This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 10: How do you anticipate, respond to, and recover from incidents?

Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.

Resources

Prepare for and respond to security incidents in your AWS environment
Automating Incident Response and Forensics in AWS
DIY guide to runbooks, incident reports, and incident response
CloudEndure Disaster Recovery
AWS Incident Response Guide
Lab: Incident Response Playbook with Jupyter - AWS IAM
Lab: Incident Response with AWS Console and CLI

Best Practices:

Improvement Plan

Identify key personnel and external resources

  • Identify key personnel in your organization: Maintain a contact list of personnel within your organization that you would need to involve to respond to and recover from an incident.
  • Identify external partners: Engage with external partners, if necessary, who can help you respond to and recover from an incident.

Develop incident management plans

  • Review available resources: AWS and industry resources are available for you to use.
    AWS Security Incident Response Guide
    NIST: Computer Security Incident Handling Guide
  • Develop incident response playbooks: Easy-to-follow playbooks should detail the steps that you would take to respond to and recover from an incident.
  • Develop escalation and communications plans: Escalation and communications plans should include the personnel in your organization and the external parties that you must notify at each stage of an incident.
  • Develop an external public relations plan: Develop a plan for public relations to release information about an incident.

Prepare forensic capabilities

  • Identify forensic capabilities: Research your organization's forensic investigation capabilities, available tools, and external specialists.
    Automating Incident Response and Forensics

Automate containment capability

  • Automate containment capability

Pre-provision access

  • Pre-provision access: Ensure that security personnel have the correct access pre-provisioned in AWS so that an appropriate response can be made to an incident.

Pre-deploy tools

  • Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed in AWS so that an appropriate response can be made to an incident.
    Lab: Incident response with AWS Management Console and CLI
    Incident Response Playbook with Jupyter - AWS IAM
    AWS Security Automation
  • Implement resource tagging: Tag resources with information, such as a code for the resource under investigation, so that you can identify resources during an incident.
    AWS Tagging Strategies
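The containment and tagging items above, as an added example that is not part of the Well-Architected Framework or of any AWS code: a Python runbook step that tags an EC2 instance under investigation with the incident code, snapshots its volumes before anything is changed, and then swaps its security groups for a pre-provisioned isolation group. The ec2 client is injected, so the same function runs against boto3's ec2 client in production and against the in-memory stand-in below when exercised offline; the isolation group id, instance id, volume id and the `IncidentCode` / `OriginalSecurityGroups` tag keys are constructed assumptions.

```python
from dataclasses import dataclass, field

ISOLATION_SG = "sg-0isolation000000"  # constructed: pre-provisioned group with no rules


@dataclass
class FakeEc2:
    """Constructed stand-in for boto3.client("ec2"): records calls instead of making them."""
    instances: dict  # InstanceId -> record in describe_instances shape
    calls: list = field(default_factory=list)

    def describe_instances(self, InstanceIds):
        found = [self.instances[i] for i in InstanceIds if i in self.instances]
        return {"Reservations": [{"Instances": found}]}

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", Resources, Tags))

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId, Description))
        return {"SnapshotId": f"snap-{len(self.calls):04d}"}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, Groups))


def contain_instance(ec2, instance_id, incident_code, isolation_sg=ISOLATION_SG):
    """Tag, preserve evidence, then isolate; returns a record for the incident report."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if not instances:
        raise ValueError(f"{instance_id} not found")
    inst = instances[0]
    original_sgs = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    if original_sgs == [isolation_sg]:  # already contained: never repeat the steps
        return {"instance": instance_id, "already_isolated": True}
    # 1. Tag first so the case is visible on the resource, and keep the original groups there.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "IncidentCode", "Value": incident_code},
                          {"Key": "OriginalSecurityGroups", "Value": " ".join(original_sgs)}])
    # 2. Snapshot every attached EBS volume before the instance's state is touched.
    snapshots = [ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                                     Description=f"{incident_code} evidence")["SnapshotId"]
                 for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
    # 3. Replace all security groups with the isolation group, cutting network access.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    return {"instance": instance_id, "already_isolated": False,
            "original_security_groups": original_sgs, "snapshots": snapshots}


SAMPLE = {"i-0abc123def456789a": {"InstanceId": "i-0abc123def456789a",  # constructed inventory
          "SecurityGroups": [{"GroupId": "sg-0web00000000000a"}],
          "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0root0000000000a"}}]}}
```

Against a real account, pass `boto3.client("ec2")` in place of `FakeEc2(instances=dict(SAMPLE))`; the responder's role only needs the four EC2 actions the function calls.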

Run game days

  • Run game days: Run simulated incident response events (game days) for different threats that involve key staff and management.
  • Capture lessons learned: Lessons learned from running game days should be part of a feedback loop to improve your processes.