Threat Detection in AI Development Environments with AWS SecurityHub
AWS SecurityHub is a service that provides a comprehensive view of your security state within AWS and helps you check your environment against security industry standards and best practices. This service is designed to aggregate, organize, and prioritize security alerts – or findings – from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie, as well as from AWS Partner solutions. The findings are then visualized on integrated dashboards, which is especially useful in AI development environments, where security and compliance are of great importance.
When you use Pulumi to create infrastructure that includes AWS SecurityHub, you're able to define your security and threat detection configuration in code, which can increase the efficiency and reliability of the deployment and management of your cloud resources.
How to detect threats in AI development environments with AWS SecurityHub
To enable and configure AWS SecurityHub for threat detection in an AI development environment, you need to perform the following steps:
- Enable SecurityHub – Initialize the AWS SecurityHub service in your AWS account.
- Define Standards – Choose and apply the security standards, such as CIS AWS Foundations, that you want SecurityHub to check your environment against.
- Create Custom Insights – Create custom insights or use existing insights for specific threat detection that pertains to your AI development environment.
- Define Actions – Set up custom actions to take when findings are generated, for example sending notifications or invoking remediation processes.
Below is a Pulumi Python program illustrating how to set up AWS SecurityHub for an AI development environment.
```python
import pulumi
import pulumi_aws as aws
import pulumi_aws_native as aws_native

# Enable AWS SecurityHub
security_hub_account = aws.securityhub.Account("securityHubAccount",
    auto_enable_controls=True,      # Automatically enable new controls as they become available.
    enable_default_standards=True,  # Enable the default security standards, which include CIS AWS Foundations.
)
# For documentation, refer to:
# https://www.pulumi.com/registry/packages/aws/api-docs/securityhub/account/

# Define a custom insight for detecting unusual activity (just as an example)
custom_insight = aws.securityhub.Insight("customInsight",
    name="customInsight",
    filters={
        # Filter for the EC2 instance types used for AI development.
        # Several values for the same attribute are ORed.
        "resource_aws_ec2_instance_types": [
            {"comparison": "EQUALS", "value": "t2.micro"},
            {"comparison": "EQUALS", "value": "t2.small"},
        ],
        # Monitor network activity on destination ports 49152-65535.
        "network_destination_ports": [
            {"gte": "49152", "lte": "65535"},
        ],
        # Only get findings of high severity. The insight filters on the severity
        # label; HIGH and CRITICAL cover normalized scores of 70 and above.
        "severity_labels": [
            {"comparison": "EQUALS", "value": "HIGH"},
            {"comparison": "EQUALS", "value": "CRITICAL"},
        ],
    },
    # Group matching findings by the affected resource (the EC2 instance).
    group_by_attribute="ResourceId",
    opts=pulumi.ResourceOptions(depends_on=[security_hub_account]))
# For documentation, refer to:
# https://www.pulumi.com/registry/packages/aws/api-docs/securityhub/insight/

# Create a custom action target for high severity findings.
# Invoking it emits an EventBridge event; an EventBridge rule with an SNS
# target (not defined in this program) is what delivers the notification.
action_target = aws.securityhub.ActionTarget("sendNotification",
    identifier="HighSeverityAlert",  # Required; alphanumeric identifier of the action
    description="Send SNS notification when a high severity finding is generated",
    name="HighSeverityAlert",
    opts=pulumi.ResourceOptions(depends_on=[security_hub_account]))

# Create an automation rule that acts on high severity findings.
# Automation rules can only update finding fields (FINDING_FIELDS_UPDATE);
# they cannot publish to SNS themselves.
automation_rule = aws_native.securityhub.AutomationRule("highSeverityRule",
    description="Automation rule to annotate high severity findings",
    rule_name="HighSeverityNotification",
    rule_order=1,  # Evaluation order among automation rules (lower runs first)
    # Define the matching criteria for the automation rule
    criteria={
        "severity_label": [{
            "value": "HIGH",  # Match when the severity label of the finding is 'HIGH'
            "comparison": "EQUALS",
        }],
    },
    # Define the action the automation rule should apply
    actions=[{
        "type": "FINDING_FIELDS_UPDATE",
        "finding_fields_update": {
            "note": {
                "text": "This is a high severity finding requiring immediate attention",
                "updated_by": "SecurityHubAutomation",
            },
        },
    }])
# For documentation, refer to:
# https://www.pulumi.com/registry/packages/aws-native/api-docs/securityhub/automationrule/

# Export the SecurityHub Account ID and Action Target ARN
pulumi.export("securityHubAccountId", security_hub_account.id)
pulumi.export("actionTargetArn", action_target.arn)
```
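In this program, we enabled AWS SecurityHub to monitor the environment, defined a custom insight specific to AI development use cases (monitoring certain EC2 instance types and network activity), and set up a custom action and an automation rule for high severity findings. Security Hub does not publish to SNS on its own: findings and custom actions are delivered as EventBridge events, so the notification itself is sent by an EventBridge rule that targets an SNS topic.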
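To see which findings the insight described above would surface, the following added example (not part of the original program) applies the same three filters offline to constructed, minimal ASFF-shaped findings and groups the matches by instance. The function names and sample findings are assumptions made for illustration; the severity check uses the normalized score of 70 and above.

```python
from collections import Counter

# Filter values taken from the insight described above.
INSTANCE_TYPES = {"t2.micro", "t2.small"}
PORT_MIN, PORT_MAX = 49152, 65535
MIN_SEVERITY = 70  # normalized score: 70-89 is HIGH, 90-100 is CRITICAL


def matches_insight(finding):
    """Return True when a finding passes all three filters (attributes are ANDed)."""
    port = finding.get("Network", {}).get("DestinationPort")
    if port is None or not PORT_MIN <= port <= PORT_MAX:
        return False
    if finding.get("Severity", {}).get("Normalized", 0) < MIN_SEVERITY:
        return False
    # Several values for one attribute are ORed: either instance type qualifies.
    return any(
        r.get("Details", {}).get("AwsEc2Instance", {}).get("Type") in INSTANCE_TYPES
        for r in finding.get("Resources", [])
    )


def group_by_resource(findings):
    """Count matching findings per EC2 instance, mirroring the insight's grouping."""
    counts = Counter()
    for f in filter(matches_insight, findings):
        for r in f["Resources"]:
            if r.get("Type") == "AwsEc2Instance":
                counts[r["Id"]] += 1
    return counts


def make_finding(instance_id, instance_type, port, severity):
    """Build a minimal ASFF-shaped finding (constructed test data)."""
    return {
        "Severity": {"Normalized": severity},
        "Network": {"DestinationPort": port},
        "Resources": [{"Type": "AwsEc2Instance", "Id": instance_id,
                       "Details": {"AwsEc2Instance": {"Type": instance_type}}}],
    }


SAMPLE_FINDINGS = [  # constructed sample data, not real findings
    make_finding("i-aaa", "t2.micro", 50000, 80),    # matches
    make_finding("i-aaa", "t2.micro", 60123, 90),    # matches
    make_finding("i-bbb", "t2.small", 443, 90),      # port outside range
    make_finding("i-ccc", "p3.2xlarge", 50000, 95),  # instance type not listed
    make_finding("i-ddd", "t2.small", 49152, 40),    # severity too low
    make_finding("i-ddd", "t2.small", 65535, 70),    # matches (boundary values)
]
```

Calling `group_by_resource(SAMPLE_FINDINGS)` returns the per-instance counts, which makes it easy to check a filter change before deploying the insight.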
Refer to the AWS SecurityHub documentation for comprehensive insights into all supported features and configurations.
To use the code, you would need to install Pulumi and set up AWS access by configuring the Pulumi AWS provider. The program is expected to run in an environment where AWS credentials are already configured, such as through the AWS CLI or environment variables.