← Back to integrations
SIEM
AWS Security Lake
Trusteed enriches AWS Security Lake & Security Hub with IP risk scores and categories, filtering noise and surfacing high-risk threats.
Prerequisites
- AWS Security Lake or Security Hub enabled in your AWS account
- Trusteed account with IP Enrichment feed
- Trusteed AWS Connector (Lambda function or container)
- IAM role with permissions to write to Security Lake / Security Hub
Setup Steps
1. Deploy the Connector
- Deploy the Trusteed Connector as an AWS Lambda, ECS task, or EC2 service.
- Configure Trusteed API credentials + AWS credentials.
2. Fetch Trusteed Feed
Connector pulls feed:
IP, RiskScore, Category, FirstSeen, LastSeen
192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19
3. Load into Security Lake / Security Hub
- Feed written into S3 bucket managed by Security Lake.
- Data normalized into OCCF (Open Cybersecurity Schema Framework) format.
- Security Hub findings enriched with Trusteed context (risk score, category).
4. Create GuardDuty / Security Hub Rules
- Example rule:
if ip in Trusteed_IP_Enrichment and riskscore > 80
then raise High severity finding
5. Visualize in Athena / OpenSearch
- Enrichment available in Athena queries and OpenSearch dashboards for hunting.
Outcome
- AWS-native SOC tools enriched with Trusteed IP intelligence.
- High-risk IPs surface in Security Hub dashboards.
- Noise is filtered before reaching analysts.
- Faster incident response across cloud workloads.
Next Steps
- Extend to hybrid SOC by forwarding enriched findings into Splunk, QRadar, or Sentinel.
- Automate remediation with AWS Lambda playbooks (block IP in VPC NACL / WAF).