Common DDoS Layer 4 attacks
SYN floods or NTP amplification attacks
Common DDoS Layer 7 attacks
Floods of GET/POST requests
What CloudTrail Allows
- After-the-fact incident investigation
- Near real-time intrusion detection
- Industry and regulatory compliance
What is CloudTrail
It’s basically CCTV for your AWS account. It logs all API calls made to your AWS account and stores these logs in S3
Against attacks in which layers does Shield protect from?
Shield protects against Layer 3 and Layer 4 attacks only.
What’s Shield used for?
It’s used for DDoS mitigation or protection against Layer 3 and Layer 4 attacks
Shield Advanced cost and advantages
Advanced costs $3.000 USD a month but will give you a dedicated 24/7 DDoS response team
In which layer does WAF operate?
WAF operates at layer 7
What kind of attacks can WAF block?
- Layer 7 DDoS attacks as well as things like SQL injections and cross-site scripting.
- If you need to block access to specific countries or IP addresses you can also achieve this using WAF
Can I block access to specific countries or IP addresses using WAF?
Yes
What does WAF allow?
- Allow all requests except the ones you specify
- Block all requests except the ones you specify
- Count the requests that match the properties you specify
What is Amazon GuardDuty?
GuardDuty is a threat detection service that uses machine learning to continuously monitor for malicious behaviour.
What does GuardDuty do?
- Updates a database of known malicious domains using external deeds from third parties.
- Monitors CloudTrail logs, VPC Flow Logs, and DNS logs.
- Findings appear in the GuardDuty dashboard. CloudWatch Events can be used to trigger a Lambda function to address a threat.
What is Macie?
- Macie uses AI to analise data in S3 and helps identify PII, PHI and financial data.
- Great for HIPAA and GDPR compliance as well as preventing identity theft.
- Macie alerts can be sent to Amazon EventBridge and integrated with your event management systems.
- Automate remediation actions using other AWS services such as Step Functions.
What is Inspector?
It’s used to perform vulnerability scans on both EC2 instances and VPCs: Host assessments and network assetstments. You can run these once or, alternatively, weekly.
