15 May, 2024
Integrated incident response management
An incident response plan outlines the processes to follow when a security incident occurs. AWS security services can be integrated into your existing or new incident response plan in the following ways:
- Initial detection: Use GuardDuty or Security Hub for the initial detection of the incident
- Investigation: Use Detective to correlate logs and findings for a more in-depth investigation of the incident
- Containment: Lambda functions can be triggered to contain affected resources automatically
- Recovery: Use Config to audit changes and ensure that all resources are rolled back to a known good state
- Lessons learned: Post-incident, use Security Hub to aggregate findings for reviews
Automated remediation
Automation is key to managing the scale and complexity of modern cloud environments. AWS offers several tools for automating the remediation of security incidents. They are as follows:
- Config: Set up remediation actions in Config to automatically fix non-compliant resources. For example, if an S3 bucket is found to be public, a Config rule can automatically make it private using pre-built remediation actions.
- Lambda: Use custom Lambda functions to perform specific remediation tasks. For example, if GuardDuty detects a compromised EC2 instance, a Lambda function could automatically isolate the instance in a separate security group. Network security capabilities such as AWS WAF and VPC network ACLs (NACLs) can also be used to immediately block malicious IP addresses.
- Step Functions: For complex remediation workflows involving multiple steps and services, use Step Functions to orchestrate Lambda functions and other AWS services. This can be particularly useful for automated incident response scenarios that require multiple steps and options.
- SSM: Use SSM Automation documents to execute common security remediation and operational tasks such as patch management.
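The Lambda item above describes isolating a GuardDuty-flagged EC2 instance in a separate security group; the following handler is an added example of that containment step, not code from the original article. It assumes an EventBridge rule forwards GuardDuty findings to the function, that a pre-created quarantine security group id is supplied in an assumed `QUARANTINE_SG_ID` environment variable (the default below is a placeholder), and it ships with a fake EC2 client so it runs without AWS credentials; the sample finding event is constructed.

```python
import os

def extract_instance_id(event):
    """Return the EC2 instance id from a GuardDuty finding event, or None for other resources."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":  # e.g. AccessKey findings are not handled here
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def quarantine_instance(ec2, instance_id, quarantine_sg_id):
    """Replace the instance's security groups with the quarantine group; since
    modify_instance_attribute(Groups=[...]) overwrites the whole list, all existing
    rules drop in one call. Old groups are returned for recovery."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    return {"instanceId": instance_id, "previousGroups": previous,
            "quarantineGroup": quarantine_sg_id}

def lambda_handler(event, context, ec2=None):
    """EventBridge -> Lambda entry point; an ec2 client may be injected for offline runs."""
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"action": "ignored", "reason": "finding does not target an EC2 instance"}
    if ec2 is None:
        import boto3  # imported lazily so the module loads even without boto3 installed
        ec2 = boto3.client("ec2")
    # QUARANTINE_SG_ID is an assumed environment variable; the default is a placeholder
    sg = os.environ.get("QUARANTINE_SG_ID", "sg-QUARANTINE-PLACEHOLDER")
    result = quarantine_instance(ec2, instance_id, sg)
    result.update(action="quarantined", findingType=event["detail"].get("type"))
    return result

# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/TorClient",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}

class FakeEC2:
    """Stand-in for boto3's EC2 client so the example runs without AWS credentials."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{"InstanceId": InstanceIds[0],
                "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]}]}]}
    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append((InstanceId, Groups))
```

Recording `previousGroups` matters for the recovery phase: the quarantine call discards the instance's original groups, so they must be captured before the swap if the instance is to be restored later.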
By effectively utilizing AWS monitoring, alerting, and remediation tools, you can significantly enhance your organization’s ability to quickly detect and respond to security incidents.