
SCS-C02 Exam - Question 8


A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.

Which solution will meet these requirements?

Correct Answer: D

To meet the requirements of blocking detected communication from a suspicious instance until investigation and potential remediation can occur, the best approach is to replace the security group of the suspicious instance with one that does not allow any connections. By doing so, it effectively isolates the instance without affecting other parts of the network. This method leverages AWS Security Hub to ingest GuardDuty findings and an AWS Lambda function to make the necessary security group changes, ensuring a swift and automated response to the detected threat.
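The automated response described in the answer, as an added example that is not from the exam page or any AWS sample: a Lambda-style handler that reads the EventBridge event Security Hub emits for imported findings, picks out EC2 instances named in GuardDuty RDP brute-force findings, and replaces their security groups with a quarantine group. The quarantine group ID, the keyword match on `RDPBruteForce`, and the sample event are assumptions; `modify_instance_attribute` is the real boto3 call, stubbed here so the block runs offline.

```python
"""Added example (not the exam page's or AWS's code): quarantine EC2 instances
named in GuardDuty RDP brute-force findings delivered via Security Hub and
EventBridge.  Group ID and the 'RDPBruteForce' keyword match are assumptions."""
import os

# Assumed: a pre-created security group with no inbound or outbound rules.
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-placeholder")

def instance_id_from_arn(arn):
    """'arn:aws:ec2:region:acct:instance/i-abc' -> 'i-abc' (None if not an instance)."""
    return arn.rsplit("/", 1)[-1] if "instance/" in arn else None

def is_rdp_brute_force(finding):
    # GuardDuty's finding type name survives in the ASFF 'Types' list; match on it.
    return any("RDPBruteForce" in t for t in finding.get("Types", []))

def quarantine_targets(event):
    """Instance IDs from every RDP brute-force finding in the EventBridge event."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        if not is_rdp_brute_force(finding):
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") == "AwsEc2Instance":
                iid = instance_id_from_arn(res.get("Id", ""))
                if iid:
                    ids.append(iid)
    return ids

def lambda_handler(event, context=None, ec2=None):
    """Replace each target instance's security groups with the quarantine group."""
    if ec2 is None:
        import boto3  # real client only when running inside AWS
        ec2 = boto3.client("ec2")
    done = []
    for iid in quarantine_targets(event):
        # Groups=[...] replaces the instance's whole security-group list.
        ec2.modify_instance_attribute(InstanceId=iid, Groups=[QUARANTINE_SG])
        done.append(iid)
    return {"quarantined": done}

# Constructed sample in the 'Security Hub Findings - Imported' event shape.
SAMPLE_EVENT = {"detail": {"findings": [{
    "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce"],
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"}]}]}}

class FakeEc2:  # offline stand-in that records calls instead of hitting AWS
    def __init__(self): self.calls = []
    def modify_instance_attribute(self, **kw): self.calls.append(kw)
```

Security groups are stateful, so a connection already tracked by the instance may survive the swap; the quarantine group stops new flows in both directions.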

Discussion

17 comments
Daniel76 (Option: C)
Nov 13, 2023

Letting GuardDuty detections be sent to Security Hub as findings is a simple and elegant way. https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html Use EventBridge to respond by invoking Lambda. Amazon Kinesis data stream is not needed. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html I suggest only blocking specific port 389 against these suspicious EC2 instances instead of isolating them in a security group, to minimize the impact while it has not been verified as a confirmed attack.

Raphaello (Option: C)
Dec 14, 2023

C. SecurityGroup is a simpler way of isolating a suspicious instance, unlike Network Firewall, which is a paid service. EventBridge is needed to relay events to Kinesis Data Stream. At that point, what is the need for Kinesis Data Stream? A Lambda function could be invoked directly from EventBridge. For that, I'd go with C.

3633f8f (Option: D)
Dec 15, 2023

To isolate, there is nothing more powerful than an ACL at subnet level, which immediately denies traffic in any direction. Wishing to automate, there is no choice but to use ACL, as you do not know the exact IP of the source that is attacking; thus, you apply a security group restriction. The need for Kinesis Data Streams is to process real-time events while they are happening. A firewall you do not usually automate, as it has complex features that need to be set via IaC or console.

3633f8f
Dec 17, 2023

Correcting, as RDP is handled directly in layer 3. C

brpjp
Dec 31, 2023

Answer B is correct. The first scenario requested is an RDP brute force attack. Neither NACL, Network Firewall, nor Security Group supports blocking; only WAF helps to block traffic based on pattern.

cumzle_com
Jun 16, 2024

WAF is only for HTTP traffic :)

Aamee (Option: C)
Nov 29, 2023

Would go with C, since it has asked specifically for automating the security findings, and that's where Security Hub comes into play in combination with EventBridge.

WeepingMaplte
Dec 13, 2023

AWS Network Firewall is a better option unless the question wants the most cost-effective method. https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-group-stateful-creating.html#:~:text=Stateful%20actions.-,To%20define%20IP%20sets%20and%20ports%20as%20variables%20that%20you%20can,variables%20and%20values%20for%20IP%20set%20variables%20and%20Port%20variables.,-To%20add%20one

3633f8f (Option: C)
Dec 17, 2023

C is the answer

brpjp
Dec 31, 2023

When GuardDuty is there, I do not understand what the requirement is to integrate Security Hub.

brpjp
Jan 1, 2024

Hello, correcting my understanding: I agree with answer C.

happy34
Jan 8, 2024

D is the answer. We need to identify the best method, tech and cost, implied. WAF is layer 7 prevention. FW is layer 3 to 7. Web ACL can prevent layer 7. RDP is mostly Layer 7: password guessing etc. https://repost.aws/knowledge-center/waf-prevent-brute-force-attacks

shuaaaa
May 4, 2024

RDP is L3 (IP) + L4 (Port 3389). It is NOT L7.

mynickc (Option: C)
Jan 27, 2024

Here are some basics: WAF protects ports 443 / 80. RDP is a different port and has nothing to do with Layer 7 or WAF.

awssecuritynewbie (Option: C)
Jan 27, 2024

I would go with C, as option D will block any connection to the EC2 machine, which is not what you want, and security groups are easier and at the endpoint level.

Raphaello (Option: C)
Feb 9, 2024

1. No point in using Kinesis Data Stream/Analytics/Apache Flink to stream and process the event.
2. Neither WAF nor NACL is an effective solution to the mentioned case.
3. GuardDuty findings can be sent directly to Amazon EventBridge to trigger an action, but deploying Security Hub is not entirely wrong.
4. AWS Network Firewall is better suited to block suspicious instances.
Option C is the correct answer.

cumzle_com (Option: D)
Jun 16, 2024

While Option C is technically feasible and provides robust network-level protection using AWS Network Firewall, it is more complex and might be an overkill for the specific task of quickly isolating individual EC2 instances. Option D offers a more direct and simpler approach by replacing the security group of the suspicious instance, which is generally easier to manage and quicker to implement in the context of isolating instances based on GuardDuty findings. Therefore, while Option C can meet the requirements, Option D is more appropriate and efficient for the specific task of blocking communication from suspicious instances quickly and effectively.

DLG_85
Jun 28, 2024

Option B. We have to consider that the Security team has to be notified. There is nothing about that in the other answers.

Almo89 (Option: C)
Jul 2, 2024

Not A: Kinesis is for a stream of data. GuardDuty will report (raise alarm), but there is no need for Apache Flink.
Not B: WAF is for a web application (80, 443); the attack will be initiated from an EC2 (internal company machine). It doesn't specify the target location, local or external, but it will be RDP.
Not D: SG will not block outbound traffic (stateful). SG will not be enough; the EC2 initiates the attack.
C is the simplest and most correct, as FW will block any traffic from/to the EC2.