AWS for M&E Blog

Collect and respond to security events: Aligning to the MovieLabs Common Security Architecture for Production (CSAP)

In the previous blog in this series, Securing production workflows in AWS: Aligning to the MovieLabs Common Security Architecture for Production (CSAP), we expanded the dailies editing use case to include asset ingest and exchange to vendors for workflows like Visual Effects (VFX), color correction, and final mastering. For these workflows, we discussed security best practices and alignment to the MovieLabs CSAP core and supporting components. In the final blog in the alignment series, we discuss how to monitor production environments for security incidents; respond, and remediate using Amazon Web Services (AWS) security services; and how AWS services map to CSAP supporting components.

Enabling traceability and responding to security events are both design principles of the AWS Well-Architected Security Pillar. These principles focus on ensuring you have the tools and technology in place to accurately monitor, audit, and investigate system or security issues within your environment so you can take action. Likewise, the MovieLabs CSAP contains two supporting security components: “Continuous monitoring and security operations” and “Threat analysis and intelligence” that closely resemble the Well-Architected design principles above.

Continuous monitoring and security operations

The Continuous Monitoring and Security Operations supporting component in the CSAP is responsible for conducting real-time analysis of data sources including network, system, and application logs. This analysis provides situational awareness to other components such as the Threat Analysis and Intelligence supporting component. The data collected is analyzed and can be used to generate alerts and mitigation strategies based on the current state of the system. These alerts are used to inform CSAP core components like the authorization and authentication service to ensure that resources and assets are properly secured. AWS provides a suite of tools and services to help customers monitor their infrastructure, baseline their desired system configuration, and automatically remediate deviations from the baseline or alert the security center of potential threats.

The example architecture demonstrates how you can use AWS security services to continuously monitor production workflows from a network, service, and application perspective to inform core components of the CSAP. We use the digital dailies sample architecture from the second blog in this series and add additional AWS services.

Expanding on the dailies editing use case, we show how you can collect information from your environment using logging services and generate security findings from those logs to auto-remediate potential issues such as OS vulnerabilities.

Figure 1: Detect and remediate security findings in a dailies editing workflow

The key function of this CSAP component is the ability to monitor and collect system, network, user, and asset activity and analyze the data to produce notifications of security events like attempted intrusion, devices falling out of compliance with security requirements, and performance issues. There are a number of AWS services that emit logs, but in the context of these functions, services like AWS CloudTrail and Amazon VPC Flow Logs are important. AWS CloudTrail logs API calls and IAM principal activity in your AWS environment with the option to enable granular logging of data events for other services like Amazon S3. VPC Flow Logs are a feature of Amazon VPC that allow you to capture IP traffic communication between network interfaces in VPCs. These services are used to collect and analyze data that may be used to identify critical security issues such as determining what IAM principal performed an action on a resource within a VPC.

Amazon GuardDuty relies on VPC Flow Logs, AWS CloudTrail logs, Amazon Route53 DNS query logs, and other optional data sources to identify malicious activity within your AWS environment. Amazon GuardDuty prioritizes and provides contextual information about what principal or resources the activity is related to so that you can mitigate the situation or remediate a security issue. AWS Config and Amazon Inspector can be used to detect misconfigurations against your security requirements and identify vulnerabilities in your systems. These services perform checks and produce findings on a continuous basis so you can respond to security events as they arise. AWS Security Hub enables you to collect, normalize, and correlate security findings along with partner security solutions across your AWS accounts to analyze security trends and identify security issues at scale. This allows you to create processes to respond to events from a single place. AWS Security Hub Custom Actions allow you to define workflows to remediate security issues. The custom action sends an event to an Amazon EventBridge bus where it can be consumed by downstream subscribers to remediate the issue. For example, an AWS Lambda function gets triggered when a patching event is received and runs code to patch the Amazon EC2 instance.

Threat analysis and intelligence

The Threat Analysis and Intelligence supporting component in the CSAP provides an overall threat landscape using data from internal security components and external sources. AWS provides services that generate threat intelligence data through correlation of AWS logs and threat intelligence feeds. Additionally, AWS provides services that analyze this data to provide an overall threat analysis of a customer’s AWS environment.

We are leveraging Amazon Security Lake (Preview) to centralize and normalize logs and security findings from AWS and third-party services. The normalized information can be fed into an SIEM solution to gather insights and send notifications downstream to security engineers or analysts for action.

Figure 2: Centralizing logs and security findings using Amazon Security Lake (Preview)

AWS Security Hub relies on internal and external sources to generate security findings (1). For example, Amazon GuardDuty leverages threat intelligence feeds to generate findings that rely on AWS and third-party sources to produce IP and domain lists that are known to be used by attackers. AWS Config relies on compliance standards as part of its conformance packs to identify security misconfigurations in AWS environments. Amazon Inspector uses sources like the National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE), and MITRE for identifying vulnerabilities in your AWS environment. Collectively, these services can be used as signals for downstream systems to make decisions on how to further secure systems that may interact with untrusted infrastructure.

The Threat Analysis and Intelligence component of CSAP relies on common systems like Security Information and Event Management (SIEM) tools to collect security data for analysis, refine security policies, and triggers notifications for security events. In addition to centralizing security findings in AWS Security Hub (2), customers can also use Amazon Security Lake (Preview) to aggregate logs and information across their AWS environment. For example, Amazon Security Lake can aggregate the normalized findings from Security Hub as well as third-party security sources that support the Open Cybersecurity Schema Framework (OCSF) (2, 3). OCSF was co-founded by AWS and a number of key security vendors to enable customers to ingest normalized security logs and data at scale from a variety of solutions so that they can focus on correlating and acting on the data. The data collected by Amazon Security Lake can be ingested into a SIEM solution so that security operations engineers can perform analysis and configure alerts on high priority or risk-based security issues that need to be acted on (3). These alerts can be propagated to CSAP core components and human operators using Amazon Simple Notification Service (SNS) so that necessary action can be taken within other components of the environment (4).


In this blog, we cover common best practices for monitoring production workflows for critical security issues and how you can leverage a variety of AWS services to collect important security findings that can be used to identify offending systems in your environment. We also cover the supporting components of the MovieLabs CSAP that align with these best practices and demonstrate different ways to centralize and act on these findings at scale within AWS. Many of these best practices are recommendations in our Security Reference Architecture along with how to manage, deploy, and operate the services as you adopt them.

Blake Franzen

Blake Franzen

Blake Franzen is a Security Solutions Architect with AWS in Seattle supporting Media & Entertainment companies. His passion is driving customers to a more secure AWS environment while ensuring they can innovate and move fast. Outside of work, he is an avid movie buff and enjoys recreational sports.

Kim Wendt

Kim Wendt

Kim Wendt is a Solutions Architect at Amazon Web Services (AWS), responsible for helping global Media & Entertainment companies on their journey to the cloud. Prior to AWS, she was a Software Developer and uses her development skills to build solutions for customers. She has a passion for continuous learning and holds a Master's degree from Georgia Tech in Computer Science with a Machine Learning specialization. In her free time, she enjoys reading and exploring the PNW with her husband and dog.