Thursday, March 28, 2024

Managing Threat Detection with Amazon GuardDuty

For those unfamiliar with Amazon GuardDuty, it is a fully managed, intelligent threat-detection service, powered by machine learning, that continually provides insights into unusual or unexpected behavioral patterns within your account that could be considered malicious. Amazon GuardDuty can process and analyze millions of events captured through your AWS CloudTrail logs, DNS logs, and VPC Flow Logs from a single account or from multiple accounts. These events are then checked against numerous threat intelligence feeds, many of which contain known sources of malicious activity, including specific URLs and IP addresses.

Amazon GuardDuty continually learns from the day-to-day operations within your account to differentiate between normal behavior and what could be considered abnormal behavior, allowing it to effectively indicate a threat within your infrastructure. This behavior-based analysis allows GuardDuty to detect potential interactions and connectivity with unknown or unusual sources.

Being an always-on service, GuardDuty provides a very effective method of automatically identifying security issues without impacting performance. The service runs entirely on AWS infrastructure without needing local agents. Any findings GuardDuty generates are presented to you as a prioritized list.

There are no upfront costs to enable GuardDuty. It can intelligently detect security threats without hindering the performance of your infrastructure, regardless of size, and it provides centralized management by aggregating data from multiple AWS accounts. These factors make GuardDuty a very effective tool for protecting your AWS resources and any stored data.

GuardDuty is enabled in your account with a single click. There are no extra applications to install or agents to deploy on the network; it simply starts monitoring your environment once you enable the service.

Key Features of GuardDuty

As a managed threat detection service, GuardDuty provides the following key features:

• One-click activation with no impact on either architecture or performance

• Constant monitoring of your AWS resources and accounts, including users and roles

• Global coverage with results categorized regionally

• The ability to detect intel-based known threats

• The ability to detect behavior-based unknown threats through machine learning

• The ability to manage security across accounts, using a single security account through linking, so that the security team can see all threats in a single place

Now that you have an idea of the key features that GuardDuty offers, the next sections will help you dive deeper into those features.
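To show what the prioritized, per-account and per-Region view described above looks like in practice, here is an added example (not code from the original post) that triages GuardDuty-style findings. It is written against the field names of the GuardDuty GetFindings response, but the findings themselves are constructed sample data, not output from a real account.

```python
# Triage constructed GuardDuty findings the way the service presents them:
# highest severity first, then categorized by account and Region.
# Added example written against field names of the GuardDuty GetFindings
# response (AccountId, Region, Severity, Type); the findings are constructed
# sample data, not output from a real account.
from collections import defaultdict


def severity_label(score):
    """Map GuardDuty's numeric severity to its Low/Medium/High band."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


# Constructed sample findings, trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {"AccountId": "111111111111", "Region": "us-east-1", "Severity": 2.0,
     "Type": "Recon:EC2/PortProbeUnprotectedPort"},
    {"AccountId": "222222222222", "Region": "eu-west-1", "Severity": 8.0,
     "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"},
    {"AccountId": "111111111111", "Region": "us-east-1", "Severity": 5.0,
     "Type": "Trojan:EC2/DNSDataExfiltration"},
]


def prioritize(findings):
    """Return findings most severe first, each tagged with its band."""
    ranked = sorted(findings, key=lambda f: f["Severity"], reverse=True)
    return [dict(f, Band=severity_label(f["Severity"])) for f in ranked]


def by_account_region(findings):
    """Group finding types per (account, Region): the single-pane view the
    linked security account gets once member accounts are associated."""
    groups = defaultdict(list)
    for f in prioritize(findings):
        groups[(f["AccountId"], f["Region"])].append(f["Type"])
    return dict(groups)


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f['Band']:<6} {f['Severity']:>4} {f['AccountId']} {f['Region']} {f['Type']}")
```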


Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Tuesday, March 5, 2024

Amazon Cognito Identity pools

The second primary component of Amazon Cognito is identity pools. These pools serve as a means to access AWS services by providing the necessary credentials. Through an identity pool, you can generate unique identities for your users, granting them temporary access credentials to AWS services.

Examining the workflow depicted in Figure 15.2, you will observe that the user initiates the login process (typically through an application on their device) using a web-based IdP. After successful authentication with the web IdP, a GetId request is sent to Amazon Cognito for validation.

Subsequently, the application proceeds with a GetCredentialsForIdentity request. Cognito, once again, validates this request. At this stage, Cognito communicates with Security Token Service (STS), obtaining a short-lived token for the authorized services associated with the application. Finally, Cognito returns the acquired token to the application, as illustrated in the following diagram:

Figure 15.2: Authorization flow of a Cognito identity pool
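The GetId and GetCredentialsForIdentity exchange from the diagram, as an added example that is not part of the original post. It is written against the boto3 cognito-identity client's method names and keyword arguments, but the client is injected, so it runs offline against a constructed stand-in; the pool id, IdP name and token are placeholders, not values from a real account.

```python
# Two-step Cognito identity pool exchange: GetId, then GetCredentialsForIdentity.
# Written against the boto3 'cognito-identity' client method names and keyword
# arguments; the client is injected so the flow runs offline against the
# constructed FakeCognitoIdentity below (no network, no real account).
from datetime import datetime, timedelta, timezone

# Constructed/assumed values, not from any real account.
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
IDP_NAME = "accounts.google.com"        # key of the web IdP in the Logins map
IDP_TOKEN = "<id-token-from-web-idp>"   # placeholder for the IdP's token


class FakeCognitoIdentity:
    """Constructed stand-in that returns API-shaped responses."""

    def get_id(self, IdentityPoolId, Logins):
        if IdentityPoolId != IDENTITY_POOL_ID or IDP_NAME not in Logins:
            raise PermissionError("NotAuthorizedException (constructed)")
        return {"IdentityId": "us-east-1:11111111-2222-3333-4444-555555555555"}

    def get_credentials_for_identity(self, IdentityId, Logins):
        # The real service calls STS here and returns temporary credentials.
        return {"IdentityId": IdentityId, "Credentials": {
            "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
            "SecretKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": datetime.now(timezone.utc) + timedelta(hours=1)}}


def get_temporary_credentials(client, pool_id, idp, token):
    """Run the flow from the diagram; return (identity_id, credentials)."""
    logins = {idp: token}
    identity_id = client.get_id(IdentityPoolId=pool_id, Logins=logins)["IdentityId"]
    resp = client.get_credentials_for_identity(IdentityId=identity_id, Logins=logins)
    creds = resp["Credentials"]
    # Credentials are short-lived: reject anything already expired.
    if creds["Expiration"] <= datetime.now(timezone.utc):
        raise RuntimeError("Cognito returned expired credentials")
    return identity_id, creds


def seconds_remaining(creds):
    """Seconds until the temporary credentials expire, for refresh scheduling."""
    return (creds["Expiration"] - datetime.now(timezone.utc)).total_seconds()


if __name__ == "__main__":
    ident, creds = get_temporary_credentials(
        FakeCognitoIdentity(), IDENTITY_POOL_ID, IDP_NAME, IDP_TOKEN)
    print(ident, creds["AccessKeyId"], int(seconds_remaining(creds)), "s left")
```

With a real boto3 client (`boto3.client("cognito-identity")`) in place of the stand-in, the same function performs the live exchange, and the returned credentials are only as broad as the IAM role attached to the pool.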

Thant Zin Phyo@Cracky (MCT, MCE, MVP)

Sunday, March 3, 2024

Important announcement for Microsoft IT Professionals!

Starting March 30, 2024, Microsoft will deprecate the following three PowerShell modules:

1. Azure AD
2. Azure AD-Preview
3. MS Online

How this will affect your organization:

This change will affect your organization if you use any of these PowerShell modules.

What you need to do to prepare:

If you are currently using any of the deprecated modules, you will need to take action before March 30, 2024.
Create a list of your scripts and upgrade them to Microsoft Graph APIs and Microsoft Graph PowerShell SDK to ensure continued support and functionality.

What happens after March 30, 2024:

After this date, the only support offered for these PowerShell modules will be support in migrating to Microsoft Graph PowerShell SDK. Only security fixes will be offered for these PowerShell modules after deprecation is announced. Once these modules are deprecated, they will continue to work for a minimum of six (6) months before being retired.


Thant Zin Phyo@Cracky (MCT, MCE, MVP)