This Guidance helps you identify vulnerabilities that can affect the availability, performance, or security of your cloud environment. Using this capability, you can assess the impact and scope of threats and vulnerabilities and then quickly address or remediate them. By implementing threat and vulnerability management, you can protect your data and fortify your security posture as your cloud environment grows.
Architecture Diagram
Step 1
Establish an incident response team and an incident response plan.
Step 2
Enable Amazon GuardDuty and AWS Security Hub and delegate their administration (following the AWS Organizations integration documentation for GuardDuty and Security Hub) to the Security Tooling account in the security organizational unit (OU). This moves the administration of these tools out of the management account.
Step 3
GuardDuty findings are sent to Security Hub. Use Security Hub in the aggregation AWS Region of your Security Tooling account for a comprehensive view of the security state across your organization and to respond to security incidents.
Step 4
Use AWS Config to deploy a configuration recorder and delivery channel to all operating Regions (that are not prohibited by your service control policies) in all member accounts to identify and track assets.
Deploy an AWS Config aggregator in the Security Tooling account to centrally view or query the resource configuration and compliance of AWS Config resources.
Step 5
Create AWS Config rules using detective controls in AWS Control Tower or using AWS Config managed rules to evaluate your resource configurations and confirm alignment to best practices.
Step 6
Enable Amazon Inspector in the accounts in your organization to identify vulnerabilities in Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Container Registry (Amazon ECR) container images, and AWS Lambda functions. The findings are sent to Security Hub and centralized in the Security Tooling account.
Step 7
Respond to the incident based on your incident response plan. This can include recovering systems, remediating findings, or isolating affected systems. Automated Security Response on AWS creates predefined response and remediation actions based on industry compliance standards.
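As an added example (not part of this Guidance or any AWS solution), the following Python triages findings that Steps 3 and 6 centralize in Security Hub and routes them to the response actions named in Step 7. The findings are constructed in the AWS Security Finding Format (ASFF) shape, and the routing policy (isolate active threats, remediate vulnerabilities, review the rest) is an assumed incident response plan, not an AWS default.

```python
from collections import defaultdict

# Constructed ASFF findings (not real data), trimmed to the fields used here.
SAMPLE_FINDINGS = [
    {"Id": "gd-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "Region": "us-east-1",
     "Severity": {"Label": "HIGH"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}]},
    {"Id": "insp-1", "ProductName": "Inspector", "AwsAccountId": "222222222222", "Region": "eu-west-1",
     "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": "repo/app@sha256:example"}]},
    {"Id": "gd-2", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "Region": "us-east-1",
     "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE",
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example2"}]},
]
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def is_open(finding):
    """Only ACTIVE findings whose workflow is still NEW/NOTIFIED need a response."""
    status = finding.get("Workflow", {}).get("Status")
    return finding.get("RecordState") == "ACTIVE" and status in ("NEW", "NOTIFIED")

def response_action(finding):
    """Illustrative routing (an assumption, not an AWS default): contain active
    threats first, patch vulnerable images/functions, review everything else."""
    rank = SEVERITY_RANK.get(finding["Severity"]["Label"], 0)
    if finding.get("ProductName") == "GuardDuty" and rank >= SEVERITY_RANK["HIGH"]:
        return "isolate"
    if finding.get("ProductName") == "Inspector" and rank >= SEVERITY_RANK["HIGH"]:
        return "remediate"
    return "review"

def triage(findings, min_severity="MEDIUM"):
    """Build a response queue, highest severity first, one entry per affected resource."""
    floor, queue = SEVERITY_RANK[min_severity], []
    for f in findings:
        rank = SEVERITY_RANK.get(f["Severity"]["Label"], 0)
        if not is_open(f) or rank < floor:
            continue  # already handled, or below the plan's triage threshold
        for res in f.get("Resources", []):
            queue.append({"finding": f["Id"], "account": f["AwsAccountId"], "region": f["Region"],
                          "resource": res["Id"], "severity": rank, "action": response_action(f)})
    return sorted(queue, key=lambda q: -q["severity"])

def summarize_by_account(queue):
    """Count queued actions per member account for the incident response team."""
    counts = defaultdict(lambda: defaultdict(int))
    for item in queue:
        counts[item["account"]][item["action"]] += 1
    return {acct: dict(actions) for acct, actions in counts.items()}
```

In practice the input would come from the Security Hub GetFindings API in the aggregation Region; the same logic applies unchanged because ASFF normalizes GuardDuty and Inspector findings into one schema.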
Additional Considerations
Threat and vulnerability management is a critical function of your foundational cloud environment. With the ever-evolving threat landscape and the shared responsibility model in cloud computing—where customers share security responsibilities with cloud providers—proactive threat and vulnerability management has become fundamental to identifying and addressing emerging risks and maintaining the integrity of cloud-based operations.
To protect sensitive information from unauthorized access and theft, you must be able to detect and resolve threats and vulnerabilities. Compliance requirements—such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA)—necessitate rigorous data protection measures, making threat and vulnerability management crucial for regulatory adherence and avoidance of legal penalties. Additionally, security breaches can incur substantial costs, including fines, legal fees, and damage to your organization’s reputation. By detecting security breaches in a timely manner, you can mitigate these risks and maintain business continuity.
Related Content
- Stakeholders: Central IT (primary), Security, Operations, Finance
- Supporting Capabilities: Identity Management and Access Control, Governance, Workload Isolation, Security Incident Response
- For additional information on this capability, refer to Establishing Your Cloud Foundation on AWS.
Disclaimer
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.