This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 4: How do you detect and investigate security events?

Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.

Resources

Threat management in the cloud: Amazon GuardDuty and AWS Security Hub
Remediating Amazon GuardDuty and AWS Security Hub Findings
Centrally Monitoring Resource Configuration and Compliance
Setting up Amazon GuardDuty
AWS Security Hub
Amazon CloudWatch
Getting started: Amazon CloudWatch Logs
Amazon EventBridge
AWS Config
AWS Answers: Centralized Logging
Security Partner Solutions: Logging and Monitoring

Best Practices:

Improvement Plan

Configure service and application logging

  • Enable logging of AWS services: Enable the logging of AWS services to meet your requirements. Logging capabilities include the following: VPC Flow Logs, ELB logs, S3 bucket logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs.
    AWS Answers: native AWS security-logging capabilities
  • Evaluate and enable logging of operating systems and application-specific logs: Evaluate and enable logging of operating systems and application-specific logs to detect suspicious behavior.
    Getting started with CloudWatch Logs
    Developer Tools/Log Analysis
  • Apply appropriate controls to the logs: Logs can contain sensitive information and only authorized users should have access. Consider restricting permissions to S3 buckets and CloudWatch Logs log groups.
    Authentication and Access Control for Amazon CloudWatch
    Identity and access management in Amazon S3
  • Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously looks for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated email alerts by following the lab.
    Amazon GuardDuty
    Lab: Automated Deployment of Detective Controls
  • Configure customized trail in CloudTrail: Configuring a trail enables you to store logs for longer than the default period, and analyze them later.
    Creating a trail in CloudTrail
    Lab: Automated Deployment of Detective Controls
  • Enable AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were previously configured so that you can see how the configurations and relationships change over time.
    AWS Config
    Lab: Automated Deployment of Detective Controls
  • Enable AWS Security Hub: AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your compliance with the security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.
    AWS Security Hub
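Enabling VPC Flow Logs only pays off once something reads them. The following is an added example (not code from AWS or the Well-Architected lab) that parses flow log records in the default version 2 format, skips NODATA/SKIPDATA records, and flags sources whose rejected traffic touches many distinct destination ports, which is the kind of suspicious behavior the logging is meant to surface. The log lines are constructed; the interface ID, addresses and the 5-port threshold are this example's assumptions.

```python
"""Parse VPC Flow Log records (default format, version 2) and flag sources
whose REJECTed flows reach many distinct destination ports.
Added example, not AWS code; all log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets byte_count start end action log_status").split()

# Constructed sample: one host is rejected on six different ports of 10.0.2.15,
# another host has normal traffic plus a single rejected flow, and one record
# is NODATA (no traffic in the window; counters are '-').
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51003 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51004 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51005 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.10 10.0.2.15 51006 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.7 10.0.2.15 40001 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.7 10.0.2.15 40002 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    start: int
    end: int
    action: str
    log_status: str


def parse_line(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, whose
    address, port and counter fields are '-' and cannot be converted."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        account_id=rec["account_id"], interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]), packets=int(rec["packets"]),
        byte_count=int(rec["byte_count"]), start=int(rec["start"]),
        end=int(rec["end"]), action=rec["action"], log_status=rec["log_status"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    """Parse a whole file; files delivered to S3 carry a header row."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("version "):
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def rejected_port_sweeps(records: List[FlowRecord], min_ports: int = 5) -> Dict[str, List[int]]:
    """Map each source whose REJECTed flows hit at least min_ports distinct
    destination ports to the sorted list of those ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} OK records")
    for src, p in rejected_port_sweeps(recs).items():
        print(f"{src}: rejected on {len(p)} distinct ports {p}")
```

In practice the same parser runs over files pulled from the flow log S3 bucket or CloudWatch Logs log group, and the threshold is tuned per environment; `parse_line` raises on a malformed record rather than silently skipping it, so a format change (for instance a custom field set) is noticed immediately.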

Analyze logs, findings, and metrics centrally

  • Evaluate log processing capabilities: Evaluate the options that are available for processing logs.
    Use Amazon OpenSearch Service to log and monitor (almost) everything
    Find a partner that specializes in logging and monitoring solutions
  • As a start for analyzing CloudTrail logs, test Amazon Athena.
    Configuring Athena to analyze CloudTrail logs
  • Implement centralized logging in AWS: AWS example solution to centralize logging from multiple sources.
    Centralize logging solution
  • Implement centralized logging with a partner: APN Partners have solutions to help you analyze logs centrally.
    Logging and Monitoring
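The core of centralizing CloudTrail is reading files from many accounts and regions and folding them into one timeline. The following is an added example (not AWS's centralized logging solution) that recovers the account and region from the S3 object key layout CloudTrail uses for delivery, decodes the gzipped JSON files, skips digest files, and returns events sorted by time. The objects are constructed in memory to stand in for objects read from a central log bucket; the account IDs, file names and events are assumptions.

```python
"""Merge CloudTrail log files delivered from several accounts and regions
into one time-ordered stream, tagging each event with the account and
region recovered from its S3 object key.
Added example, not AWS's solution; the objects below are constructed."""
import gzip
import json
import re
from typing import Dict, List, Optional, Tuple

# Object key layout used by CloudTrail delivery to S3:
#   AWSLogs/<account-id>/CloudTrail/<region>/<YYYY>/<MM>/<DD>/<file>.json.gz
# Organization trails insert the organization ID (o-...) before the account.
# Digest files live under CloudTrail-Digest/ and are deliberately not matched.
KEY_RE = re.compile(
    r"^AWSLogs/(?:o-[a-z0-9]+/)?(?P<account>\d{12})/CloudTrail/"
    r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)/\d{4}/\d{2}/\d{2}/[^/]+\.json\.gz$"
)


def parse_key(key: str) -> Optional[Tuple[str, str]]:
    """Return (account_id, region) for a CloudTrail log object key, or None
    for keys that are not log files (digests, stray objects)."""
    m = KEY_RE.match(key)
    return (m.group("account"), m.group("region")) if m else None


def _gz_json(obj: dict) -> bytes:
    """Encode a dict the way CloudTrail delivers files: gzipped JSON."""
    return gzip.compress(json.dumps(obj).encode())


# Constructed sample objects: two accounts, two regions, plus a digest file.
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "AWSLogs/111111111111/CloudTrail/us-east-1/2024/05/01/111111111111_CloudTrail_us-east-1_20240501T1205Z_a.json.gz":
        _gz_json({"Records": [
            {"eventTime": "2024-05-01T12:03:10Z", "eventName": "ConsoleLogin",
             "eventSource": "signin.amazonaws.com",
             "userIdentity": {"type": "IAMUser", "userName": "alice"}},
            {"eventTime": "2024-05-01T12:04:55Z", "eventName": "StopLogging",
             "eventSource": "cloudtrail.amazonaws.com",
             "userIdentity": {"type": "IAMUser", "userName": "alice"}},
        ]}),
    "AWSLogs/222222222222/CloudTrail/eu-west-1/2024/05/01/222222222222_CloudTrail_eu-west-1_20240501T1205Z_b.json.gz":
        _gz_json({"Records": [
            {"eventTime": "2024-05-01T12:02:30Z", "eventName": "RunInstances",
             "eventSource": "ec2.amazonaws.com",
             "userIdentity": {"type": "AssumedRole",
                              "arn": "arn:aws:sts::222222222222:assumed-role/Deploy/ci"}},
        ]}),
    "AWSLogs/111111111111/CloudTrail-Digest/us-east-1/2024/05/01/111111111111_CloudTrail-Digest_us-east-1_20240501T1205Z.json.gz":
        _gz_json({"digestStartTime": "2024-05-01T11:05:00Z", "logFiles": []}),
}


def principal(identity: dict) -> str:
    """Best-effort readable actor from a CloudTrail userIdentity block."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def merge_trails(objects: Dict[str, bytes]) -> Tuple[List[dict], List[str]]:
    """Decode every log object, tag its events with account/region from the
    key, and return (events sorted by eventTime, keys that were skipped).
    CloudTrail's ISO-8601 UTC timestamps sort correctly as strings."""
    events, skipped = [], []
    for key, body in objects.items():
        tag = parse_key(key)
        if tag is None:
            skipped.append(key)
            continue
        account, region = tag
        payload = json.loads(gzip.decompress(body))
        for rec in payload.get("Records", []):
            events.append({
                "eventTime": rec["eventTime"], "account": account, "region": region,
                "eventSource": rec.get("eventSource"), "eventName": rec.get("eventName"),
                "principal": principal(rec.get("userIdentity", {})),
            })
    events.sort(key=lambda e: e["eventTime"])
    return events, skipped


if __name__ == "__main__":
    timeline, skipped = merge_trails(SAMPLE_OBJECTS)
    for e in timeline:
        print(f'{e["eventTime"]} {e["account"]} {e["region"]:<10} {e["eventName"]:<14} {e["principal"]}')
    print(f"skipped {len(skipped)} non-log object(s)")
```

Tagging from the key rather than trusting only the record's own `recipientAccountId` lets you notice files landing under the wrong prefix, and keeping the skipped-key list visible shows when a bucket contains objects the pipeline does not understand.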

Automate response to events

  • Implement automated alerting with Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts.
    Lab: Automated Deployment of Detective Controls
  • Automate investigation processes: Develop automated processes that investigate an event and report information to an administrator to save time.
    Lab: Amazon GuardDuty hands on
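An automated investigation step usually starts from the GuardDuty finding as EventBridge delivers it: the finding JSON sits in the event's `detail` field. The following is an added example (not the lab's code) that validates the event source, ignores archived findings, bands the severity the way GuardDuty does (low 1 to 3.9, medium 4 to 6.9, high 7 to 8.9), extracts the affected resource, and returns a response plan an administrator can act on. The event is constructed, and the `next_step` names are this example's own convention.

```python
"""Triage an Amazon GuardDuty finding as delivered by EventBridge and
produce a response plan. Added example, not the lab's code; the event is
constructed and the next_step names are this example's own convention."""
from typing import Dict, Optional

# Constructed EventBridge event carrying a GuardDuty finding. The "detail"
# field holds the finding in GuardDuty's own JSON format.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "time": "2024-05-01T12:05:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "123456789012",
        "region": "us-east-1",
        "id": "00aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,
        "title": "EXAMPLE: SSH brute force attempts against i-0123456789abcdef0",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {"count": 12, "archived": False},
    },
}


def severity_band(score: float) -> str:
    """GuardDuty severity bands: low 1-3.9, medium 4-6.9, high 7-8.9."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def affected_resource(resource: dict) -> Dict[str, str]:
    """Identify the affected resource for the resource types most often seen
    in findings; unknown types are reported by type only."""
    rtype = resource.get("resourceType", "Unknown")
    if rtype == "Instance":
        return {"type": rtype, "id": resource["instanceDetails"]["instanceId"]}
    if rtype == "AccessKey":
        d = resource["accessKeyDetails"]
        return {"type": rtype, "id": d.get("accessKeyId", ""), "user": d.get("userName", "")}
    if rtype == "S3Bucket":
        names = [b["name"] for b in resource.get("s3BucketDetails", [])]
        return {"type": rtype, "id": ",".join(names)}
    return {"type": rtype, "id": ""}


def triage(event: dict) -> Optional[dict]:
    """Return a response plan for a GuardDuty finding event, or None when the
    event is not a live GuardDuty finding (wrong source/type, or archived)."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    finding = event["detail"]
    if finding.get("service", {}).get("archived"):
        return None
    band = severity_band(float(finding.get("severity", 0)))
    # This example's own mapping from severity band to the next step.
    next_step = {"high": "page_oncall_and_isolate",
                 "medium": "open_ticket",
                 "low": "record_only"}[band]
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "type": finding["type"],
        "severity": band,
        "resource": affected_resource(finding.get("resource", {})),
        "occurrences": finding.get("service", {}).get("count", 1),
        "next_step": next_step,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Wired up as a Lambda handler behind an EventBridge rule for `aws.guardduty`, the returned plan is what gets sent to the administrator (email via SNS in the lab) or handed to a remediation step; rejecting events from other sources keeps a misconfigured rule from triggering actions on unrelated events.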

Implement actionable security events

  • Discover metrics available for AWS services: Discover the metrics that are available through CloudWatch for the services that you are using.
    AWS service documentation
    Using Amazon CloudWatch Metrics
  • Configure Amazon CloudWatch alarms.
    Using Amazon CloudWatch Alarms
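A CloudWatch alarm on CloudTrail is a metric filter (a pattern over log events) plus a threshold evaluated per period. The following is an added example (not AWS code) that expresses three commonly recommended CloudTrail filter patterns as Python predicates, buckets matches into 5-minute periods the way a metric with statistic Sum would, and reports which (metric, period) pairs cross their threshold. The records and thresholds are constructed; the pattern text in the comments is the CloudWatch Logs filter syntax each predicate mirrors.

```python
"""Evaluate CloudWatch-style metric filters over CloudTrail records and
raise alarms when a filter's count within a period reaches a threshold.
Added example, not AWS code; records and thresholds are constructed."""
from collections import Counter
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

Record = dict

# Each predicate mirrors a CloudWatch Logs filter pattern (shown in the comment).
FILTERS: Dict[str, Callable[[Record], bool]] = {
    # { ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }
    "UnauthorizedAPICalls": lambda r: str(r.get("errorCode", "")).endswith("UnauthorizedOperation")
                                       or str(r.get("errorCode", "")).startswith("AccessDenied"),
    # { ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }
    "ConsoleSigninWithoutMFA": lambda r: r.get("eventName") == "ConsoleLogin"
                                         and r.get("additionalEventData", {}).get("MFAUsed") != "Yes",
    # { ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail)
    #   || ($.eventName = StartLogging) || ($.eventName = StopLogging) }
    "CloudTrailChanges": lambda r: r.get("eventName") in
        {"CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging"},
}

# Constructed CloudTrail records (only the fields the filters look at).
SAMPLE_RECORDS: List[Record] = [
    {"eventTime": "2024-05-01T12:00:10Z", "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-05-01T12:01:20Z", "eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T12:03:05Z", "eventName": "ListBuckets", "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T12:07:40Z", "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T12:08:00Z", "eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T12:12:15Z", "eventName": "StopLogging"},
    {"eventTime": "2024-05-01T12:13:00Z", "eventName": "DescribeInstances"},
]


def period_start(event_time: str, period_s: int) -> int:
    """Epoch second at which the period containing event_time begins."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    return int(ts) - int(ts) % period_s


def metric_counts(records: List[Record], period_s: int = 300) -> Dict[Tuple[str, int], int]:
    """Count filter matches per (metric name, period start), like a metric
    filter publishing value 1 per matching event."""
    counts: Counter = Counter()
    for r in records:
        start = period_start(r["eventTime"], period_s)
        for name, predicate in FILTERS.items():
            if predicate(r):
                counts[(name, start)] += 1
    return dict(counts)


def evaluate_alarms(records: List[Record], thresholds: Dict[str, int],
                    period_s: int = 300) -> List[dict]:
    """Alarm when a metric's Sum in one period is >= its threshold
    (default threshold 1, i.e. alarm on any occurrence)."""
    alarms = []
    for (name, start), n in sorted(metric_counts(records, period_s).items()):
        if n >= thresholds.get(name, 1):
            alarms.append({
                "metric": name,
                "period_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                "count": n,
            })
    return alarms


if __name__ == "__main__":
    for alarm in evaluate_alarms(SAMPLE_RECORDS, {"UnauthorizedAPICalls": 3}):
        print(f'ALARM {alarm["metric"]}: {alarm["count"]} match(es) in period starting {alarm["period_start"]}')
```

The thresholds dictionary is where tuning happens: a threshold of 1 on `CloudTrailChanges` is appropriate because any change to logging should be reviewed, whereas `UnauthorizedAPICalls` usually needs a higher threshold to avoid paging on routine permission denials. Running the same predicates over historical CloudTrail files before creating the real metric filters shows how noisy each alarm will be.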