← Back to integrations
SIEM

AWS Security Lake

Trusteed enriches AWS Security Lake & Security Hub with IP risk scores and categories, filtering noise and surfacing high-risk threats.

Prerequisites

  • AWS Security Lake or Security Hub enabled in your AWS account
  • Trusteed account with IP Enrichment feed
  • Trusteed AWS Connector (Lambda function or container)
  • IAM role with permissions to write to Security Lake / Security Hub

Setup Steps

1. Deploy the Connector

  • Deploy the Trusteed Connector as an AWS Lambda, ECS task, or EC2 service.
  • Configure Trusteed API credentials + AWS credentials.

2. Fetch Trusteed Feed

Connector pulls feed:

IP, RiskScore, Category, FirstSeen, LastSeen
192.168.38.187,95,Botnet,2025-09-01,2025-09-20
192.168.38.186,70,Scanner,2025-09-05,2025-09-19

3. Load into Security Lake / Security Hub

  • Feed written into S3 bucket managed by Security Lake.
  • Data normalized into OCCF (Open Cybersecurity Schema Framework) format.
  • Security Hub findings enriched with Trusteed context (risk score, category).

4. Create GuardDuty / Security Hub Rules

  • Example rule:

if ip in Trusteed_IP_Enrichment and riskscore > 80
then raise High severity finding

5. Visualize in Athena / OpenSearch

  • Enrichment available in Athena queries and OpenSearch dashboards for hunting.

Outcome

  • AWS-native SOC tools enriched with Trusteed IP intelligence.
  • High-risk IPs surface in Security Hub dashboards.
  • Noise is filtered before reaching analysts.
  • Faster incident response across cloud workloads.

Next Steps

  • Extend to hybrid SOC by forwarding enriched findings into Splunk, QRadar, or Sentinel.
  • Automate remediation with AWS Lambda playbooks (block IP in VPC NACL / WAF).