Data protection in AMS - AMS Advanced User Guide
Amazon MacieGuardDutyAmazon Route 53 Resolver DNS FirewallAWS Certificate Manager (ACM) certificateData encryption in AMS

Data protection in AMS

AMS continuously monitors your managed accounts by leveraging native AWS services such as Amazon GuardDuty, Amazon Macie (optionally), and other internal proprietary tools and processes. After an alarm is triggered, AMS assumes responsibility for the initial triage and response to the alarm. Our response processes are based on NIST standards. AMS regularly tests its response processes using Security Incident Response Simulation with you to align your workflow with existing customer security response programs.

When AMS detects any violation, or imminent threat of violation, of AWS or your security policies, we gather information, including impacted resources and any configuration-related changes. AMS provides 24/7/365 follow-the-sun support with dedicated operators actively reviewing and investigating monitoring dashboards, incident queue, and service requests across all of your managed accounts. AMS investigates the findings with our security experts to analyze the activity and notify you through the security escalation contacts listed in your account.

Based on our findings, AMS engages with you proactively. If you believe the activity is unauthorized or suspicious, AMS works with you to investigate and remediate or contain the issue. There are certain finding types generated by GuardDuty that require you to confirm the impact before AMS is able to take any action. For example, the GuardDuty finding type UnauthorizedAccess:IAMUser/ConsoleLogin, indicates that one of your users has logged in from an unusual location; AMS notifies you and asks that you review the finding to confirm if this behavior is legitimate.

Amazon Macie

AWS Managed Services recommends that you use Macie to detect a large and comprehensive list of sensitive data, such as personal health information (PHI), personally identifiable information (PII), and financial data.

Macie can be configured to run periodically on any Amazon S3 bucket, automating the evaluation of any new or modified objects within a bucket over time. As security findings are generated, AMS will notify you and work with you to remediate as needed.

For more information, see Analyzing Amazon Macie findings.

Amazon Macie security

Macie is an artificial intelligence/AI powered security service that helps you prevent data loss by automatically discovering, classifying, and protecting sensitive data stored in AWS. Macie uses machine learning to recognize sensitive data such as personally identifiable information (PII) or intellectual property, assigns a business value, and provides visibility into where this data is stored and how it is being used in your organization. Macie continuously monitors data access activity for anomalies, and delivers alerts when it detects risk of unauthorized access or inadvertent data leaks. Macie service supports Amazon S3 and AWS CloudTrail data sources.

AMS continuously monitors for alerts from Macie and, if alerted, takes quick actions to protect your resources and account. With the addition of Macie to the list of services AMS supports, we are also now responsible for enabling and configuring Macie in all of your accounts, per your instructions. You can view Macie alerts and our actions as they unfold in the AWS console or supported integrations. During account onboarding, you can indicate accounts that you use to store PII. For all new accounts with PII, we recommend using Macie. For existing accounts with PII, contact us and we will turn it on in your account. As a result, you can have an added layer of protection available and enjoy all the benefits of Macie in your AWS environment managed by AMS.

AMS Macie FAQs

  • Why do I need Macie when all AMS accounts have Trend Micro and GuardDuty enabled?

    Macie helps you protect your data in Amazon S3 by helping you classify what data you have, the value that data has to the business, and the behavior associated with access to that data. Amazon GuardDuty provides broad protection of your AWS accounts, workloads, and data by helping to identify threats such as threat actor reconnaissance, instance issue, and problematic account activity. Both services incorporate user behavior analysis, machine learning, and anomaly detection to detect threats in their respective categories. Trend Micro does not focus on identifying PII and threats from them.

  • How do I turn Macie on in my AMS account?

    If you have PII/PHI stored in your accounts or are planning to store it, contact your CSDM or raise a service request to enable Macie for your new or existing accounts managed by AMS.

  • What are the cost implications of enabling Macie in my AMS account?

    Macie pricing works for AMS similar to other services such as Amazon Elastic Compute Cloud (Amazon EC2). You pay for Amazon Macie based on usage and an AMS uplift based on your SLAs. Macie fees are based on usage, see Amazon Macie Pricing, measured based on AWS CloudTrail events and Amazon S3 storage. Please note that Macie charges tend to flatten out from the second month after it's enabled because it charges based on incremental data added to Amazon S3 buckets.

