Chebis26/aws-security-hub
AWS Security Operations Center

Production-grade AWS security operations implementation covering GuardDuty threat detection, Security Hub findings aggregation, Inspector vulnerability management, Macie data classification, and automated incident response via Lambda and EventBridge.

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    Security Tooling Account                      │
│                                                                  │
│  ┌─────────────┐  ┌─────────────┐  ┌──────────┐  ┌─────────┐  │
│  │ GuardDuty   │  │  Inspector  │  │  Macie   │  │ Config  │  │
│  │ (delegated) │  │ (org-wide)  │  │(S3 scan) │  │  Rules  │  │
│  └──────┬──────┘  └──────┬──────┘  └────┬─────┘  └────┬────┘  │
│         └────────────────┴──────────────┴──────────────┘        │
│                              │                                   │
│                    ┌─────────▼──────────┐                        │
│                    │    Security Hub     │                        │
│                    │  (CSPM dashboard)  │                        │
│                    └─────────┬──────────┘                        │
│                              │ EventBridge                       │
│              ┌───────────────┼───────────────┐                  │
│              ▼               ▼               ▼                  │
│       ┌──────────┐  ┌──────────────┐  ┌──────────┐             │
│       │  Lambda  │  │  SNS/Slack   │  │   JIRA   │             │
│       │ Auto-    │  │  Alerting    │  │  Ticket  │             │
│       │ Remediate│  └──────────────┘  └──────────┘             │
│       └──────────┘                                              │
└─────────────────────────────────────────────────────────────────┘

Features

  • GuardDuty — ML-based threat detection across all org accounts, centralized findings
  • Security Hub — CIS AWS Foundations, AWS Foundational Security Best Practices, PCI DSS
  • Inspector — Continuous EC2, Lambda, and ECR vulnerability scanning
  • Macie — S3 sensitive data discovery and classification
  • Automated Response — Lambda auto-remediation for critical findings
  • EventBridge Rules — Route findings to Slack, PagerDuty, JIRA, and SNS
  • Config Rules — 47 managed rules with automated remediation SSM documents
  • Detective — Visual investigation of security findings

Automated Remediation Playbooks

| Finding | Auto-Remediation |
|---|---|
| UnauthorizedAccess:IAMUser/MaliciousIPCaller | Disable IAM user, alert security team |
| CryptoCurrency:EC2/BitcoinTool | Isolate instance, snapshot, notify |
| Stealth:S3/ServerAccessLoggingDisabled | Re-enable server access logging |
| Policy:IAMUser/RootCredentialUsage | Alert immediately, require MFA re-auth |
| UnauthorizedAccess:EC2/SSHBruteForce | Add NACL deny rule, update WAF |
| Backdoor:EC2/C&CActivity | Isolate to quarantine SG, capture memory |
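The routing step behind the table, as an added example that is not code from the Chebis26/aws-security-hub repository: a Lambda-style handler that takes a GuardDuty finding as EventBridge delivers it (`detail-type` "GuardDuty Finding", with `detail.type`, `detail.resource` and `detail.service`), looks up the playbook by finding type, and hands each step to an executor. The native GuardDuty event shape is used because the playbook table is keyed by GuardDuty finding type; the Security Hub-imported variant of the event is not handled here. The `PLAYBOOKS` step names, the `RecordingExecutor`/`BotoExecutor` classes and the sample events are constructed for this example; only the `disable_iam_user` step performs real boto3 calls, and boto3 is imported lazily so the routing logic runs offline.

```python
"""Route a GuardDuty finding to the remediation playbook from the README table.

Added example, not repository code. AWS side effects are confined to
BotoExecutor; RecordingExecutor records (step, target) pairs instead.
"""
import json

# Playbook table from the README, keyed by GuardDuty finding type. Variant
# suffixes such as ".B!DNS" are stripped before lookup so all variants of a
# type share one playbook. Step names are this example's own vocabulary.
PLAYBOOKS = {
    "UnauthorizedAccess:IAMUser/MaliciousIPCaller": ["disable_iam_user", "notify_security"],
    "CryptoCurrency:EC2/BitcoinTool": ["isolate_instance", "snapshot_instance", "notify_security"],
    "Stealth:S3/ServerAccessLoggingDisabled": ["enable_s3_access_logging"],
    "Policy:IAMUser/RootCredentialUsage": ["page_oncall"],  # alert only, no automated change
    "UnauthorizedAccess:EC2/SSHBruteForce": ["nacl_deny_source_ip", "waf_block_source_ip"],
    "Backdoor:EC2/C&CActivity": ["isolate_instance", "capture_memory", "notify_security"],
}
DEFAULT_STEPS = ["notify_security"]  # unmapped finding types still reach a human


def base_type(finding_type):
    """'Backdoor:EC2/C&CActivity.B!DNS' -> 'Backdoor:EC2/C&CActivity'."""
    return finding_type.split(".", 1)[0]


def target_of(detail):
    """The affected resource: IAM user name, instance id, or bucket name."""
    res = detail.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "AccessKey":
        return res["accessKeyDetails"]["userName"]
    if rtype == "Instance":
        return res["instanceDetails"]["instanceId"]
    if rtype == "S3Bucket":
        return res["s3BucketDetails"][0]["name"]
    return None


def source_ip(detail):
    """Remote IP from the finding's action block, for NACL/WAF steps."""
    action = detail.get("service", {}).get("action", {})
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None


class RecordingExecutor:
    """Offline stand-in: records (step, target) instead of calling AWS."""
    def __init__(self):
        self.log = []

    def run(self, step, ctx):
        target = ctx["source_ip"] if step.endswith("_source_ip") else ctx["resource"]
        self.log.append((step, target))
        return True


class BotoExecutor(RecordingExecutor):
    """Implements disable_iam_user with boto3; other steps are only recorded."""
    def run(self, step, ctx):
        if step == "disable_iam_user" and ctx["resource"]:
            import boto3  # deferred so the module imports without boto3 installed
            iam = boto3.client("iam")
            user = ctx["resource"]
            # Deactivate every access key, then attach an explicit deny-all policy.
            for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
                iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            deny_all = {"Version": "2012-10-17",
                        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}
            iam.put_user_policy(UserName=user, PolicyName="SecOpsQuarantine",
                                PolicyDocument=json.dumps(deny_all))
        return super().run(step, ctx)


def route_finding(event, executor):
    """Return the playbook steps run for one GuardDuty EventBridge event."""
    if event.get("detail-type") != "GuardDuty Finding":
        return []
    detail = event["detail"]
    ftype = detail["type"]
    ctx = {"type": ftype, "account": detail.get("accountId"), "region": detail.get("region"),
           "severity": detail.get("severity"), "resource": target_of(detail),
           "source_ip": source_ip(detail)}
    return [step for step in PLAYBOOKS.get(base_type(ftype), DEFAULT_STEPS)
            if executor.run(step, ctx)]


def lambda_handler(event, context):
    taken = route_finding(event, BotoExecutor())
    print(json.dumps({"finding": event.get("detail", {}).get("type"), "actions": taken}))
    return {"actions": taken}


# Constructed sample events; account, user and instance ids are placeholders.
SAMPLE_IAM_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5,
               "accountId": "111111111111", "region": "us-east-1",
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"userName": "example-user"}},
               "service": {"action": {"awsApiCallAction": {
                   "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
}
SAMPLE_C2_EVENT = {
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
               "accountId": "111111111111", "region": "us-east-1",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
               "service": {"action": {"networkConnectionAction": {
                   "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
}
```

Running `route_finding(SAMPLE_C2_EVENT, RecordingExecutor())` yields the three C&C steps with the instance id as target, showing that the `.B!DNS` variant collapses onto the table's base type. Findings with no playbook entry fall through to `DEFAULT_STEPS`, so a newly introduced GuardDuty type is never silently dropped.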

Quick Start

cd terraform/environments/prod
terraform init
terraform plan
terraform apply

Compliance Benchmarks

  • CIS AWS Foundations Benchmark v1.4
  • AWS Foundational Security Best Practices
  • NIST SP 800-53
  • PCI DSS 3.2.1
  • SOC 2 Type II controls

License

MIT License

About

AWS Security Operations: GuardDuty, Security Hub, Inspector, Macie, automated incident response with Lambda and EventBridge
