Today I am pleased to announce that Amazon GuardDuty Extended Threat Detection now has expanded coverage for Amazon Elastic Kubernetes Service (Amazon EKS), building on the capabilities we introduced at AWS re:Invent 2024 with the launch of Amazon GuardDuty Extended Threat Detection.
Security teams managing Kubernetes workloads often struggle to detect sophisticated multi-stage attacks that target containerized applications. These attacks may include container exploitation, privilege escalation, and lateral movement within Amazon EKS clusters. Traditional monitoring approaches can detect individual suspicious events, but they often miss the broader attack pattern that spans these different data sources and time periods.
Extended Threat Detection introduces a new critical-severity finding type that automatically correlates security signals across EKS audit logs, runtime processes in EKS clusters, malware in EKS clusters, and AWS API activity to identify sophisticated attack patterns that might otherwise go unnoticed. For example, GuardDuty can now detect attack sequences in which an actor exploits a container application, obtains the tokens of a privileged service account, and then uses those elevated permissions to access sensitive Kubernetes or AWS resources.
This new capability uses GuardDuty's correlation algorithms to observe and identify sequences of actions that indicate a potential compromise. It evaluates findings across protection plans and other signal sources to identify common and emerging attack patterns. For each detected attack sequence, GuardDuty provides details including potentially impacted resources, event timelines, the actors involved, and the indicators used to detect the sequence. The findings also map the observed activities to MITRE ATT&CK tactics and techniques and include remediation recommendations based on AWS best practices, helping security teams understand the nature of the threat.
To enable Extended Threat Detection for EKS, you need at least one of these features: EKS Protection or Runtime Monitoring. For maximum detection coverage, we recommend enabling both. EKS Protection monitors control plane activity through audit logs, and Runtime Monitoring observes behavior inside containers. Together they create a complete view of your EKS clusters, allowing GuardDuty to detect complex attack patterns.
How it works
To use the new Amazon GuardDuty Extended Threat Detection for EKS clusters, go to the GuardDuty console and enable EKS Protection. First, from the Region selector in the upper right corner, select the Region where you want to enable EKS Protection. In the navigation pane, choose EKS Protection. On the EKS Protection page, check the current status and choose Enable. Choose Confirm to save your selection.
Once enabled, GuardDuty begins monitoring the Kubernetes audit logs from your EKS clusters without requiring any configuration. GuardDuty consumes these audit logs directly from the EKS control plane through an independent stream that does not affect any existing logging configurations. In a multi-account environment, only the delegated GuardDuty administrator account can enable or disable EKS Protection for member accounts and configure auto-enable settings for new accounts that join the organization.
To enable Runtime Monitoring, choose Runtime Monitoring in the navigation pane. Under the Configuration tab, choose Enable to turn on Runtime Monitoring for your account.
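As an added illustration (not code from this post or from AWS), here is a Python check that applies the prerequisite rule above to a GuardDuty GetDetector response and builds the UpdateDetector Features list for whatever is missing. It assumes the GuardDuty API feature names EKS_AUDIT_LOGS (EKS Protection), RUNTIME_MONITORING (Runtime Monitoring) and its EKS_ADDON_MANAGEMENT add-on configuration; the sample detector response is constructed.

```python
# Feature names as returned by GuardDuty GetDetector / accepted by UpdateDetector.
EKS_AUDIT_LOGS = "EKS_AUDIT_LOGS"          # backs EKS Protection
RUNTIME_MONITORING = "RUNTIME_MONITORING"  # backs Runtime Monitoring
EKS_ADDON_MANAGEMENT = "EKS_ADDON_MANAGEMENT"  # agent add-on for EKS clusters


def enabled_features(detector: dict) -> set:
    """Names of features whose Status is ENABLED in a GetDetector response."""
    return {f["Name"] for f in detector.get("Features", []) if f.get("Status") == "ENABLED"}


def audit_eks_coverage(detector: dict) -> dict:
    """Classify EKS coverage: 'eligible' = at least one of the two features is on
    (the minimum the post requires); 'full_coverage' = both are on (recommended)."""
    on = enabled_features(detector)
    eks, runtime = EKS_AUDIT_LOGS in on, RUNTIME_MONITORING in on
    return {
        "eks_protection": eks,
        "runtime_monitoring": runtime,
        "eligible": eks or runtime,
        "full_coverage": eks and runtime,
    }


def remediation_features(detector: dict) -> list:
    """Build the Features list for UpdateDetector that turns on whatever is missing."""
    on = enabled_features(detector)
    fixes = []
    if EKS_AUDIT_LOGS not in on:
        fixes.append({"Name": EKS_AUDIT_LOGS, "Status": "ENABLED"})
    if RUNTIME_MONITORING not in on:
        fixes.append({"Name": RUNTIME_MONITORING, "Status": "ENABLED",
                      "AdditionalConfiguration": [{"Name": EKS_ADDON_MANAGEMENT, "Status": "ENABLED"}]})
    return fixes


# Constructed sample: a detector with only Runtime Monitoring enabled.
SAMPLE_DETECTOR = {
    "Status": "ENABLED",
    "Features": [
        {"Name": "EKS_AUDIT_LOGS", "Status": "DISABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED",
         "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "ENABLED"}]},
    ],
}

if __name__ == "__main__":  # run against a real account: python audit.py <detector-id>
    import sys
    import boto3  # only needed here, not for the pure checks above

    gd = boto3.client("guardduty")
    current = gd.get_detector(DetectorId=sys.argv[1])
    print(audit_eks_coverage(current))
    if remediation_features(current):
        gd.update_detector(DetectorId=sys.argv[1], Features=remediation_features(current))
```

In an organization, run the update from the delegated GuardDuty administrator account, since member accounts cannot change these settings themselves.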
Now you can see attack sequence and critical findings specifically related to Kubernetes cluster compromise on the Summary dashboard. You can observe that GuardDuty has identified complex Kubernetes attack patterns, such as compromise events and suspicious activities in EKS clusters. The visual representation of detections, impacted resources, and attack types gives you a holistic view of Amazon EKS security, so you can prioritize the most critical threats to your containerized workloads.
The Finding details page presents the EKS cluster attack sequence to help you understand the full scope of a potential compromise. GuardDuty correlates signals into a timeline, mapping observed behavior to MITRE ATT&CK® tactics and techniques such as account manipulation, resource hijacking, and privilege escalation. This granular level of insight shows exactly how attackers progressed through your Amazon EKS environment and identifies affected resources such as EKS workloads and service accounts. The detailed breakdown of indicators, actors, and endpoints gives you the context needed to understand the attack pattern, determine impact, and prioritize remediation. By consolidating these security insights, you can quickly assess the severity of Amazon EKS security incidents, shorten investigations, and implement targeted countermeasures to protect your containerized applications.
The Resources section of the Finding details page shows the context of the specific assets affected during the attack sequence. This unified resource list gives you visibility into the exact scope of the compromise, from the initial entry point to the targeted Kubernetes components. Because GuardDuty includes detailed resource attributes such as identifiers, creation timestamps, and related metadata, you can quickly assess which components of your containerized infrastructure require immediate attention. This focused approach eliminates guesswork during incident response, so you can prioritize remediation efforts on the most critical resources and minimize the potential blast radius in Amazon EKS.
Now available
Amazon GuardDuty Extended Threat Detection with expanded coverage for Amazon EKS clusters provides comprehensive correlation of security signals within Kubernetes environments. You can use this capability to detect sophisticated multi-stage attacks by correlating events across different data sources and identifying attack sequences that traditional monitoring might miss.
To start using this expanded coverage, enable EKS Protection in your GuardDuty settings, and consider adding Runtime Monitoring for increased detection capability.
For more information about this new capability, refer to the Amazon GuardDuty documentation.
– Esra