Reduce threats by responding effectively to security vulnerabilities
This Guidance helps you respond effectively to a security incident based on decisions specified in your incident response plan. The response involves characterizing the nature of the incident and making changes, which may include restoring operational status, identifying and remediating the root cause, and gathering evidence for civil or criminal prosecution.
Please note: [Disclaimer]
Architecture Diagram
Step 1
Establish an incident response team and incident response plan.
Step 2
Deploy an AWS Config configuration recorder and delivery channel to all operating Regions in all member accounts. Review service control policies (SCPs) for examples of deny list policy strategies. Configure the delivery channel to send to the AWS Config Amazon Simple Storage Service (Amazon S3) bucket in the Log Archive account.
Step 3
Enable AWS Security Hub for your organization using the AWS Security Hub and AWS Organizations user guide to centralize security findings into a single account. Configure cross-Region aggregation to centralize Regional security findings in one Region.
Step 4
Delegate the administration of AWS Security Hub to the Security Tooling Account to allow the security team to manage the Security Hub and any findings outside of the management account.
Step 5
Respond to the incident based on the incident response plan. This can include recovery of systems, remediating findings, or isolating affected systems. The Automated Security Response on AWS solution creates predefined response and remediation actions based on industry compliance standards.
Step 6
Send security event logs to a centralized Amazon S3 bucket in the Log Archive account for retention as required.
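Steps 2 through 6 only hold if the AWS Config recorder and delivery channel really exist, and are recording, in every Region of every member account and deliver to the Log Archive bucket. The following audit script is an added example, not part of this Guidance: it evaluates describe_configuration_recorder_status and describe_delivery_channels responses (shown here as constructed sample data; the account IDs and bucket name are placeholders) and reports every account/Region pair that falls short.

```python
"""Audit AWS Config coverage across member accounts and Regions (Step 2 check)."""
from typing import Dict, List, Tuple

# Placeholder for the bucket in the Log Archive account (assumed name).
LOG_ARCHIVE_BUCKET = "example-log-archive-config-bucket"

# Constructed sample inventory: account -> Region -> trimmed API responses in the
# same shape boto3 returns them (ConfigurationRecordersStatus / DeliveryChannels).
SAMPLE_INVENTORY = {
    "111111111111": {
        "us-east-1": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}],
                      "DeliveryChannels": [{"name": "default", "s3BucketName": LOG_ARCHIVE_BUCKET}]},
        "eu-west-1": {"ConfigurationRecordersStatus": [], "DeliveryChannels": []},
    },
    "222222222222": {
        "us-east-1": {"ConfigurationRecordersStatus": [{"name": "default", "recording": False}],
                      "DeliveryChannels": [{"name": "default", "s3BucketName": "local-bucket"}]},
        "eu-west-1": {"ConfigurationRecordersStatus": [{"name": "default", "recording": True}],
                      "DeliveryChannels": [{"name": "default", "s3BucketName": LOG_ARCHIVE_BUCKET}]},
    },
}


def audit_region(status: Dict, expected_bucket: str) -> List[str]:
    """Return the list of gaps for one account/Region pair (empty list = compliant)."""
    findings = []
    recorders = status.get("ConfigurationRecordersStatus", [])
    if not recorders:
        findings.append("no configuration recorder")
    elif not any(r.get("recording") for r in recorders):
        findings.append("recorder present but not recording")
    channels = status.get("DeliveryChannels", [])
    if not channels:
        findings.append("no delivery channel")
    else:
        # Every channel must deliver to the centralized Log Archive bucket.
        wrong = [c.get("s3BucketName") for c in channels if c.get("s3BucketName") != expected_bucket]
        if wrong:
            findings.append(f"delivery channel targets {wrong[0]}, not the Log Archive bucket")
    return findings


def audit_org(inventory: Dict[str, Dict[str, Dict]], expected_bucket: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (account, Region) -> findings for every pair that is not fully covered."""
    gaps = {}
    for account, regions in inventory.items():
        for region, status in regions.items():
            findings = audit_region(status, expected_bucket)
            if findings:
                gaps[(account, region)] = findings
    return gaps


if __name__ == "__main__":
    for (account, region), findings in sorted(audit_org(SAMPLE_INVENTORY, LOG_ARCHIVE_BUCKET).items()):
        print(f"{account} {region}: {'; '.join(findings)}")
```

To run this against real accounts, build the inventory by assuming a role in each member account and calling the `config` client's `describe_configuration_recorder_status()` and `describe_delivery_channels()` per Region; the two functions above are unchanged.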
Additional Considerations
Due to the critical need for data protection, regulatory compliance, and the complex nature of the cloud infrastructure, this Guidance for Security Incident Response on AWS is an essential component in building your cloud foundation.
The cloud's scalability and rapid resource deployment capabilities present both advantages and risks. While businesses benefit from the agility the cloud provides, malicious actors can exploit vulnerabilities. An effective security incident response plan is essential for coordinating efforts and promptly addressing security threats. Additionally, the shared responsibility model in cloud computing necessitates a clear understanding of security responsibilities between the cloud provider and you.
Effectively responding to security incidents includes collecting and preserving evidence for analysis, which is why this Guidance extends beyond containment and mitigation to post-incident analysis and continuous improvement. The insights gained from post-incident analysis can inform security enhancements, policy updates, and overall improvements to an organization's security posture.
Related Content
- Stakeholders: Security (primary), Central IT, Networking
- Supporting Capabilities: Vulnerability and Threat Management, Identity Management and Access Control, Observability, Resource Inventory Management, Network Security
- For additional information on this capability, read the whitepaper.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.