AWS Threat Detection Services

A configuration package to enable AWS threat detection services:

  • Amazon GuardDuty: Continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
  • Amazon Inspector: An automated security assessment service that helps improve the security and compliance of applications deployed on EC2 instances. By default, the Common Vulnerabilities and Exposures (CVE) rules package is configured to run against all EC2 instances every Saturday at midnight. Other rules packages (the template's region mapping also lists CIS, Network, Security and Runtime) and further settings can be customized below.
  • AWS Security Hub: Provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. The CIS AWS Foundations compliance standard is enabled by default.

In addition to the above services, the following additional configuration can be enabled:

  • Email Notifications: Enable notifications for GuardDuty and Security Hub using CloudWatch Event Rules and SNS.
  • Security Hub Prerequisites: To enable Compliance Standards in Security Hub (e.g. CIS AWS Foundations), AWS Config must be enabled as well.

Items: 11
Size: 10.1 KB
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  GuardDuty:
    Type: "AWS::GuardDuty::Detector"
    Properties:
      Enable: true
      DataSources:
        S3Logs:
          Enable: true
  CwEventAutoAssessment:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "InspectorScheduledAssessment"
      Description: "Scheduled trigger for Amazon Inspector Assessment"
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "AssessmentTemplate"
          Id: "AmazonInspectorAssessment"
          RoleArn:
            Fn::GetAtt:
              - "AutoAssessmentIamRole"
              - "Arn"
      # CloudWatch Events / EventBridge cron expressions are evaluated in UTC: every Saturday at 00:00 UTC
      ScheduleExpression: "cron(00 00 ? * SAT *)"
  AssessmentTarget:
    Type: "AWS::Inspector::AssessmentTarget"
    Properties:
      AssessmentTargetName: "Amazon Inspector Targets"
  AssessmentTemplate:
    Type: "AWS::Inspector::AssessmentTemplate"
    Properties:
      AssessmentTargetArn:
        Ref: "AssessmentTarget"
      DurationInSeconds: 3600
      RulesPackageArns:
        - Fn::FindInMap:
            - "RulePackageArn"
            - Ref: "AWS::Region"
            - "CVE"
  AutoAssessmentIamRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "AWS_InspectorEvents_Invoke_Assessment_TemplateIqk"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "events.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns: []
      Policies:
        - PolicyName: "InspectorAssessmentTrigger"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "inspector:StartAssessmentRun"
                Resource: "*"
  SecurityHub:
    Type: "AWS::SecurityHub::Hub"
    Properties: {}
  SnsTopic1:
    Type: "AWS::SNS::Topic"
    Properties:
      Subscription:
        - Endpoint: "email@example.com"
          Protocol: "email"
      TopicName: "sns-topic"
  CwEvent1:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-securityhub-finding"
      Description: "A CloudWatch Event Rule that triggers on AWS Security Hub findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic1"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "Security Hub Findings - Imported"
        source:
          - "aws.securityhub"
  SnsTopicPolicyCwEvent1:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopic1"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopic1"
      Topics:
        - Ref: "SnsTopic1"
  CwEvent2:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-guardduty-finding"
      Description: "A CloudWatch Event Rule that triggers on Amazon GuardDuty findings. The Event Rule can be used to trigger notifications or remediative actions using AWS Lambda."
      State: "ENABLED"
      Targets:
        - Arn:
            Ref: "SnsTopic1"
          Id: "target-id1"
      EventPattern:
        detail-type:
          - "GuardDuty Finding"
        source:
          - "aws.guardduty"
  # Identical to SnsTopicPolicyCwEvent1 and attached to the same topic, so it only re-applies
  # the same policy document; a single TopicPolicy on SnsTopic1 covers both event rules.
  SnsTopicPolicyCwEvent2:
    Type: "AWS::SNS::TopicPolicy"
    Properties:
      PolicyDocument:
        Statement:
          - Sid: "__default_statement_ID"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "SNS:GetTopicAttributes"
              - "SNS:SetTopicAttributes"
              - "SNS:AddPermission"
              - "SNS:RemovePermission"
              - "SNS:DeleteTopic"
              - "SNS:Subscribe"
              - "SNS:ListSubscriptionsByTopic"
              - "SNS:Publish"
              - "SNS:Receive"
            Resource:
              Ref: "SnsTopic1"
            Condition:
              StringEquals:
                AWS:SourceOwner:
                  Ref: "AWS::AccountId"
          - Sid: "TrustCWEToPublishEventsToMyTopic"
            Effect: "Allow"
            Principal:
              Service: "events.amazonaws.com"
            Action: "sns:Publish"
            Resource:
              Ref: "SnsTopic1"
      Topics:
        - Ref: "SnsTopic1"
Parameters: {}
Metadata: {}
Conditions: {}
Mappings:
  RulePackageArn:
    us-west-2:
      CVE: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-9hgA516p"
      CIS: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-H5hpSawc"
      Network: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-rD1z6dpl"
      Security: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-JJOtZiqQ"
      Runtime: "arn:aws:inspector:us-west-2:758058086616:rulespackage/0-vg5GGHSD"
    us-east-1:
      CVE: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gEjTy7T7"
      CIS: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-rExsr2X8"
      Network: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-PmNV0Tcd"
      Security: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-R01qwB5Q"
      Runtime: "arn:aws:inspector:us-east-1:316112463485:rulespackage/0-gBONHN9h"
    us-east-2:
      CVE: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-JnA8Zp85"
      CIS: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-m8r61nnh"
      Network: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-cE4kTR30"
      Security: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-AxKmMHPX"
      Runtime: "arn:aws:inspector:us-east-2:646659390643:rulespackage/0-UCYZFKPV"
    us-west-1:
      CVE: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TKgzoVOa"
      CIS: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-xUY8iRqX"
      Network: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-TxmXimXF"
      Security: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-byoQRFYm"
      Runtime: "arn:aws:inspector:us-west-1:166987590008:rulespackage/0-yeYxlt0x"
    ap-south-1:
      CVE: "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-LqnJE9dO"
      CIS: "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-PSUlX14m"
      Network: "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-YxKfjFu1"
      Security: "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-fs0IZZBj"
      Runtime: "arn:aws:inspector:ap-south-1:162588757376:rulespackage/0-EhMQZy6C"
    ap-southeast-2:
      CVE: "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-D5TGAxiR"
      CIS: "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-Vkd2Vxjq"
      Network: "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-FLcuV4Gz"
      Security: "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-asL6HRgN"
      Runtime: "arn:aws:inspector:ap-southeast-2:454640832652:rulespackage/0-P8Tel2Xj"
    ap-northeast-2:
      CVE: "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoGHMznc"
      CIS: "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-T9srhg1z"
      Network: "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-s3OmLzhL"
      Security: "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-2WRpmi4n"
      Runtime: "arn:aws:inspector:ap-northeast-2:526946625049:rulespackage/0-PoYq7lI7"
    ap-northeast-1:
      CVE: "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT"
      CIS: "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu"
      Network: "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-YI95DVd7"
      Security: "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
      Runtime: "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
    eu-west-1:
      CVE: "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-ubA5XvBh"
      CIS: "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-sJBhCr0F"
      Network: "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SPzU33xe"
      Security: "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-SnojL3Z6"
      Runtime: "arn:aws:inspector:eu-west-1:357557129151:rulespackage/0-lLmwe1zd"
    eu-central-1:
      CVE: "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-wNqHa8M9"
      CIS: "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-nZrAVuv8"
      Network: "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-6yunpJ91"
      Security: "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-ZujVHEPB"
      Runtime: "arn:aws:inspector:eu-central-1:537503971621:rulespackage/0-0GMUM6fg"
    us-gov-east-1:
      CVE: "arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-3IFKFuOb"
      CIS: "arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-pTLCdIww"
      Security: "arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-vlgEGcVD"
      Runtime: "arn:aws-us-gov:inspector:us-gov-east-1:206278770380:rulespackage/0-850TmCFX"
    us-gov-west-1:
      CVE: "arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-4oQgcI4G"
      CIS: "arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-Ac4CFOuc"
      Security: "arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-rOTGqe5G"
      Runtime: "arn:aws-us-gov:inspector:us-gov-west-1:850862329162:rulespackage/0-JMyjuzoW"
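The two notification rules in the template (CwEvent1 and CwEvent2) decide what reaches the SNS topic purely by event pattern. The following is an added example, not part of the template or the site's own code: a small Python matcher for the exact-match and "numeric" subset of the CloudWatch Events/EventBridge pattern language, run over constructed sample findings. It also goes one step beyond the template with an assumed HIGH_SEVERITY_RULE that filters GuardDuty findings by the detail.severity field, which the template does not do.

```python
import operator
# EventPattern values copied from the template's CwEvent1 and CwEvent2 rules.
RULES = {
    "detect-securityhub-finding": {"detail-type": ["Security Hub Findings - Imported"],
                                   "source": ["aws.securityhub"]},
    "detect-guardduty-finding": {"detail-type": ["GuardDuty Finding"],
                                 "source": ["aws.guardduty"]},
}
# Assumed refinement, not in the template: notify only on GuardDuty severity >= 7 (High).
HIGH_SEVERITY_RULE = {"detail-type": ["GuardDuty Finding"], "source": ["aws.guardduty"],
                      "detail": {"severity": [{"numeric": [">=", 7]}]}}
_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">=": operator.ge, ">": operator.gt}
def _numeric_ok(value, spec):
    # spec is [op, n] or [op, n, op, n] (a range); every clause must hold for a real number
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))

def _leaf_matches(event_value, allowed):
    # a pattern leaf is a list of literals or operators; any entry matching any element suffices
    candidates = event_value if isinstance(event_value, list) else [event_value]
    for item in allowed:
        for cand in candidates:
            if isinstance(item, dict) and "numeric" in item:
                if _numeric_ok(cand, item["numeric"]):
                    return True
            elif cand == item:
                return True
    return False

def matches(pattern, event):
    """True when every field named in the pattern exists in the event and matches."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not (isinstance(event[key], dict) and matches(sub, event[key])):
                return False
        elif not _leaf_matches(event[key], sub):
            return False
    return True

def route(event, rules=RULES):
    # names of the rules that would publish this event to the SNS topic
    return [name for name, pattern in rules.items() if matches(pattern, event)]
# Constructed sample events, trimmed to the fields the rules inspect.
GD_HIGH = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 8.0}}
GD_LOW = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {"severity": 2.0}}
SH_IMPORT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
             "detail": {"findings": [{"Severity": {"Label": "HIGH"}}]}}
```

With the template's patterns every GuardDuty finding, including GD_LOW, is published; swapping the GuardDuty rule for HIGH_SEVERITY_RULE drops it while GD_HIGH still fires.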
