Gaining visibility with observability mechanisms
The ability to view the security events that have occurred is just as important as establishing proper security controls. In the security pillar of the AWS Well-Architected Framework, detection best practices include Configure service and application logging and Capture logs, findings, and metrics in standardized locations. To implement these best practices, you must record the information that helps you identify events and then process that information into a human-consumable format, ideally in a centralized location.
This guide recommends that you use Amazon Simple Storage Service (Amazon S3) to centralize log data. Amazon S3 supports log storage for both AWS Network Firewall and Amazon Route 53 Resolver DNS Firewall. Then, you use AWS Security Hub CSPM and Amazon Security Lake to centralize the Amazon GuardDuty findings and other security findings into a single location.
Logging network traffic
The Automating preventative and detective security controls section of this guide describes using AWS Network Firewall and Amazon Route 53 Resolver DNS Firewall to automate responses to cyber threat intelligence (CTI). We recommend that you configure logging for both of these services. You can then build detective controls that monitor the log data and alert you when traffic to or from a restricted domain or IP address reaches the firewall, whether the firewall blocked it or only alerted on it.
When configuring these resources, consider your individual logging requirements. For instance, Network Firewall logs only the traffic that you forward to the stateful rules engine, and it writes two kinds of logs: alert logs, which record traffic that matched a stateful rule whose action is alert, drop, or reject, and flow logs, which record every flow that the stateful engine inspected. Detecting CTI matches needs the alert logs; flow logs add surrounding context at higher volume and cost. We recommend that you follow a zero-trust model and forward all traffic to the stateful rules engine. However, if you want to reduce costs, you can exclude traffic that your organization trusts from stateful inspection, at the price of having no log record of it.
Both Network Firewall and DNS Firewall support logging to Amazon S3. DNS Firewall doesn't produce a separate log: its rule matches are recorded as additional fields (the firewall rule action, rule group ID, and domain list ID) in the Route 53 Resolver query logs, so you enable Resolver query logging for the VPCs that your DNS Firewall rule groups are associated with. For more information about setting up logging for these services, see Logging network traffic from AWS Network Firewall and Configuring logging for DNS Firewall. For both services, you can configure logging to an Amazon S3 bucket through the AWS Management Console.
Centralizing security findings in AWS
AWS Security Hub CSPM provides a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices. Security Hub CSPM can generate findings that are associated with your security controls. It can also receive findings from other AWS services, such as Amazon GuardDuty. You can use Security Hub CSPM to centralize findings and data from across your AWS accounts, AWS services, and supported third-party products. For more information about integrations, see Understanding integrations in Security Hub CSPM in the Security Hub CSPM documentation.
Security Hub CSPM also includes automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also use the integration with Amazon EventBridge to initiate automatic responses to specific findings. For more information, see Automatically modifying and acting on Security Hub CSPM findings in the Security Hub CSPM documentation.
If you use Amazon GuardDuty, we recommend that you configure GuardDuty to send its findings to Security Hub CSPM. Security Hub CSPM can then include those findings in its analysis of your security posture. For more information, see Integrating with AWS Security Hub CSPM in the GuardDuty documentation.
For both Network Firewall and Route 53 Resolver DNS Firewall, you can create custom findings from the network traffic that you're logging. Amazon Athena is an interactive query service that helps you analyze data directly in Amazon S3 by using standard SQL. You can construct queries in Athena that scan the logs in Amazon S3 and extract the relevant data. For instructions, see Getting Started in the Athena documentation. Then, you can use an AWS Lambda function to convert the relevant log data into AWS Security Finding Format (ASFF) and send the finding to Security Hub CSPM. The following is a sample Lambda function that converts log data from Network Firewall into a Security Hub CSPM finding:
import { SecurityHubClient, BatchImportFindingsCommand } from "@aws-sdk/client-securityhub";

// Values to supply for your environment. AWS_REGION is set by the Lambda runtime.
const REGION = process.env.AWS_REGION;
const ACCOUNTID = process.env.ACCOUNT_ID;
// Findings that you import yourself must use the account's default product ARN.
const PRODUCTARN = `arn:aws:securityhub:${REGION}:${ACCOUNTID}:product/${ACCOUNTID}/default`;
// Id must be unique per finding, for example the S3 key of the alert log record.
const ALERTLOGS3BUCKETID = process.env.ALERT_LOG_S3_OBJECT_KEY;

export const handler = async (event) => {
  const date = new Date().toISOString();
  const input = {
    Findings: [
      {
        SchemaVersion: "2018-10-08",
        Id: ALERTLOGS3BUCKETID,
        ProductArn: PRODUCTARN,
        GeneratorId: "alertlogs-to-findings",
        AwsAccountId: ACCOUNTID,
        Types: ["Unusual Behaviors/Network Flow/Alert"], // ASFF expects an array of type strings
        CreatedAt: date,
        UpdatedAt: date,
        Severity: { Normalized: 80, Product: 8 },
        Confidence: 100,
        Title: "Alert Log to Findings",
        Description: "Network Firewall Alert Log into Finding - add top level dynamic detail",
        Resources: [
          {
            // Every resource needs Type and Id; put the deeper event details in Details.Other
            Type: "Other",
            Id: "Example Name",
            Details: { Other: { firewallName: "Example Name", event: "Example details here" } },
          },
        ],
      },
    ],
  };
  const client = new SecurityHubClient({ region: REGION });
  const response = await client.send(new BatchImportFindingsCommand(input));
  return { statusCode: 200, response };
};
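The sample above leaves the conversion itself to the reader. The following block is an added example, not code from the AWS guide, that fills in that step for both log types the guide logs to Amazon S3: it parses Network Firewall alert records and Route 53 Resolver query records (one JSON object per line), keeps the ones that involve a restricted domain or IP address, and returns complete ASFF findings. The account ID, Region, resource IDs, CTI indicator lists and log records are all constructed for the example; the field names follow the two services' documented log formats. The functions return the objects that you would pass as Findings to BatchImportFindingsCommand; the SDK call is left out so that the block runs offline.

```javascript
// Added example, not code from the AWS guide: convert Network Firewall alert log
// records and Route 53 Resolver query log records (one JSON object per line, as
// stored in S3) into ASFF findings for Security Hub CSPM. The account ID, Region,
// resource IDs, CTI indicators and log records below are all constructed.
const ACCOUNT_ID = "111122223333";
const REGION = "us-east-1";
// Findings that you import yourself must carry the account's default product ARN.
const PRODUCT_ARN = `arn:aws:securityhub:${REGION}:${ACCOUNT_ID}:product/${ACCOUNT_ID}/default`;

// Constructed CTI indicators: the restricted domains and IPs the guide refers to.
const RESTRICTED_DOMAINS = new Set(["malicious.example.com"]);
const RESTRICTED_IPS = new Set(["203.0.113.10"]);
const BLOCKING_ACTIONS = new Set(["blocked", "BLOCK"]);

// Constructed Network Firewall alert records (Suricata-style alert nested under
// "event"). The second fired an alert-only rule, so that flow was allowed through.
const NFW_ALERT_LINES = [
  JSON.stringify({ firewall_name: "cti-firewall", availability_zone: "us-east-1a",
    event_timestamp: "1700000000", event: { timestamp: "2023-11-14T22:13:20.000000+0000",
      flow_id: 1234567890, event_type: "alert", src_ip: "10.0.1.25", src_port: 51234,
      dest_ip: "203.0.113.10", dest_port: 443, proto: "TCP",
      alert: { action: "blocked", signature_id: 1001, rev: 1, signature: "CTI blocked IP", category: "", severity: 1 } } }),
  JSON.stringify({ firewall_name: "cti-firewall", availability_zone: "us-east-1a",
    event_timestamp: "1700000005", event: { timestamp: "2023-11-14T22:13:25.000000+0000",
      flow_id: 1234567891, event_type: "alert", src_ip: "10.0.1.30", src_port: 51300,
      dest_ip: "203.0.113.10", dest_port: 80, proto: "TCP",
      alert: { action: "allowed", signature_id: 1002, rev: 1, signature: "CTI watch IP", category: "", severity: 2 } } }),
];

// Constructed Resolver query log records. DNS Firewall has no separate log: a rule
// match appears as firewall_rule_* fields on the query record. The second record has
// no such fields but resolves a listed domain that was never added to the domain list.
const DNS_LINES = [
  JSON.stringify({ version: "1.100000", account_id: ACCOUNT_ID, region: REGION,
    vpc_id: "vpc-0123456789abcdef0", query_timestamp: "2023-11-14T22:13:21Z",
    query_name: "malicious.example.com.", query_type: "A", query_class: "IN", rcode: "NXDOMAIN",
    answers: [], srcaddr: "10.0.1.25", srcport: "40000", transport: "UDP",
    srcids: { instance: "i-0123456789abcdef0" }, firewall_rule_action: "BLOCK",
    firewall_rule_group_id: "rslvr-frg-0123456789abcdef0", firewall_domain_list_id: "rslvr-fdl-0123456789abcdef0" }),
  JSON.stringify({ version: "1.100000", account_id: ACCOUNT_ID, region: REGION,
    vpc_id: "vpc-0123456789abcdef0", query_timestamp: "2023-11-14T22:14:02Z",
    query_name: "malicious.example.com.", query_type: "A", query_class: "IN", rcode: "NOERROR",
    answers: [{ Rdata: "198.51.100.7", Type: "A", Class: "IN" }], srcaddr: "10.0.1.30",
    srcport: "40001", transport: "UDP", srcids: { instance: "i-0abcdef0123456789" } }),
];

// A block is a confirmed CTI hit the control handled; traffic that reached or resolved
// a restricted indicator without a block is a control gap and is ranked higher.
function severityFor(action) {
  return BLOCKING_ACTIONS.has(action) ? { Label: "MEDIUM", Normalized: 40 }
                                      : { Label: "HIGH", Normalized: 70 };
}
// Fields every ASFF finding needs; Title, Description and Resources are set by the caller.
function baseFinding(id, generatorId, accountId, type, action) {
  const now = new Date().toISOString();
  return { SchemaVersion: "2018-10-08", Id: id, ProductArn: PRODUCT_ARN, GeneratorId: generatorId,
    AwsAccountId: accountId, Types: [type], CreatedAt: now, UpdatedAt: now, Severity: severityFor(action) };
}

function nfwAlertToFinding(line) {
  const rec = JSON.parse(line);
  const ev = rec.event;
  if (ev.event_type !== "alert") return null;              // flow records carry no alert
  const action = ev.alert.action;
  // Deterministic Id: re-importing the same log updates the finding instead of duplicating it.
  const f = baseFinding(`nfw/${rec.firewall_name}/${ev.flow_id}/${ev.timestamp}`,
    "alertlogs-to-findings", ACCOUNT_ID, "Unusual Behaviors/Network Flow", action);
  f.Title = `Network Firewall ${action}: ${ev.src_ip} -> ${ev.dest_ip}:${ev.dest_port} (${ev.alert.signature})`;
  f.Description = `Rule ${ev.alert.signature_id} rev ${ev.alert.rev} matched ${ev.proto} flow `
    + `${ev.src_ip}:${ev.src_port} -> ${ev.dest_ip}:${ev.dest_port} in ${rec.availability_zone}.`;
  f.Resources = [{ Type: "Other", Id: `firewall/${rec.firewall_name}`, Region: REGION,
    Details: { Other: { action, destIp: ev.dest_ip, onCtiList: String(RESTRICTED_IPS.has(ev.dest_ip)) } } }];
  return f;
}

function dnsLogToFinding(line) {
  const rec = JSON.parse(line);
  const domain = rec.query_name.replace(/\.$/, "");         // log names carry a trailing dot
  const action = rec.firewall_rule_action;                  // absent when no rule matched
  if (!action && !RESTRICTED_DOMAINS.has(domain)) return null;   // ordinary query, no finding
  const f = baseFinding(`dnsfw/${rec.vpc_id}/${rec.query_timestamp}/${rec.srcaddr}/${domain}`,
    "dnslogs-to-findings", rec.account_id, "TTPs/Command and Control", action ?? "ALLOW");
  f.Title = action ? `DNS Firewall ${action}: ${domain}`
                   : `Restricted domain ${domain} resolved with no DNS Firewall rule`;
  f.Description = `${rec.srcaddr} queried ${domain} (${rec.query_type}) from ${rec.vpc_id}; rcode ${rec.rcode}.`;
  const inst = rec.srcids?.instance;                        // point the finding at the querying instance
  f.Resources = [inst
    ? { Type: "AwsEc2Instance", Id: `arn:aws:ec2:${rec.region}:${rec.account_id}:instance/${inst}`, Region: rec.region }
    : { Type: "Other", Id: `vpc/${rec.vpc_id}`, Region: rec.region }];
  return f;
}

function buildFindings(nfwLines, dnsLines) {
  return [...nfwLines.map(nfwAlertToFinding), ...dnsLines.map(dnsLogToFinding)].filter((f) => f !== null);
}
// BatchImportFindings takes at most 100 findings per call; each element is one command input.
function batches(findings, size = 100) {
  const out = [];
  for (let i = 0; i < findings.length; i += size) out.push({ Findings: findings.slice(i, i + size) });
  return out;
}

console.log(JSON.stringify(batches(buildFindings(NFW_ALERT_LINES, DNS_LINES)), null, 2));
```

Two design choices are worth keeping when you adapt this. The finding Id is derived from the log record rather than from a random value, so re-running the Lambda function over a log object you already processed updates the existing findings instead of creating duplicates. Severity is driven by what the firewall did, not only by whether an indicator matched: a blocked flow or query is evidence that the control worked, while an allowed flow to a restricted IP, or a restricted domain that resolved because it was never added to the domain list, is a gap that deserves the higher rating.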
The pattern that you follow for extracting and sending information to Security Hub CSPM depends on your individual business needs. If you need the data to be sent on a regular schedule, you can use an EventBridge scheduled rule to initiate the process; if you want each log object processed as soon as it is written, you can have Amazon S3 send an event notification that invokes the Lambda function. If you want to receive an alert when the information is added, you can use Amazon Simple Notification Service (Amazon SNS). There are many ways to approach this architecture, so plan it against your detection and response requirements before you build it.
Integrating AWS security data with other enterprise data
Amazon Security Lake can automate the collection of security-related log and event data from integrated AWS services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF). With OCSF support, Security Lake normalizes and combines security data from AWS and a broad range of enterprise security data sources. Other AWS services and third-party services can subscribe to the data that's stored in Security Lake for incident response and security data analytics.
You can configure Security Lake to receive findings from Security Hub CSPM. To activate this integration, you must enable both services and add Security Hub CSPM as a source in Security Lake. Once you complete these steps, Security Hub CSPM begins to send all findings to Security Lake. Security Lake automatically normalizes Security Hub CSPM findings and converts them to OCSF. In Security Lake, you can add one or more subscribers to consume Security Hub CSPM findings. For more information, see Integration with AWS Security Hub CSPM in the Security Lake documentation.
The following video, AWS re:Inforce 2024 - Cyber threat intelligence sharing on AWS