Workshop Instructions

This workshop is designed to give you an introduction to the AWS threat detection and response services and then take you deeper into their use cases, best practices, and specific scenarios. It starts with an introduction to the services and then moves on to advanced threat detection and response topics, with modules on multi-service solutions, integrations, custom orchestration examples, and examples of responding to specific detections. All of this is designed to prepare you to operate more securely on AWS.

Available labs

Introduction to Threat Detection and Response Services

Module  Topic                                        Level  Services
AWS Security Hub
2.1.1   Security Hub - Overview                      100    Security Hub
2.1.2   Security Hub - Dashboard                     100    Security Hub
2.1.3   Security Hub - Findings                      100    Security Hub
2.1.4   Security Hub - Pricing                       100    Security Hub
2.1.5   Security Hub - Notifications                 100    Security Hub
Amazon GuardDuty
2.2.1   GuardDuty - Overview                         100    GuardDuty
2.2.2   GuardDuty - Findings                         100    GuardDuty
2.2.3   GuardDuty - Protection plans                 100    GuardDuty
2.2.4   GuardDuty - Building your own threat list    100    GuardDuty
2.2.5   GuardDuty - Suppressing findings             100    GuardDuty
2.2.6   GuardDuty - Pricing                          100    GuardDuty
2.2.7   GuardDuty - Simple notifications             100    GuardDuty
2.2.8   GuardDuty - Retaining findings               100    GuardDuty
Amazon Inspector
2.3.1   Inspector - Overview                         100    Inspector
2.3.2   Inspector - Dashboard                        100    Inspector
2.3.3   Inspector - Findings                         100    Inspector
2.3.4   Inspector - Vulnerability database search    100    Inspector
2.3.5   Inspector - Suppressing findings             100    Inspector
2.3.6   Inspector - Pricing                          100    Inspector
Amazon Detective
2.4.1   Detective - Overview                         100    Detective
2.4.2   Detective - Summary                          100    Detective
2.4.3   Detective - Search                           100    Detective
2.4.4   Detective - Investigations                   100    Detective
2.4.5   Detective - Finding Groups                   100    Detective
2.4.6   Detective - Pricing                          100    Detective
2.4.7   Detective - EKS Audit Logs                   100    Detective

Integrating AWS Services and Partner Solutions

Module  Topic                                                Level  Services
3.1     Centralizing findings from AWS security services     100    Security Hub, GuardDuty
3.2     Aggregating findings from multiple AWS accounts      100
3.3     Centralizing findings from AWS partner solutions     100    Security Hub
3.4     Cross-region finding aggregation                     200    Security Hub
3.5     Building your own Security Hub integration           100    Security Hub

Managing and Prioritizing Security Findings

Module  Topic                                                Level
4.1     Prioritizing findings at scale with automations      100
4.2     Suppressing findings at scale with automations       100
4.3     Using insights for prioritization and metrics        200

Automating Notifications and Response

Module  Topic                                                   Level  Services
5.1     Setting up notifications                                200    Security Hub
5.2     Set up a weekly vulnerability summary email             300    Security Hub, Inspector
5.3     Automated Security Response on AWS                      200    Security Hub
5.4     Building your own automated response                    300    Security Hub, GuardDuty
5.5     Enriching security findings with investigative data     400    Security Hub, GuardDuty, Detective

Security Simulations and Scenarios

Module  Topic                                                 Level  Services
6.1     Respond to IAM Role credential exfiltration           300    GuardDuty
6.2     Respond to a compromised S3 Bucket                    300    GuardDuty
6.3     Respond to compromised IAM credentials                300    GuardDuty, Detective
6.4     Respond to a Lambda function calling malicious IP     300    GuardDuty
6.5     Respond to Malware on Amazon Elastic Block Store      200    GuardDuty
6.6     Respond to a compromised EC2 instance                 200    GuardDuty, Detective

Software Vulnerability Management

Module  Topic                                                   Level  Services
7.1     Patching EC2 with Patch Manager                         300    Inspector, Systems Manager
7.2     Vulnerability management for serverless applications    300    Inspector
7.3     Integrating Amazon Inspector into a CI/CD pipeline      300    Inspector