Detecting Incidents – Determining Security Requirements and Controls – SAP-C02 Study Guide

Detecting Incidents

Even after you have put all the necessary measures in place to protect your infrastructure and your data, you are only halfway through ensuring security. Despite all the protections implemented, some incidents can still occur. It can be any type of incident—a security breach, a data leak, a system misconfiguration, a configuration change, or unexpected behavior. If you don’t do anything to check for such incidents, they will go undetected most of the time, causing potentially acute damage to your business.

The following subsection discusses the various approaches to incident detection.

Picking the Right Tool for the Right Task

First, activate AWS CloudTrail on all your accounts. AWS CloudTrail logs keep a record of all activity (such as who made what request, at what time, and from which IP address) that took place within your account, whether the related actions come from the AWS Management Console, the AWS CLI, or by using AWS SDKs. As we have already discussed in Chapter 3, Designing a Multi-Account AWS Environment for Complex Organizations, it is recommended, especially in complex organizations, to centralize the CloudTrail logs from all your accounts in a specific account for the usage of your security and audit teams.

Second, leverage AWS Config to continuously monitor and record any configuration change in your AWS resources. AWS Config also allows you to review the configuration history of your resources. AWS Config integrates with CloudTrail to correlate configuration changes to events that took place within your account. To monitor and detect configuration changes, you create AWS Config rules that get triggered whenever compliance with the specified rules is breached. AWS Config rules can be deployed standalone or as part of a conformance pack. Multiple conformance packs are available to group-related rules together, whether it is by service affinity (such as Operational Best Practices for Amazon S3) or by compliance affinity (such as Operational Best Practices for HIPAA Security). In a multi-account organization, AWS Config allows you to centralize both the rules management and the collection of findings to provide complete visibility and control of the compliance status against your own rules across your entire organization.

Figure 5.4 shows some examples of incident detection and centralized CloudTrail logs:

Figure 5.4: Incident detection and centralized CloudTrail logs

Third, turn on automatic threat detection with Amazon GuardDuty to identify any malicious activity across your organization. GuardDuty leverages machine learning (ML) techniques to analyze all events coming through your CloudTrail logs, Amazon VPC Flow Logs, and Domain Name System (DNS) logs. It automatically identifies and prioritizes threats based on your account’s behavior—for instance, compromised credentials or unusual data access.

Finally, leverage AWS Security Hub as the central place to aggregate, organize, and prioritize your security alerts or findings. It collects information from multiple sources such as Amazon GuardDuty, Amazon Macie, Amazon Inspector, AWS Firewall Manager, and so on, including third-party solutions. AWS Security Hub can conduct automated security checks to verify compliance with industry standards and best practices, such as the CIS AWS Foundations Benchmark. Its role is to centralize and prioritize security findings from your AWS environment, across all your AWS accounts. It also integrates with third-party solutions, either to ingest findings they may produce or to act based on its own findings, for instance, alerting a specific group of people to act swiftly in presence of a critical risk or feeding your IT service management system with findings to trigger a specific workflow.