To learn more about Macie, see Amazon Macie.

GuardDuty

GuardDuty is a continuous security monitoring service that uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses, or domains. GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a Region that has never been used, or unusual API calls, like a password policy change to reduce password strength. For more information, refer to the GuardDuty User Guide.

To view and analyze your GuardDuty findings, use the following procedure.

  1. Open the GuardDuty console.

  2. Choose Findings, and then choose a specific finding to view details. The details for each finding differ depending on the finding type, resources involved, and nature of the activity.

For more information on available finding fields, see GuardDuty finding details.

GuardDuty security

Amazon GuardDuty offers threat detection that enables you to continuously monitor and protect your AWS accounts and workloads. Amazon GuardDuty analyzes continuous streams of meta-data generated from your account and network activity found in AWS CloudTrail Events, Amazon VPC flow logs, and Domain Name System (DNS) logs. It also uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately. GuardDuty is a monitored AMS service. To learn more about Amazon GuardDuty monitoring, see GuardDuty monitoring. To learn more about GuardDuty, see Amazon GuardDuty.

All new AMS accounts have GuardDuty enabled by default. AMS configures GuardDuty during account onboardings. You can submit change requests to modify the settings at any time. GuardDuty pricing works for AMS similarly to other services such as Amazon Elastic Compute Cloud (Amazon EC2). You pay for GuardDuty based on usage and an AMS uplift based on your SLAs. GuardDuty fees are based on usage (Amazon GuardDuty Pricing), measured based on AWS CloudTrail events and volume of your Amazon VPC Flow log.

For GuardDuty in AMS, the following primary detection categories are enabled:

  • Reconnaissance -- Activity suggesting reconnaissance by a threat actor, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.

  • Instance issue -- Problematic instance activity, such as cryptocurrency mining, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.

  • Account activity -- Common patterns indicative of account activity include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, unusual instance or infrastructure launches, infrastructure deployments in an unusual AWS Region, and API calls from known malicious IP addresses.

AMS uses GuardDuty in your managed accounts to continuously monitor for findings and alerts from GuardDuty and, if alerted, AMS operations takes proactive actions to protect your resources and account. You can view GuardDuty findings and our actions as they unfold in the AWS console or supported integrations.

GuardDuty works with Trend Micro Deep Security Manager in your account. Trend Micro Deep Security Manager provides host-based Intrusion Detection / Intrusion Prevention services. Trend Micro Web Reputation services have some overlap with GuardDuty in the ability to detect when a host is attempting to communicate with a host or web service known to be a threat. However, GuardDuty provides additional threat detection categories and accomplishes this by monitoring network traffic, a method which is complementary to Trend Micro's host-based detection. Network-based threat detection allows for increased security by not allowing controls to fail if the host has been exhibiting problematic behavior. AMS recommends using GuardDuty in all your AMS accounts.

To learn more about Trend Micro, see Trend Micro Deep Security Help Center; note that non-Amazon links may change without notice to us.

GuardDuty monitoring

GuardDuty informs you of the status of your AWS environment by producing security findings that AMS captures and can alert on.

Amazon GuardDuty monitors the security of your AWS environment by analyzing and processing VPC flow logs, AWS CloudTrail event logs, and Domain Name System logs. You can expand this monitoring scope by configuring GuardDuty to also use your own custom, trusted IP lists, and threat lists.

  • Trusted IP lists consist of IP addresses that you have allowed for secure communication with your AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per region.

  • Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per region.

To implement GuardDuty, use the AMS CT Deployment | Monitoring and notification | GuardDuty IP set | Create (ct-08avsj2e9mc7g) to create a set of approved IP addresses. You can also use the AMS CT Deployment | Monitoring and notification | GuardDuty threat intel set | Create (ct-25v6r7t8gvkq5) to create a set of denied IP addresses.

For a list of the services that AMS monitors, see What does the AMS monitoring system monitor?.

Amazon Route 53 Resolver DNS Firewall

Amazon Route 53 Resolver responds recursively to DNS queries from AWS resources for public records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in all VPCs. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. For more information, see Using DNS Firewall to filter outbound DNS traffic.

To view and manage your Route 53 Resolver DNS Firewall configuration, use the following procedure:

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Under DNS Firewall, choose Rule groups.

