- [Hong] You know, as our bee:Mars are getting more popular, more and more bad aliens out there are secretly looking for a weak spot in our infrastructure. As we're getting smarter in running and securing bee:Mars, we want to use automation and machine learning to detect and react when suspicious events happen to our environment, which can be caused by bad aliens. And, that's why we need to talk about Amazon GuardDuty.

Amazon GuardDuty is a threat-detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and resources. This service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. You can aggregate GuardDuty findings across multiple accounts. You can also integrate GuardDuty with AWS CloudWatch Events or your current event management system to alert your security team, a.k.a., to share your bees.

Amazon GuardDuty provides three severity levels - low, medium, and high - to help you prioritize responses to potential threats. A low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource. A medium severity level indicates suspicious activity. For example, a large amount of traffic being returned to a remote host that is behind a hidden network. A high severity level indicates that the resource in question is compromised and is being actively used for unauthorized purposes. An example of this could be that an EC2 instance has been compromised or a set of IAM user credentials has been stolen. Ooh, bad actor.

So, now you can use GuardDuty to detect threats. How about responding to these findings? Amazon GuardDuty offers HTTPS APIs, CLI tools, and Amazon CloudWatch Events to support automated security responses to security findings.
For example, let's say GuardDuty detects an EC2 security group that accepts traffic from everywhere on the internet. You can automate the response workflow by letting GuardDuty send the findings to CloudWatch Events as an event source to trigger an AWS Lambda function to update the security group.

So, are we done yet? Not really. Let's talk about how you can see all of the security alerts and compliance status across AWS accounts in one central place. Enter Security Hub. With Security Hub, you now have a single place that aggregates, organizes, and prioritizes your security alerts or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, as well as from AWS partner solutions. Your findings are visually summarized on integrated dashboards with actionable graphs and tables. You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards that your organization follows.

So, that's it for this week, folks. I'll see you again next week.
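The finding-to-CloudWatch-Events-to-Lambda workflow described above, as an added Python example that is not from the video or from AWS: the handler pulls the security group IDs out of a GuardDuty finding event, keeps only the ingress ranges open to 0.0.0.0/0 or ::/0, and revokes just those. The sample event is constructed; the function names and the choice to revoke only world-open ranges (leaving narrower ranges on the same rule untouched) are this example's assumptions.

```python
# Constructed sample in the shape CloudWatch Events delivers for a GuardDuty finding
# (detail.resource.instanceDetails.networkInterfaces[].securityGroups[].groupId).
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
               "resource": {"resourceType": "Instance", "instanceDetails": {
                   "instanceId": "i-0123456789abcdef0",
                   "networkInterfaces": [
                       {"securityGroups": [{"groupId": "sg-0a1b2c3d4e5f67890"}]},
                       {"securityGroups": [{"groupId": "sg-0a1b2c3d4e5f67890"},
                                           {"groupId": "sg-0fedcba9876543210"}]}]}}},
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" ranges, IPv4 and IPv6

def security_groups_from_finding(event):
    """Security group IDs attached to the instance in an EC2 finding, deduplicated in order."""
    if event.get("source") != "aws.guardduty":
        return []  # ignore anything that is not a GuardDuty finding
    details = event["detail"].get("resource", {}).get("instanceDetails", {})
    seen = []
    for eni in details.get("networkInterfaces", []):
        for sg in eni.get("securityGroups", []):
            if sg["groupId"] not in seen:
                seen.append(sg["groupId"])
    return seen

def world_open_ingress(ip_permissions):
    """Keep only the world-open ranges of each rule, in the shape revoke_security_group_ingress takes."""
    offending = []
    for rule in ip_permissions:
        v4 = [{"CidrIp": r["CidrIp"]} for r in rule.get("IpRanges", []) if r["CidrIp"] in WORLD_CIDRS]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] in WORLD_CIDRS]
        if v4 or v6:  # narrower ranges on the same rule are deliberately left in place
            trimmed = {k: rule[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in rule}
            trimmed.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
            offending.append(trimmed)
    return offending

def lambda_handler(event, context):
    """Lambda entry point: revoke world-open ingress on every group named in the finding."""
    import boto3  # imported lazily so the pure helpers above run without AWS libraries
    ec2 = boto3.client("ec2")
    revoked = {}
    for group_id in security_groups_from_finding(event):
        group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
        rules = world_open_ingress(group["IpPermissions"])
        if rules:  # nothing to revoke on this group otherwise
            ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=rules)
        revoked[group_id] = rules
    return {"statusCode": 200, "revoked": revoked}
```

The two helpers are pure, so the finding parsing and the rule trimming can be unit-tested without AWS credentials; only `lambda_handler` talks to EC2.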