SEC 4: How do you detect and investigate security events?

Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.

Resources

Threat management in the cloud: Amazon GuardDuty and AWS Security Hub
Remediating Amazon GuardDuty and AWS Security Hub Findings
Centrally Monitoring Resource Configuration and Compliance
Setting up Amazon GuardDuty
AWS Security Hub
Amazon CloudWatch
Getting started: Amazon CloudWatch Logs
Amazon EventBridge
AWS Config
AWS Answers: Centralized Logging
Security Partner Solutions: Logging and Monitoring

Best Practices:

• Configure service and application logging: Configure logging throughout the workload, including application logs, resource logs, and AWS service logs. For example, ensure that AWS CloudTrail, Amazon CloudWatch Logs, Amazon GuardDuty and AWS Security Hub are enabled for all accounts within your organization.

• Analyze logs, findings, and metrics centrally: All logs, metrics, and telemetry should be collected centrally, and automatically analyzed to detect anomalies and indicators of unauthorized activity. A dashboard can provide you easy to access insight into real-time health. For example, ensure that Amazon GuardDuty and Security Hub logs are sent to a central location for alerting and analysis.

• Automate response to events: Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. For example, automate responses to Amazon GuardDuty events by automating the first investigation step, then iterate to gradually remove human effort.

• Implement actionable security events: Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For example, ensure that Amazon GuardDuty and AWS Security Hub alerts are sent to the team to action, or sent to response automation tooling with the team remaining informed by messaging from the automation framework.

Improvement Plan

Configure service and application logging

Enable logging of AWS services: Enable the logging of AWS services to meet your requirements. Logging capabilities include the following: VPC Flow Logs, ELB logs, S3 bucket logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs.
AWS Answers: native AWS security-logging capabilities

Evaluate and enable logging of operating systems and application-specific: Evaluate and enable logging of operating systems and application-specific logs to detect suspicious behavior.
Getting started with CloudWatch Logs
Developer Tools/Log Analysis

Apply appropriate controls to the logs: Logs can contain sensitive information and only authorized users should have access. Consider restricting permissions to S3 buckets and CloudWatch Logs log groups.
Authentication and Access Control for Amazon CloudWatch
Identity and access management in Amazon S3

Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously looks for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts to email using the lab.
Amazon GuardDuty
Lab: Automated Deployment of Detective Controls

Configure customized trail in CloudTrail: Configuring a trail enables you to store logs for longer than the default period, and analyze them later.
Creating a trail in CloudTrail
Lab: Automated Deployment of Detective Controls

Enable AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were previously configured so that you can see how the configurations and relationships change over time.
AWS Config
Lab: Automated Deployment of Detective Controls

Enable AWS Security Hub: AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your compliance with the security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues.
AWS Security Hub

Analyze logs, findings, and metrics centrally

Evaluate log processing capabilities: Evaluate the options that are available for processing logs
Use Amazon OpenSearch Service to log and monitor (almost) everything
Find a partner that specializes in logging and monitoring solutions

As a start for analyzing CloudTrail logs, test Amazon Athena
Configuring Athena to analyze CloudTrail logs

Implement centralize logging in AWS: AWS example solution to centralize logging from multiple sources.
Centralize logging solution

Implement centralize logging with partner: APN Partners have solutions to help you analyze logs centrally.
Logging and Monitoring

Automate response to events

Implement automated alerting with Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts.
Lab: Automated Deployment of Detective Controls

Automate investigation processes: Develop automated processes that investigate an event and report information to an administrator to save time.
Lab: Amazon GuardDuty hands on

Implement actionable security events

Discover metrics available for AWS services: Discover the metrics that are available through CloudWatch for the services that you are using.
AWS service documentation
Using Amazon CloudWatch Metrics

Configure Amazon CloudWatch alarms: .
Using Amazon CloudWatch Alarms