Overview
Technology components: Managed Intrusion Prevention System (IPS), Distributed Denial of Service (DDoS) Mitigation

• AWS Network Firewall’s intrusion prevention system (IPS)
  o Provides active traffic flow inspection with real-time network and application layer protections against vulnerability exploits and brute force attacks.
  o Its signature-based detection engine matches network traffic patterns to known threat signatures based on attributes such as byte sequences or packet anomalies.
• Amazon GuardDuty
  o Provides accurate threat detection of compromised accounts, which can be difficult to detect quickly if you are not continuously monitoring factors in near real-time.
  o Can detect signs of account compromise, such as AWS resource access from an unusual geo-location at an atypical time of day.
  o Checks for unusual application programming interface (API) calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.
  o Continuously monitors and analyzes AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS Logs.
  o Can aggregate threat detection instead of working on an account-by-account basis.
  o Supports automated security responses to security findings.
  o Automatically manages resource utilization based on the overall activity levels within your AWS accounts, workloads, and data stored in Amazon S3.
  o Adds detection capacity only when necessary, and reduces utilization when capacity is no longer needed.
• AWS Shield Standard
  o Provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.
  o Sets static thresholds for each AWS resource type.
  o Automated mitigation techniques give underlying AWS services protection against common, frequently occurring infrastructure attacks.
• AWS Shield Advanced
  o Provides customized detection based on traffic patterns to your protected Elastic IP address, ELB, CloudFront, Global Accelerator, and Route 53 resources.
  o Uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation.
  o Detects attacks impacting the health of your application more quickly and at lower traffic thresholds, improving the DDoS resiliency of your application and preventing false positive notifications.
  o Provides more sophisticated automatic mitigations for attacks targeting your applications running on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources.
  o Automatically deploys additional mitigation capacity to protect your application against DDoS attacks.
  o Can automatically protect web applications by mitigating application layer (L7) DDoS events with no manual intervention needed.
  o Bundles resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit.
Sold by | Eviden |
Fulfillment method | Professional Services |
Pricing Information
This service is priced based on the scope of your request. Please contact the seller for pricing details.
Support
For support, contact Kamen Petkov (kamen.petkov@eviden.com), Cloud Cybersecurity Portfolio Manager.