SEC 4: How do you detect and investigate security events?
Define requirements for logs: Define requirements for retention and access control for logs to meet your organizational, legal, and compliance requirements.
Define requirements for metrics: Collecting metrics and defining baselines allows you to gain insights to potential security threats.
Define requirements for alerts: Define who should receive alerts and what they should do with the alerts they receive.
Configure service and application logging: Configure logging throughout the workload, including application logs, AWS services logs, and resource logs.
Analyze logs centrally: All logs should be collected centrally and automatically analyzed to detect anomalies and indicators of malicious activity or compromise.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
- Identify AWS compliance resources: Identify resources that AWS has available to assist.
AWS cloud compliance
- Evaluate log processing capabilities: Evaluate the options that are available for processing logs.
Use Amazon Elasticsearch Service to log and monitor (almost) everything
Find a partner that specializes in logging and monitoring solutions
Find a logging and analytics solution on AWS Marketplace
Implement detective controls
- Configure Amazon GuardDuty: Amazon GuardDuty is a continuous security monitoring service that analyzes and processes logs from different AWS services.
- Configure a trail in CloudTrail: Configuring a trail enables you to store logs for longer than the default period and analyze them.
Creating a trail in CloudTrail
- Enable AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over
- Enable AWS Config rules: Use AWS Config to evaluate the configuration settings of your AWS resources. Create custom rules and configure managed rules that represent your ideal configuration state.
Evaluating resources with Rules
- Evaluate and enable the logging capabilities of the services you are using: Logging capabilities such as the following are available: VPC flow logs, ELB logs, S3 bucket logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs.
AWS Answers: native AWS security-logging capabilities
- Evaluate and enable logging of operating systems and application-specific logs to detect suspicious behavior.
Getting started with CloudWatch Logs
- Apply appropriate controls to the logs: Logs can contain sensitive information and only authorized users should have access. Consider restricting permissions to S3 buckets and CloudWatch Logs log groups.
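As an added example (not from the Well-Architected page), the following Python script applies the "analyze logs centrally" and CloudTrail guidance above: it parses a CloudTrail log file and flags records that warrant investigation, such as calls that disable logging, root account activity, failed console sign-ins and access-denied errors. The records in SAMPLE_LOG are constructed, and the four detection rules are assumptions chosen for illustration rather than a list AWS prescribes.

```python
"""Triage CloudTrail records for events that warrant investigation.
Added example, not from the Well-Architected page. SAMPLE_LOG is a constructed
CloudTrail log file; in practice records come from the trail's S3 bucket or log group."""

import json

# Assumed rule: API calls that degrade audit logging itself should always be reviewed.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                         "PutEventSelectors", "DeleteFlowLogs"}

def classify(record):
    """Return a finding label for one CloudTrail record, or None if it looks benign."""
    name = record.get("eventName", "")
    identity = record.get("userIdentity", {})
    if name in LOGGING_TAMPER_EVENTS:
        return "logging-tampering"
    if identity.get("type") == "Root":
        return "root-account-activity"
    if name == "ConsoleLogin" and record.get("responseElements", {}).get("ConsoleLogin") == "Failure":
        return "failed-console-login"
    if record.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
        return "access-denied"
    return None

def scan(log_text):
    """Parse a CloudTrail log file ({"Records": [...]}) and return one dict per finding."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        label = classify(rec)
        if label:
            findings.append({"finding": label, "eventTime": rec.get("eventTime"),
                             "eventName": rec.get("eventName"),
                             "sourceIPAddress": rec.get("sourceIPAddress"),
                             "principal": rec.get("userIdentity", {}).get("arn")})
    return findings

# Constructed records: one benign call followed by four that each trip one rule.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2020-01-01T10:00:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "192.0.2.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2020-01-01T10:05:00Z", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
    {"eventTime": "2020-01-01T10:06:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2020-01-01T10:07:00Z", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2020-01-01T10:08:00Z", "eventName": "GetSecretValue", "sourceIPAddress": "192.0.2.10", "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]})

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pointing scan() at real trail files delivered to S3 (and keeping the findings in a central account) is the automated analysis the best practice calls for; the labels map naturally onto the alert recipients defined under "Define requirements for alerts".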
Implement investigation techniques
- Develop investigation processes: Develop processes to investigate different types of events, including escalation paths for incident response processes.
- Automate investigation processes: Develop automated processes that investigate an event and report information to an administrator to save time.