  3. Review, edit, or delete your existing configuration, or create a new rule group. For more information, see How Route 53 Resolver DNS Firewall works.

Amazon Route 53 Resolver DNS Firewall monitoring and security

Amazon Route 53 DNS Firewall uses the concepts of rule associations, rule action, and rule evaluation priority. A domain list is a reusable set of domain specifications that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domain lists that are used in the rules. If DNS Firewall finds a match, then it handles the DNS query according to the matching rule's action. For more information about rule groups and rules, see DNS Firewall rule groups and rules.

Domain lists fall into two main categories:

  • Managed domain lists, that AWS creates and maintains for you.

  • Your own domain lists, that you create and maintain.

Rule groups are evaluated based on their association priority index.

By default, AMS deploys a baseline configuration that consists of the following rule and rule group:

  • One rule group named DefaultSecurityMonitoringRule. The rule group has the highest association priority that's available at the time of creation for each existing VPC in each enabled AWS Region.

  • One rule named DefaultSecurityMonitoringRule with priority 1 within the DefaultSecurityMonitoringRule rule group, using the AWSManagedDomainsAggregateThreatList Managed Domain list with action ALERT.

If you have an existing configuration, the baseline configuration is deployed with lower priority than your existing configuration. Your existing configuration is the default. You use the AMS baseline configuration as a catch-all if your existing configuration doesn't provide a higher priority instruction on how to handle query resolution. To alter or remove the baseline configuration, do one of the following:

If your account is operated in Developer mode or Direct Change mode, you can perform the changes yourself.

AWS Certificate Manager (ACM) certificate

AMS has a CT, Deployment | Advanced stack components | ACM certificate with additional SANs | Create (ct-3l14e139i5p50), that you can use to submit a request for an AWS Certificate Manager certificate, with up to five additional Subject alternative names (SAN) (such as example.com, example.net, and example.org). For details, see What Is AWS Certificate Manager? and ACM Certificate Characteristic.

Note

This timeout setting isn't just about the run, but also your validation of the ACM certificate through email validation. Without your validation, the RFC fails.

Data encryption in AMS

AMS uses several AWS services for data encryption, notably Amazon Simple Storage Service, AWS Key Management Service (AWS KMS), Amazon Elastic Block Store, Amazon Relational Database Service, Amazon Redshift, Amazon ElastiCache, AWS Lambda, and Amazon OpenSearch Service.

Amazon S3

Amazon S3 offers several object encryption options that protect data in transit and at rest. Server-side encryption encrypts your object before saving it on disks in its data centers and then decrypts it when you download the objects. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For more information, see Data protection in Amazon S3.

Amazon EBS

With Amazon EBS encryption, you don't need to build, maintain, and secure your own key management infrastructure. Amazon EBS encryption uses AWS KMS keys when creating encrypted volumes and snapshots. Encryption operations occur on the servers that host Amazon EC2 instances. This is done to make sure that both data-at-rest and data-in-transit between an instance and its attached Amazon EBS storage is secure. You can attach both encrypted and unencrypted volumes to an instance simultaneously. For more information, see Amazon EBS Encryption.

Amazon RDS

Amazon RDS can encrypt your Amazon RDS DB instances. Data that's encrypted at rest includes the underlying storage for DB instances, its automated backups, read replicas, and snapshots. Amazon RDS-encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption. For more information, see Encrypting Amazon RDS resources.

Amazon Simple Queue Service

In addition to the default Amazon SQS managed server-side encryption (SSE) option, Amazon SQS-managed SSE (SSE-SQS) allows you to create custom managed server-side encryption that uses Amazon SQS-managed encryption keys to protect sensitive data that's sent over message queues. Server-side encryption (SSE) allows you to transmit sensitive data in encrypted queues. SSE protects the content of messages in queues using Amazon SQS-managed encryption keys (SSE-SQS) or keys that are managed in AWS KMS (SSE-KMS). For information about managing SSE using the AWS Management Console, see Encryption at rest.

Data encryption at rest

OpenSearch Service domains offer encryption of data at rest, a security feature that helps prevent unauthorized access to your data. The feature uses AWS Key Management Service (AWS KMS) to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys(AES-256) to perform the encryption. For more information, see Encryption of Data at Rest for Amazon OpenSearch Service.

Key management

AWS KMS is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions. For more information, see What is AWS Key Management Service?