Introduction
As cloud technologies advance at an unprecedented rate, organizations are adopting new services to run their operations and serve their customers better. Many enterprises still rely on traditional, reactive security measures, which may not be enough to detect threats and misconfigurations before they are exploited.
This blog explores how to automate the triage of security findings and alerting within your cloud environment using Amazon GuardDuty (threat detection), Amazon Bedrock (generative AI), and other AWS serverless services. With each finding summarized and routed to subscribers as it is raised, teams can detect security risks before they escalate and receive timely alerts with actionable recommendations. Organizations can create a more resilient and secure cloud infrastructure through this approach.
Solution Overview
Solution benefits
- Subscribers receive an email for each GuardDuty finding in near real time, giving a current view of the account's security status.
- A generative AI model summarizes each finding and proposes remediation steps, helping you prioritize and respond efficiently.
- Reports arrive with actionable recommendations, allowing you to address issues before they escalate.
Prerequisites
- Enable Amazon GuardDuty so that it generates security findings in your account.
- Grant least-privilege AWS IAM permissions to the AWS resources that execute the required actions, such as AWS Step Functions and AWS Lambda:
- The AWS IAM role for the AWS Step Functions state machine needs lambda:InvokeFunction on the Lambda function and sns:Publish on the Amazon SNS topic, scoped to those two resource ARNs rather than "*".
- The AWS Lambda function's role needs the AWSLambdaBasicExecutionRole managed policy (CloudWatch Logs) plus bedrock:InvokeModel on the model ARN, which has the form arn:aws:bedrock:<region>::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0.
- Modify the Amazon SNS topic access policy so that sns:Publish is allowed only for the Step Functions state machine's execution role, which is the principal that actually calls Publish.
- Request access to the Anthropic Claude 3 Sonnet model on Amazon Bedrock in the Region you deploy to.
- Enable server-side encryption for the Amazon SNS topic to ensure encrypted message delivery. If the topic uses a customer managed AWS KMS key, the Step Functions role must also be allowed kms:GenerateDataKey and kms:Decrypt on that key, otherwise the Publish call fails with a KMS access error.
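The following inline policy for the Step Functions execution role is an added example and is not from the original post; the function name, topic name, account ID and key ID are placeholders. It grants exactly the three capabilities the prerequisites call for, and the KMS statement is only needed when the SNS topic is encrypted with a customer managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeSummariser",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:guardduty-bedrock-summariser"
    },
    {
      "Sid": "PublishAlerts",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:111122223333:guardduty-alerts"
    },
    {
      "Sid": "EncryptForSnsCustomerManagedKey",
      "Effect": "Allow",
      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": { "kms:ViaService": "sns.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

The kms:ViaService condition keeps the role from using the key for anything other than SNS publishing. The Lambda role is separate: AWSLambdaBasicExecutionRole plus a single bedrock:InvokeModel statement on the model ARN given above.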
Deploy the solution
1. On the Amazon EventBridge console, create a new rule that matches Amazon GuardDuty finding events (source aws.guardduty, detail-type GuardDuty Finding).
2. In the AWS Lambda console, create an AWS Lambda function that accepts the finding as input and invokes the Amazon Bedrock API to retrieve a summary and mitigation steps from the Anthropic Claude 3 Sonnet model. The function reads three environment variables:
- modelId is set to anthropic.claude-3-sonnet-20240229-v1:0, the Amazon Bedrock model ID for Claude 3 Sonnet
- findingDetailType is set to GuardDuty Finding, the exact detail-type string GuardDuty events carry, to filter the payload
- source is set to aws.guardduty, the EventBridge source GuardDuty publishes under, so that only GuardDuty findings are evaluated
AWS Lambda Code:
```python
import json
import os

import boto3

region = os.environ['AWS_REGION']
model_Id = os.environ['modelId']                        # e.g. anthropic.claude-3-sonnet-20240229-v1:0
finding_detail_type = os.environ['findingDetailType']   # "GuardDuty Finding"
finding_source = os.environ['source']                   # "aws.guardduty"

# Only the Bedrock Runtime client is needed: it is the one that invokes models.
bedrock_runtime = boto3.client(service_name='bedrock-runtime', region_name=region)

max_tokens = 1024   # 512 tends to cut off an email that carries several troubleshooting steps
temp = 0.5          # Anthropic advises setting either temperature or top_p, not both


def lambda_handler(event, context):
    message = ""
    try:
        # event is the EventBridge envelope; the GuardDuty finding sits under 'detail'
        print(finding_detail_type)
        print(finding_source)
        if (event.get('detail-type') == finding_detail_type
                and event.get('source') == finding_source
                and event.get('detail')):
            print(f"Finding contents: {json.dumps(event['detail'])}")
            description = event["detail"]["description"]
            finding_arn = event["detail"]["arn"]
            try:
                body = createBedrockRequest(description)
                message = invokeModel(body)
                print(f"{finding_arn}: {message}")
            except Exception as e:
                print(e)
                print('Error calling model')
        else:
            message = "Invalid finding source"
    except Exception as e:
        print(e)
        print('Error getting finding details from the GuardDuty record')
        raise
    return message


def createBedrockRequest(description):
    # The description is wrapped in <description> tags so the model treats it as data.
    # GuardDuty descriptions embed resource names and other values that can originate
    # from an attacker, so they must never be allowed to read as instructions.
    prompt = (
        "You are an expert in troubleshooting AWS logs and sharing details with the user "
        "via an email draft as stated in <description>. Do NOT provide any preamble. "
        "Draft a professional email summary of details as stated in description. "
        "Write the recipient as - User in the email and sender in the email should be "
        "listed as - Your Friendly Troubleshooter. Skip the preamble and directly start "
        "with subject. Also, provide detailed troubleshooting steps in the email draft."
        "<description>" + description + "</description>"
    )
    messages = [{"role": "user", "content": [{"type": "text", "text": prompt}]}]
    # Anthropic Messages API request body for Bedrock; no system prompt is used
    body = json.dumps({
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": max_tokens,
        "messages": messages,
        "temperature": temp,
    })
    return body


def invokeModel(body):
    response = bedrock_runtime.invoke_model(body=body, modelId=model_Id)
    response_body = json.loads(response.get('body').read())
    # The Messages API returns a list of content blocks; the first one holds the text
    return response_body.get('content')[0].get("text")
```
It is essential to apply prompt engineering and adhere to good prompting practices to reduce hallucinated or incoherent responses from the LLM. Wrapping the finding text in tags and telling the model what to do with it keeps the finding in the role of data rather than instructions. In our solution, we designed the following prompt to generate responses using Anthropic Claude 3 Sonnet:
Prompt = "You are an expert in troubleshooting AWS logs and sharing details with the user via an email draft as stated in <description>. Do NOT provide any preamble. Draft a professional email summary of details as stated in description. Write the recipient as - User in the email and sender in the email should be listed as - Your Friendly Troubleshooter. Skip the preamble and directly start with subject. Also, provide detailed troubleshooting steps in the email draft." + "<description>" + description + "</description>"
3. On the Amazon SNS console, create an SNS topic to send notifications and add the emails of the subscribers.
4. Create a new state machine on the AWS Step Functions console and add the AWS Lambda and Amazon SNS optimized integration.
You must grant AWS IAM permissions to the AWS Step Functions role to allow it to invoke AWS Lambda and Amazon SNS.
The below code shows how to use the AWS Step Functions optimized integration with AWS Lambda and Amazon SNS:
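The state machine definition below is an added example written for this page, not the original post's code. It uses the two optimized integrations named in step 4; the function ARN, topic ARN and account ID are placeholders, and the Choice state is an assumption of this example that stops the workflow from publishing an empty message or the "Invalid finding source" string the Lambda function returns when the payload does not match.

```json
{
  "Comment": "Summarise a GuardDuty finding with Amazon Bedrock and email it via Amazon SNS",
  "StartAt": "SummariseFinding",
  "States": {
    "SummariseFinding": {
      "Type": "Task",
      "Resource": "arn:aws:states:::lambda:invoke",
      "Parameters": {
        "FunctionName": "arn:aws:lambda:us-east-1:111122223333:function:guardduty-bedrock-summariser",
        "Payload.$": "$"
      },
      "ResultSelector": { "emailBody.$": "$.Payload" },
      "ResultPath": "$.summary",
      "Retry": [
        {
          "ErrorEquals": [
            "Lambda.ServiceException",
            "Lambda.AWSLambdaException",
            "Lambda.SdkClientException",
            "Lambda.TooManyRequestsException"
          ],
          "IntervalSeconds": 2,
          "MaxAttempts": 3,
          "BackoffRate": 2
        }
      ],
      "Next": "HasDraft"
    },
    "HasDraft": {
      "Type": "Choice",
      "Choices": [
        {
          "Or": [
            { "Variable": "$.summary.emailBody", "StringEquals": "" },
            { "Variable": "$.summary.emailBody", "StringEquals": "Invalid finding source" }
          ],
          "Next": "NothingToSend"
        }
      ],
      "Default": "NotifySubscribers"
    },
    "NothingToSend": { "Type": "Succeed" },
    "NotifySubscribers": {
      "Type": "Task",
      "Resource": "arn:aws:states:::sns:publish",
      "Parameters": {
        "TopicArn": "arn:aws:sns:us-east-1:111122223333:guardduty-alerts",
        "Subject.$": "States.Format('GuardDuty finding: {}', $.detail.type)",
        "Message.$": "$.summary.emailBody"
      },
      "End": true
    }
  }
}
```

Passing the whole EventBridge event as the Lambda payload and keeping it with ResultPath means the finding type is still available for the email subject after the model has run. The Retry block covers the transient Lambda errors; a Bedrock throttle surfaces inside the function and is logged there.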
5. In the Amazon EventBridge console, set the AWS Step Functions state machine as the target for the previously created EventBridge rule.
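The event pattern for that rule, as an added example rather than content from the original post: the source and detail-type values are the ones GuardDuty actually emits and must match the Lambda function's environment variables exactly. The severity filter is an assumption of this example; GuardDuty scores Medium findings 4.0 to 6.9 and High 7.0 to 8.9, so dropping Low findings keeps Bedrock invocations and emails down. Remove it while testing if you want every sample finding to flow through.

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{ "numeric": [">=", 4] }]
  }
}
```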
Test the solution:
Test the configuration by generating sample findings in the Amazon GuardDuty console. Generating samples creates one finding of every supported finding type, and each one flows through the rule, so expect one Bedrock invocation and one email per sample finding; that is well over a hundred messages unless the rule filters on severity.
The following screenshot shows an email from Amazon SNS regarding a potential security risk in an Amazon Elastic Container Service (Amazon ECS) cluster, produced from a sample finding. The email includes a summary of the finding and several mitigation steps to address the issue.
The screenshot below is a sample email notification about communication with an IP address associated with Bitcoin activity.
Conclusion
This proactive approach lets users act on findings before they escalate, reducing the risk of data breaches or security incidents. It helps maintain a secure environment within AWS accounts while promoting a culture of security awareness and responsibility.
With clear, actionable recommendations attached to every finding, users can quickly implement the necessary fixes, so fewer issues are overlooked or lost in the console. This model strengthens the overall security posture of AWS environments and encourages efficient collaboration and accountability within the organization.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront and many more.
FAQs
1. What role does Amazon Bedrock play in security assessments?
ANS: Amazon Bedrock hosts the Anthropic Claude 3 Sonnet model, which the Lambda function invokes to process each GuardDuty finding, generating a concise summary and actionable troubleshooting steps. This helps organizations prioritize and address findings proactively.
2. How does Amazon EventBridge facilitate the solution?
ANS: Amazon EventBridge is the event bus that receives GuardDuty findings and routes the matching ones to the AWS Step Functions state machine. The state machine invokes the AWS Lambda function to process the finding and then publishes the result through Amazon SNS, enabling automated notification of security risks.
WRITTEN BY Aayushi Khandelwal
Aayushi, a dedicated Research Associate pursuing a Bachelor's degree in Computer Science, is passionate about technology and cloud computing. Her fascination with cloud technology led her to a career in AWS Consulting, where she finds satisfaction in helping clients overcome challenges and optimize their cloud infrastructure. Committed to continuous learning, Aayushi stays updated with evolving AWS technologies, aiming to impact the field significantly and contribute to the success of businesses leveraging AWS services.