Closed-loop, round-the-clock threat detection and response based on AWS Endpoint Security (EPS)

Published: 2025-03-23

Design an AWS cloud architecture that delivers round-the-clock threat detection and response based on AWS Endpoint Security (EPS). EPS uses an agent to monitor endpoint behaviour such as processes and network connections in real time, for example to detect abnormal login attempts or malware activity. Once a threat is found, the system automatically raises a security-incident ticket and triggers the response workflow, such as isolating the infected instance or blocking the suspicious IP, closing the loop from detection to handling. The concrete implementation steps and key code follow.

The design uses AWS-native services to implement real-time detection, automated response and closed-loop management of security threats, with an event-driven architecture to keep handling fast while the whole remains scalable and itself secure. "EPS" here is the name used for the endpoint telemetry stack assembled from SSM Agent, CloudWatch Agent and GuardDuty; it is not a separately named AWS service. In a real deployment the severity thresholds and response actions must be tuned to the business: automatic isolation of a production instance is a destructive action and should be reserved for high-confidence findings.


I. Architecture design

[Architecture diagram: image not available in the source export]

  1. Data collection layer

    • SSM Agent & CloudWatch Agent
    • VPC Flow Logs
    • GuardDuty threat detection
  2. Analysis layer

    • Amazon GuardDuty (anomalous behaviour analysis)
    • Lambda custom detection rules
  3. Response layer

    • AWS Systems Manager Automation
    • Lambda response functions
    • Security Group / Network ACL updates
  4. Management platform

    • AWS Security Hub (finding aggregation)
    • ServiceNow / Jira ticketing integration

II. Detailed implementation steps

Step 1: Environment preparation
```bash
# Create a dedicated isolation security group. --vpc-id is required outside the
# default VPC; VPC_ID is a placeholder for the target VPC.
ISOLATION_SG=$(aws ec2 create-security-group --group-name "Isolation-SG" \
    --description "Security group for infected instances" \
    --vpc-id "$VPC_ID" --query 'GroupId' --output text)

# A new group has no inbound rules but does get an allow-all egress rule; remove it so a
# quarantined instance can neither be reached nor call out. If SSM Session Manager must
# keep working for forensics, allow egress to the SSM VPC endpoints only.
aws ec2 revoke-security-group-egress --group-id "$ISOLATION_SG" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

# Create the DynamoDB table that records incidents
aws dynamodb create-table \
    --table-name SecurityIncidents \
    --attribute-definitions AttributeName=IncidentID,AttributeType=S \
    --key-schema AttributeName=IncidentID,KeyType=HASH \
    --billing-mode PAY_PER_REQUEST
```
Step 2: Deploy endpoint monitoring
```yaml
# SSM Command document that (re)installs and enables SSM Agent on Amazon Linux 2.
# Amazon Linux 2 AMIs ship with SSM Agent preinstalled, and Run Command can only reach
# instances whose agent is already running, so this document serves as an update/repair
# step; instances without an agent need user data or a baked AMI instead.
# Register it with: aws ssm create-document --name InstallSSMAgent --document-type Command
#                   --document-format YAML --content file://install-ssm-agent.yml
description: Install and configure SSM Agent
schemaVersion: '2.2'
mainSteps:
  - name: installSsmAgent
    action: aws:runShellScript
    inputs:
      runCommand:
        - sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
        - sudo systemctl enable amazon-ssm-agent
        - sudo systemctl start amazon-ssm-agent
        - sudo systemctl status amazon-ssm-agent --no-pager
```
Step 3: Configure threat detection
```python
# GuardDuty custom threat list (Python SDK)
import boto3

client = boto3.client('guardduty')
# A region has at most one detector; look it up instead of hardcoding the ID
detector_id = client.list_detectors()['DetectorIds'][0]
response = client.create_threat_intel_set(
    DetectorId=detector_id,
    Name='MaliciousIPs',
    # Location must be an S3 object (one IP or CIDR per line) that the GuardDuty service
    # role can read; arbitrary HTTPS URLs are rejected. The bucket name is a placeholder.
    Location='https://s3.amazonaws.com/example-bucket/malicious-ips.txt',
    Format='TXT',
    Activate=True
)
print(response['ThreatIntelSetId'])
```
Step 4: Automated incident response
```python
# Lambda auto-response function (Python)
import json
import os
from datetime import datetime, timezone

import boto3
import requests  # not in the Lambda runtime by default: ship it in a layer or the deployment package

ISOLATION_SG = os.environ['ISOLATION_SG_ID']  # the Isolation-SG created in step 1


def lambda_handler(event, context):
    # Parse the GuardDuty finding delivered by EventBridge
    detail = event['detail']
    threat_type = detail['type']

    # Only EC2 findings carry instanceDetails; IAM or S3 findings would raise KeyError below
    if detail['resource'].get('resourceType') != 'Instance':
        return {'statusCode': 200, 'action': 'skipped', 'reason': 'not an EC2 finding'}
    instance_id = detail['resource']['instanceDetails']['instanceId']

    ec2 = boto3.client('ec2')

    # Record the original security groups so the instance can be restored after triage
    instance = ec2.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]
    original_sgs = [sg['GroupId'] for sg in instance['SecurityGroups']]
    if original_sgs == [ISOLATION_SG]:
        return {'statusCode': 200, 'action': 'already-quarantined'}

    # Swap in the isolation group. This changes the primary ENI only; instances with
    # several ENIs need modify_network_interface_attribute on each of them.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[ISOLATION_SG])

    # Record the incident in DynamoDB
    table = boto3.resource('dynamodb').Table('SecurityIncidents')
    table.put_item(Item={
        'IncidentID': detail['id'],  # the finding ID is stable across redeliveries, unlike aws_request_id
        'InstanceID': instance_id,
        'ThreatType': threat_type,
        'OriginalSGs': original_sgs,
        'IsolationTime': datetime.now(timezone.utc).isoformat(),
        'Status': 'Quarantined'
    })

    # Raise a ServiceNow ticket
    create_service_now_ticket(instance_id, threat_type)

    return {'statusCode': 200, 'action': 'quarantined'}


def create_service_now_ticket(instance_id, threat_type):
    # Credentials come from Secrets Manager (a JSON secret with "username" and "password");
    # never hardcode them in the function source
    secret = boto3.client('secretsmanager').get_secret_value(SecretId=os.environ['SNOW_SECRET_ARN'])
    creds = json.loads(secret['SecretString'])
    snow_url = "https://your-instance.service-now.com/api/now/table/incident"
    data = {
        "short_description": f"AWS Security Alert: {threat_type}",
        "description": f"Instance {instance_id} quarantined due to {threat_type}"
    }
    resp = requests.post(snow_url, json=data, auth=(creds['username'], creds['password']),
                         headers={"Content-Type": "application/json"}, timeout=10)
    resp.raise_for_status()
```
Step 5: Network-layer defence
```python
# Automatically block a malicious IP (Python)
import boto3


def block_malicious_ip(ip, vpc_id):
    ec2 = boto3.client('ec2')

    # Get the default NACL of the target VPC (each VPC has exactly one default NACL)
    nacl = ec2.describe_network_acls(Filters=[
        {'Name': 'default', 'Values': ['true']},
        {'Name': 'vpc-id', 'Values': [vpc_id]},
    ])['NetworkAcls'][0]

    # NACL rules are evaluated lowest number first and the default NACL allows all
    # traffic at rule 100, so a deny at 150 would never match. Also, a fixed number
    # fails on the second call. Use the lowest free number below the first allow rule.
    inbound = [e for e in nacl['Entries'] if not e['Egress']]
    used = {e['RuleNumber'] for e in inbound}
    first_allow = min(e['RuleNumber'] for e in inbound if e['RuleAction'] == 'allow')
    rule_number = next(n for n in range(1, first_allow) if n not in used)

    # Protocol -1 (all) ignores PortRange, so it is omitted. A NACL holds only 20 rules by
    # default (quota adjustable to 40); for longer blocklists use a Network Firewall or WAF IP set.
    ec2.create_network_acl_entry(
        NetworkAclId=nacl['NetworkAclId'],
        RuleNumber=rule_number,
        Protocol='-1',
        RuleAction='deny',
        Egress=False,
        CidrBlock=f"{ip}/32"
    )
    return rule_number
```
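The following is an added example, not code from the original post: the quarantine logic of Steps 4 and 5 factored into functions that run offline against a constructed GuardDuty finding and a stand-in EC2 client. It shows the two checks a response Lambda needs before touching anything: skip findings whose resourceType is not Instance (they carry no instanceDetails), and choose a NACL deny rule number below the first allow rule, because NACL entries are evaluated lowest-number-first. The finding fields, instance ID and security group IDs are constructed sample data; FakeEC2 is a hypothetical stand-in that exposes only the two boto3 calls used.

```python
"""Quarantine logic from Steps 4 and 5, refactored so it runs offline (added example)."""
from datetime import datetime, timezone

# Constructed sample: the `detail` of an EventBridge "GuardDuty Finding" event.
# Field names follow the GuardDuty finding format; the IDs are made up.
SAMPLE_FINDING = {
    "id": "finding-0001",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 8,
    "resource": {
        "resourceType": "Instance",
        "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
    },
}


class FakeEC2:
    """Hypothetical stand-in for boto3's EC2 client, exposing only the two calls used."""

    def __init__(self, instance_id, groups):
        self.groups = {instance_id: list(groups)}

    def describe_instances(self, InstanceIds):
        inst = InstanceIds[0]
        sgs = [{"GroupId": g, "GroupName": g} for g in self.groups[inst]]
        return {"Reservations": [{"Instances": [{"InstanceId": inst, "SecurityGroups": sgs}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)
        return {}


def quarantine_instance(finding, ec2, isolation_sg, min_severity=7.0):
    """Isolate the instance named in an EC2 finding; return the incident record, or None if not actionable."""
    resource = finding.get("resource", {})
    # IAM, S3 and other non-EC2 findings carry no instanceDetails: skip them instead of raising KeyError
    if resource.get("resourceType") != "Instance":
        return None
    if float(finding.get("severity", 0)) < min_severity:
        return None
    instance_id = resource["instanceDetails"]["instanceId"]
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = [sg["GroupId"] for sg in instance["SecurityGroups"]]
    if original == [isolation_sg]:
        # Idempotent: EventBridge may deliver the same finding more than once
        return {"IncidentID": finding["id"], "InstanceID": instance_id,
                "OriginalSGs": original, "Status": "AlreadyQuarantined"}
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return {
        "IncidentID": finding["id"],
        "InstanceID": instance_id,
        "ThreatType": finding["type"],
        "OriginalSGs": original,  # kept so the instance can be released after triage
        "IsolationTime": datetime.now(timezone.utc).isoformat(),
        "Status": "Quarantined",
    }


def release_instance(record, ec2):
    """Put the original security groups back once the incident is closed."""
    ec2.modify_instance_attribute(InstanceId=record["InstanceID"], Groups=record["OriginalSGs"])
    return dict(record, Status="Released")


def next_deny_rule_number(entries, egress=False):
    """Lowest unused NACL rule number below the first allow rule in that direction.

    NACL entries are evaluated lowest-number-first and the default NACL allows
    everything at rule 100, so a deny numbered 150 would never be reached.
    `entries` has the shape of DescribeNetworkAcls' NetworkAcls[].Entries.
    """
    direction = [e for e in entries if e["Egress"] == egress]
    used = {e["RuleNumber"] for e in direction}
    allows = [e["RuleNumber"] for e in direction if e["RuleAction"] == "allow"]
    ceiling = min(allows) if allows else 32767  # 32767 is the implicit final deny
    for n in range(1, ceiling):
        if n not in used:
            return n
    raise RuntimeError("no free rule number below the first allow rule")


if __name__ == "__main__":
    ec2 = FakeEC2("i-0123456789abcdef0", ["sg-web", "sg-ssh"])
    record = quarantine_instance(SAMPLE_FINDING, ec2, "sg-isolation")
    print(record)
    print(release_instance(record, ec2))
    # Constructed entries from a default NACL that already holds one deny at rule 1
    entries = [
        {"RuleNumber": 1, "Egress": False, "RuleAction": "deny", "CidrBlock": "198.51.100.7/32"},
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    ]
    print(next_deny_rule_number(entries))
```

Keeping the decision logic separate from the boto3 calls is what makes it unit-testable: the real handler only has to build the clients and pass them in, and the release path reuses the OriginalSGs recorded at isolation time.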
Step 6: Security finding visualisation
```bash
# Enable Security Hub and import GuardDuty findings
# (the product ARN is region-specific; us-west-2 shown, use the region where GuardDuty runs)
aws securityhub enable-security-hub
aws securityhub enable-import-findings-for-product \
    --product-arn arn:aws:securityhub:us-west-2::product/aws/guardduty
```

III. Key configuration points

  1. IAM role permissions
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkAcls",
                "ec2:CreateNetworkAclEntry"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "dynamodb:PutItem",
            "Resource": "arn:aws:dynamodb:*:*:table/SecurityIncidents"
        }
    ]
}
```
The Describe actions do not support resource-level restrictions, but ec2:ModifyInstanceAttribute does: in production, scope it to the account's instances and to the isolation group (for example with a tag condition) rather than leaving it on "*", since this statement lets the function rewrite the security groups of any instance. The execution role also needs the usual AWSLambdaBasicExecutionRole logging permissions and read access to wherever the ticketing-system credentials are stored.
  2. EventBridge rule pattern
```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "severity": [{"numeric": [">=", 7]}],
    "resource": {
      "resourceType": ["Instance"]
    }
  }
}
```
The resourceType filter keeps IAM, S3 and other non-EC2 findings away from a response function that expects instanceDetails. GuardDuty's High severity band starts at 7.0, so this pattern selects High (and any higher) findings only; lower the threshold with care, because every match triggers isolation.
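An added example, not from the original post: a small evaluator for the subset of EventBridge pattern syntax used above (exact values, numeric comparisons and prefix matching), so the rule can be checked against representative findings before it is deployed. The GuardDuty events it is run against are constructed sample data containing only the fields the rule inspects; the functions pattern_matches and sample_finding_event are this example's own names.

```python
"""Offline evaluator for the EventBridge event pattern above (added example)."""

# The rule pattern from the text: High-severity GuardDuty findings about EC2 instances
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "severity": [{"numeric": [">=", 7]}],
        "resource": {"resourceType": ["Instance"]},
    },
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_matches(value, spec):
    # spec is a flat list of operator/operand pairs, e.g. [">=", 7] or [">", 0, "<", 5]
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, operand) for op, operand in zip(spec[0::2], spec[1::2]))


def _leaf_matches(value, alternatives):
    # A leaf in a pattern is a list of alternatives; any one of them matching is enough
    for alt in alternatives:
        if isinstance(alt, dict):
            if "numeric" in alt and _numeric_matches(value, alt["numeric"]):
                return True
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif value == alt:
            return True
    return False


def pattern_matches(event, pattern):
    """True if every key in the pattern exists in the event and matches; event keys absent from the pattern are ignored."""
    for key, sub_pattern in pattern.items():
        if key not in event:
            return False
        if isinstance(sub_pattern, dict):
            if not isinstance(event[key], dict) or not pattern_matches(event[key], sub_pattern):
                return False
        elif not _leaf_matches(event[key], sub_pattern):
            return False
    return True


def sample_finding_event(severity, resource_type="Instance",
                         finding_type="UnauthorizedAccess:EC2/SSHBruteForce"):
    """Constructed EventBridge envelope for a GuardDuty finding; only the fields the rule inspects are present."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": resource_type},
        },
    }


if __name__ == "__main__":
    for sev, rtype in [(8, "Instance"), (5, "Instance"), (8, "AccessKey")]:
        print(sev, rtype, pattern_matches(sample_finding_event(sev, rtype), RULE_PATTERN))
```

A pattern variant such as {"detail": {"type": [{"prefix": "UnauthorizedAccess:EC2/"}]}} can be tried the same way to see which finding families a rule would route to the isolation function before that function is allowed to act on real instances.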

IV. Verification and test procedure

  1. Simulated attack test
```bash
# Generate abnormal login attempts (SSH brute force from an external source IP; GuardDuty derives
# UnauthorizedAccess:EC2/SSHBruteForce from VPC Flow Logs, so the finding appears with some delay)
ncrack -v -u ec2-user -P password_list.txt ssh://ec2-xx-xx-xx-xx.compute-1.amazonaws.com

# Trigger malicious-IP/domain detection (DNS-based findings are only produced when the
# instance resolves names through the VPC's Route 53 Resolver)
curl http://malicious-domain.com/testpayload
```
Run such tests only against your own instances. A faster way to exercise the whole pipeline is GuardDuty's sample findings (the create-sample-findings API), which emit findings of a chosen type without any attack traffic and therefore also test the EventBridge rule and the Lambda end to end.
  2. Verify the automated response
```bash
# Check that the instance's security groups changed (the flag is --instance-ids, plural)
aws ec2 describe-instances --instance-ids i-0123456789abcdef0 \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId'

# Look at the DynamoDB records
aws dynamodb scan --table-name SecurityIncidents

# Verify that the ServiceNow ticket was created
```

V. Optimisation suggestions

  1. Defence in depth
  • Integrate WAF to block application-layer attacks
  • Enable Amazon Inspector for vulnerability scanning
  • Configure AWS Config for compliance monitoring
  2. False-positive handling
  • Put an approval workflow (Step Functions) in front of destructive actions such as isolation
  • Implement automatic allow-listing
  • Integrate Amazon Detective for root-cause analysis
  3. Performance optimisation
  • Set Lambda concurrency limits
  • Use ElastiCache to cache frequently used data
  • Enable X-Ray for call tracing