon DNS server (custom DNS server traffic is logged)
• Traffic for Amazon Windows license activation
• Traffic to and from 169.254.169.254 for EC2 instance metadata
• Traffic to and from 169.254.169.123 for Amazon Time Sync service
• DHCP traffic
• Mirrored traffic
• Traffic to the VPC router reserved IP address (e.g., 10.0.0.1)
• Traffic between VPC Endpoint ENI and Network Load Balancer ENI

We can use query with Athena ( top 10 ip adress)

We enable VPC Flow and we sent logs to S3 and CloudWatch

We created VPC

aggreation interval 10 minutes because 1 minute means to many logs and it can be expensive and if we want to sent logs to CloudWatch, we need IAM role

Right now we sent logs to S3.

What is Aws Macie ? How to discover data with Macie ?

Orhan Kamo — Wed, 23 Oct 2024 05:31:44 +0000

The size and value of data is increasing day by day, and where the data is and who accesses it has become the most important job of data security. While we can make data discovery with data lost prevention (DLP) products, let's examine how we can do this in our aws s3 buckets.

Amazon Macie discovers sensitive data using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks. Macie work with EventBridge and Therefor you can take action ( for example using with Lambda, SNS ).

What we can discovery ?
PII
Credirt Cart
Aws Account
Bank Account
IBAN, Tax ID ...
what you need ( with Regular Expression )

Scenario
There is a bucket called "s3macie" and we will upload a text containing a Turkish Identity number here. Then we create a job by enabling Macie and wait for it to find it in the scan.
We created a bucket named s3macie and enable Macie.

Get started

Enable Macie

We create job ( Discover data )

Choose S3 Buckets

Step: Refine the Scope ( Schedule job, include , exclude)

Step: Select Managed Data Identifiers ( select pattern or list of custom regular expression part)

we want to discover Turkish Identity Number .That's why i go with "custom"

List of custom pattern . We create new condition here

Create new

I write regex and test Turkish Identity Number ( rigt side )

Back to "Select custom data identifiers"

Step: Enter General Setting enter value and "Next"

End we create the job

We upload the file ( include test Turkish Identity Number

Finally We find critical data on S3 buckest with Macie

Aws GuardDuty and S3 Malware Protection with GuardDuty

Orhan Kamo — Mon, 21 Oct 2024 10:13:10 +0000

Guardduty is one of the must-have cybersecurity services among AWS services. Threat analysis, a suspicious login that did not exist before (for example, it can be a request from an unexpected country). It can perform discovery with threat intelligent to protect AWS accounts. It can analyze using mainly the following services and logs.
· CloudTrail Events Logs: unusal API callls, unauthorized deployments

· CloudTrail Managment Events: create VPC subnet, create trail

· CloudTrail S3 Data Events: get object, list object, delete object

· VPC Flow Logs: unusual internal traffic, unusual IP address

· DNS Logs: compromised EC2 instances sending encoded data within DNS queries
It also analyzes EKS Audit Logs, RDS and Aurora, EBS, Lambda, S3 Data Events.
In addition to blocking GuardDuty CryptoCurrency attacks, you can take automatic actions with EventBridge. Let's examine a sample event formation with the diagram below.

As can be seen above, we receive logs from the log sources on the left with GuardDuty and let's assume that a suspicious situation has occurred. GuardDuty sends this information with EventBridge and we can send a notification with SNS or take action automatically using Lambda.
First I create an S3 bucket.
Now let's do a scenario of using GuardDuty. In the scenario I will use an s3 bucket and try to load eicar here.

I created S3 bucket ( name testgaurd) and go to the guardDuty.

We do not need all-features. Click "GuardDuty Malware Protection for S3 only"

Browse S3 ad choose testguard bucket.

There is an important point here. We need to assign a role, otherwise we cannot access and enable GuardDuty S3 bucket because it is not authorised. For the permissions that should be here, we say View permission, copy the ones here and then add a role and policy on the IAM side with Create role and attached role on GuardDuty permission

Finally wecan upload Eicar ( malware file).

And GuardDuty detect malware file