Prioritizing Control Implementations - Classic Intrusion Analysis Frameworks for AWS Environments: Application and Enhancement

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Prioritizing Control Implementations

Organizations often ask where to start when implementing a classic intrusion analysis framework. This section describes two ways to use the control number assigned to each control listed in the Appendix: Reference Material section to prioritize control implementations: control numbers can be aligned with the AWS Cloud Adoption Framework (AWS CAF), or they can be used to prioritize implementations based on control coverage. Both approaches are discussed below.

Each unique control included in the Appendix: Reference Material section has a unique control number assigned to it. For example, in the following table the control number is Sec.IAM.2.

Control number example

Control Name: AWS Identity and Access Management (IAM) + IAM Policies and Policy Boundaries (ID: Sec.IAM.2)

Description: These controls provide strong, least-privilege and need-to-know security principles for both the users and services that can access your resources.

The same control number appears in each place in the intrusion method analysis framework where the associated control is used. For example, each appearance of the Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies control in the method analysis framework carries the Sec.DP.6 control number. The control numbers are based on the AWS CAF. The guidance and current recommendations provided by the AWS CAF help you build a comprehensive approach to cloud computing across your organization and throughout your IT lifecycle. Using the AWS CAF helps you realize measurable business benefits from cloud adoption faster and with less risk.

The AWS CAF organizes guidance into six areas of focus, known as perspectives. Each perspective covers distinct responsibilities owned or managed by functionally related stakeholders. In general, the Business, People, and Governance Perspectives focus on business capabilities, while the Platform, Security, and Operations Perspectives focus on technical capabilities.

Figure: AWS CAF perspectives (Business, People, Governance, Platform, Security, Operations)

For a full explanation of the AWS CAF, see AWS Cloud Adoption Framework.

Numerous controls listed in this paper are from the AWS CAF Security perspective. To help you with your implementation, you can use the AWS CAF Security Epics. The Security Epics consist of groups of user stories (use cases and abuse cases) that you can work on during sprints. Each of these epics has multiple iterations that address increasingly complex requirements and layering in robustness. Although we advise the use of Agile methodologies, the epics can also be treated as general work streams or topics that help in prioritizing and structuring delivery using any other framework. Some CAF perspectives, such as the Operations and Platform perspectives, do not have epics.

Figure: AWS CAF Security Epics (Identity and Access Management, Detective Controls, Infrastructure Security, Data Protection, Incident Response)

Control Number Format

The format of the control numbers is:

<CAF perspective>.<CAF perspective epic>.<sequential_number>

The CAF perspective epic only applies to AWS CAF perspectives that have epics, such as the Security perspective.

Some examples of control numbers:

  • Sec.IAM.1 – CAF Security Perspective, Identity & Access Management Epic, control 1

  • Sec.Det.1 – CAF Security Perspective, Detective Security Epic, control 1

  • Sec.DP.3 – CAF Security Perspective, Data Protection Epic, control 3

  • Sec.Inf.11 – CAF Security Perspective, Infrastructure Security Epic, control 11

  • Sec.IR.5 – CAF Security Perspective, Incident Response Epic, control 5

  • Platform.1 – CAF Platform Perspective, control 1

  • Ops.2 – CAF Operations Perspective, control 2

Prioritize Controls with the Control Number and AWS CAF

Organizations that use the AWS CAF to build a comprehensive approach to cloud computing across their organization, and have also decided to implement some or all of the controls described in this paper, can use Table 12 to cross-reference their efforts. The table makes it easy to identify which intrusion method controls can be implemented as the organization runs the sprints associated with each AWS CAF perspective and epic.

For example, when an organization plans a sprint on the Detective Controls Epic, the table shows that implementing the controls listed under that epic also enables capabilities in its intrusion analysis strategy.

This approach can help organizations prioritize which intrusion method controls to implement as part of a broader AWS CAF strategy.

Table 12 – Controls Mapped to AWS Cloud Adoption Framework (AWS CAF)

Control ID Control Name
Security Perspective – Identity and Access Management (IAM) Epic
Sec.IAM.1 AWS Identity and Access Management (IAM) Roles 
Sec.IAM.2 AWS Identity and Access Management (IAM) + IAM Policies and Policy Boundaries
Sec.IAM.3 AWS Identity and Access Management (IAM) + AWS Organizations
Sec.IAM.4 AWS Organizations + Service Control Policies (SCPs) + AWS Accounts
Sec.IAM.5 Amazon Cognito
Security Perspective – Detective Controls Epic
Sec.Det.1 Amazon GuardDuty
Sec.Det.2 Amazon GuardDuty Partners
Sec.Det.3 AWS Security Hub
Sec.Det.4 AWS Security Hub Partners
Sec.Det.5 AWS Config
Sec.Det.6 Amazon CloudWatch, CloudWatch Logs, CloudTrail + Insights, Reporting & Third Parties
Sec.Det.7 Amazon CloudWatch Events & Alarms + Amazon SNS + SIEM Solutions
Sec.Det.8 Amazon VPC Flow Logs + CloudWatch Alarms or other analytics tools 
Sec.Det.9 AWS IoT Device Defender + AWS IoT SiteWise
Sec.Det.10 Amazon CloudWatch Logs + Amazon Lookout for Metrics
Sec.Det.11 Amazon Detective
Security Perspective – Infrastructure Security Epic
Sec.Inf.1 AWS WAF
Sec.Inf.2 AWS WAF, WAF Managed Rules + Automation
Sec.Inf.3 Amazon Virtual Private Cloud (Amazon VPC)
Sec.Inf.4 AWS Direct Connect
Sec.Inf.5 Amazon EC2 Security Groups
Sec.Inf.6 Network Access Control Lists (NACLs)
Sec.Inf.7 Outbound Proxy Partners
Sec.Inf.8 Load Balancing
Sec.Inf.9 AWS Auto Scaling
Sec.Inf.10 Network infrastructure solutions in the AWS Marketplace
Sec.Inf.11 Reverse Proxy architecture
Sec.Inf.12 Amazon EC2 Forward Proxy Servers
Sec.Inf.13 AWS Shield
Sec.Inf.14 AWS Systems Manager State Manager 
Sec.Inf.15 AWS Systems Manager State Manager, or Third-Party or OSS File Integrity Monitoring Solutions on Amazon EC2
Sec.Inf.16 AWS Systems Manager State Manager, AWS Systems Manager Inventory, AWS Config
Sec.Inf.17 Amazon EC2 – Linux, SELinux – Mandatory Access Control
Sec.Inf.18 Amazon EC2 – FreeBSD Trusted BSD – Mandatory Access Control
Sec.Inf.19 Amazon EC2 – Linux, FreeBSD – Hardening and Minimization
Sec.Inf.20 Amazon EC2 – Linux, Windows, FreeBSD – Address Space Layout Randomization (ASLR)
Sec.Inf.21 Amazon EC2 – Linux, Windows, FreeBSD – Data Execution Prevention (DEP)
Sec.Inf.22 Amazon EC2 – Windows – User Account Control (UAC)
Sec.Inf.23 Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC)
Sec.Inf.24 Microsoft Windows Security Baselines
Sec.Inf.25 Linux cgroups, namespaces, SELinux 
Sec.Inf.26 Amazon EC2 – Windows – Device Guard
Sec.Inf.27 AWS Lambda Partners
Sec.Inf.28 Container Partners – Security
Sec.Inf.29 AWS Partner Offerings – Behavioral Monitoring, Response Tools and Services 
Sec.Inf.30 AWS Network Firewall
Sec.Inf.31 Amazon Simple Email Service (Amazon SES)
Sec.Inf.32 Bottlerocket
Security Perspective - Data Protection Epic
Sec.DP.1 AWS Key Management Service (KMS) + AWS CloudHSM
Sec.DP.2 AWS KMS Key Policies
Sec.DP.3 AWS Certificate Manager + Transport Layer Security (TLS)
Sec.DP.4 AWS Partner Offerings – SQL Behavioral Analytics Proxies
Sec.DP.5 AWS Nitro Enclaves
Sec.DP.6 Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies
Sec.DP.7 AWS Secrets Manager
Security Perspective - Incident Response Epic
Sec.IR.1 Amazon GuardDuty + AWS Lambda
Sec.IR.2 AWS WAF + AWS Lambda
Sec.IR.3 Third-Party WAF Integrations 
Sec.IR.4 Amazon GuardDuty + AWS Lambda + AWS WAF, Security Groups, NACLs
Sec.IR.5 AWS Config Rules 
Sec.IR.6 Amazon CloudWatch Events + Lambda 
Sec.IR.7 AWS Security Hub Automated Response and Remediation
Sec.IR.8 Amazon CloudWatch Logs + Amazon Lookout for Metrics + Lambda
Sec.IR.9 Amazon Virtual Private Cloud (Amazon VPC) + automation
Sec.IR.10 Honeypot and Honeynet Environments
Sec.IR.11 Honeywords and Honeykeys
Sec.IR.12 AWS Partner Offerings – Anti-Malware Protection
Sec.IR.13 AWS Partner Offerings – File Integrity Monitoring 
Sec.IR.14 Third-Party Security Tools for Containers
Sec.IR.15 Third-Party Security Tools for AWS Lambda Functions
Platform Perspective
Platform.1 AWS Container and Abstract Services 
Platform.2 AWS Lambda, Amazon Simple Queue Service (Amazon SQS), AWS Step Functions 
Platform.3 Amazon Simple Email Service
Platform.4 Hypervisor-Level Guest-to-Guest and Guest-to-Host Separation 
Platform.5 AWS physical and operational security policies and processes
Operations Perspective
Ops.1 CloudFormation + Service Catalog
Ops.2 Immutable Infrastructure – Short-Lived Environments
Ops.3 AWS Managed Services 
Ops.4 AWS DR Solutions

Prioritize Controls Based on Control Coverage

Another way to use the unique control numbers is to identify which controls provide the greatest coverage, and therefore potentially the biggest return on the implementation effort.

For example, the following table shows that implementing control Sec.IR.15 (Third-Party Security Tools for AWS Lambda Functions) can potentially help detect, deny, disrupt, contain, and respond in the Exploitation phase of an attack. The mapping makes the benefit of enabling that one control visible: it covers five courses of action within a single phase of the intrusion method analysis framework.

Table 13 – Example of an AWS Cloud Adoption Framework (AWS CAF) security control appearing multiple times in a Courses of Action Matrix

Figure: Sec.IR.15 shown in the Detect, Deny, Disrupt, Contain, and Respond cells of the Exploitation row.

The following table shows each place in the courses of action matrix where each control number appears. You can use the control numbers to prioritize your control implementations. For example, control Sec.Det.1 (Amazon GuardDuty) provides Detect coverage in every phase of the intrusion method analysis framework except Exploit Development, which has no controls mapped.
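As an added example (not code from the whitepaper), the following Python script applies the two prioritization approaches described in this section, the control number format, the AWS CAF cross-reference and the coverage ranking, to a constructed, truncated subset of Table 14. It validates control numbers against the <CAF perspective>.<CAF perspective epic>.<sequential_number> format, groups them under the Table 12 perspective and epic headings, and ranks them by how many cells they occupy in the courses of action matrix. The control IDs and phase names are the paper's; the sample matrix text and all function names are assumptions made for this example.

```python
"""Added example: rank intrusion-analysis controls by coverage and group them by
AWS CAF epic. The control IDs are the paper's; the sample matrix is a constructed,
truncated subset of Table 14 and the function names are this example's own."""
import re
from collections import defaultdict

# Control number format: Sec.<epic>.<n> for the Security perspective (which has
# epics) and <perspective>.<n> for Platform and Operations (which do not).
CONTROL_ID = re.compile(
    r"^(?:(?P<persp>Sec)\.(?P<epic>IAM|Det|Inf|DP|IR)|(?P<plain>Platform|Ops))"
    r"\.(?P<num>\d+)$"
)
EPIC_NAMES = {"IAM": "Identity and Access Management", "Det": "Detective Controls",
              "Inf": "Infrastructure Security", "DP": "Data Protection",
              "IR": "Incident Response"}
PERSPECTIVE_NAMES = {"Sec": "Security", "Platform": "Platform", "Ops": "Operations"}
# Row labels of Table 14 (intrusion phases), in the paper's order.
PHASES = ("Recon – Pre-Intrusion", "Recon – Post-Intrusion", "Exploit Development",
          "Delivery", "Exploitation", "Installation", "Command and Control",
          "Actions on Objectives")

def parse_control_id(text):
    """Split a control number into (perspective, epic or None, number).
    Anything outside the documented format, e.g. a missing dot ("Sec IR.7"),
    raises ValueError so a typo cannot silently skew the tally."""
    m = CONTROL_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a valid control number: {text!r}")
    return m.group("persp") or m.group("plain"), m.group("epic"), int(m.group("num"))

def epic_label(control_id):
    """Table 12 section heading (perspective and, where present, epic) for a control."""
    persp, epic, _ = parse_control_id(control_id)
    heading = PERSPECTIVE_NAMES[persp] + " Perspective"
    return f"{heading} – {EPIC_NAMES[epic]} Epic" if epic else heading

def parse_matrix(text):
    """Parse the flattened layout used on this page: a phase heading line followed
    by one control ID per cell the control occupies in that row. Repeats are kept
    on purpose; each one is another course-of-action column."""
    matrix, phase = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line in PHASES:
            phase = line
            matrix.setdefault(phase, [])
        elif phase is None:
            raise ValueError(f"control {line!r} appears before any phase heading")
        else:
            parse_control_id(line)  # validate before counting
            matrix[phase].append(line)
    return matrix

def coverage(matrix):
    """{control_id: (cells occupied in the whole matrix, distinct phases covered)}."""
    cells, phases = defaultdict(int), defaultdict(set)
    for phase, ids in matrix.items():
        for cid in ids:
            cells[cid] += 1
            phases[cid].add(phase)
    return {cid: (cells[cid], len(phases[cid])) for cid in cells}

def rank_by_coverage(matrix):
    """Controls ordered by most cells, then most phases, then ID: the top of the
    list is where one implementation buys the most courses of action."""
    cov = coverage(matrix)
    return sorted(cov, key=lambda cid: (-cov[cid][0], -cov[cid][1], cid))

def group_by_epic(matrix):
    """Cross-reference for CAF-driven sprints: epic heading -> sorted control IDs."""
    groups = defaultdict(set)
    for ids in matrix.values():
        for cid in ids:
            groups[epic_label(cid)].add(cid)
    return {label: sorted(ids, key=parse_control_id) for label, ids in groups.items()}

# Constructed, truncated subset of Table 14 (real control IDs, shortened rows).
SAMPLE_MATRIX = """
Recon – Pre-Intrusion
Sec.Det.1
Sec.Inf.30
Sec.Inf.30
Sec.IR.10
Sec.IR.10
Exploit Development
Delivery
Sec.Det.1
Sec.Inf.30
Ops.2
Exploitation
Sec.Det.1
Sec.IR.15
Sec.IR.15
Sec.IR.15
Ops.2
"""
```

Running `rank_by_coverage(parse_matrix(SAMPLE_MATRIX))` on the sample puts Sec.Det.1 first (three cells across three phases), then Sec.Inf.30 (three cells, two phases) and Sec.IR.15 (three cells, one phase); `group_by_epic` returns the same controls keyed by the Table 12 headings, which is the view to use when planning a CAF epic sprint. Feeding the full Table 14 text through `parse_matrix` gives the ranking for the whole paper, and the strict parser will stop on any mistyped ID rather than undercounting it.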

Table 14 – Controls Mapped to the Intrusion Method

Courses of action (columns, left to right): Detect, Deny, Disrupt, Degrade, Deceive, Contain, Respond, Restore

Each row below lists the control IDs in the order they appear across those columns; a control that occupies more than one column of a row is listed once per column.

Recon – Pre-Intrusion: Sec.Det.1, Sec.Det.2, Sec.Inf.2, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Inf.30, Sec.Det.11, Sec.IR.10, Sec.Inf.3, Sec.IAM.3, Sec.DP.3, Sec.Inf.10, Sec.Inf.2, Sec.Inf.4, Sec.Inf.30, Sec.IR.1, Sec.Inf.30, Sec.IR.10, Sec.IR.11, Sec.IR.10, Sec.IR.11, Sec.IR.2, Sec.IR.10, Sec.IR.11, Sec.Inf.2, Sec.IR.1, Sec.Det.2, Sec.Det.4, Sec.Det.7

Recon – Post-Intrusion: Sec.Det.1, Sec.Det.2, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Inf.30, Sec.Det.11, Sec.IR.10, Sec.IR.11, Sec.Inf.3, Sec.IAM.3, Sec.DP.3, Sec.Inf.11, Sec.Inf.11, Sec.IAM.5, Sec.Inf.30, Sec.Inf.32, Sec.IR.1, Sec.Inf.30, Sec.IR.10, Sec.IR.11, Sec.IR.10, Sec.IR.11, Sec.IR.9, Sec.IR.10, Sec.IR.11, Sec.IR.9, Sec.Inf.2, Sec.IR.1, Sec.Det.2, Sec.Det.4, Sec.Det.7

Exploit Development: (no controls mapped)

Delivery: Sec.Det.1, Sec.Inf.2, Sec.Inf.13, Sec.Det.8, Sec.Det.9, Sec.Det.10, Sec.Det.11, Sec.Inf.3, Sec.Inf.4, Sec.Inf.5, Sec.Inf.6, Sec.Inf.13, Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.23, Sec.Inf.24, Platform.5, Sec.Inf.30, Sec.Inf.31, Sec.Inf.32, Sec.DP.5, Sec.DP.6, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.13, Ops.2, Sec.Inf.30, Sec.Det.9, Sec.Det.10, Sec.IR.1, Sec.Inf.13, Sec.Inf.8, Ops.2, Sec.IR.10, Sec.IR.11, Sec.IR.2, Sec.Inf.1, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IAM.4, Sec.Inf.25, Platform.1, Platform.2, Platform.4, Sec.DP.5, Sec.Inf.14, Sec.IR.13, Sec.IR.2, Sec.IR.3, Sec.IR.5, Sec.IR.6, Sec.IR.7, Ops.3, Sec.Det.9, Sec.Det.10, Sec.Inf.14, Ops.1, Ops.2

Exploitation: Sec.Det.1, Sec.Det.9, Sec.Det.10, Sec.Det.11, Sec.Inf.2, Sec.Inf.3, Sec.Det.5, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.27, Sec.Inf.28, Sec.IAM.1, Sec.DP.7, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.20, Sec.Inf.21, Sec.Inf.22, Sec.Inf.23, Sec.Inf.24, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.27, Sec.Inf.28, Sec.Inf.32, Platform.3, Sec.DP.1, Sec.DP.5, Sec.DP.6, Sec.Inf.2, Sec.DP.7, Sec.Inf.17, Sec.Inf.18, Sec.Inf.20, Sec.Inf.21, Sec.Inf.22, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.30, Ops.2, Sec.DP.5, Sec.DP.6, Sec.IR.1, Sec.Inf.1, Sec.Inf.9, Sec.Inf.30, Ops.2, Sec.IR.10, Sec.IR.11, Sec.IR.2, Sec.IAM.1, Sec.IAM.4, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.23, Sec.Inf.25, Sec.IR.14, Sec.IR.15, Platform.1, Platform.4, Sec.DP.5, Sec.Det.2, Sec.Det.11, Sec.IR.14, Sec.IR.15, Sec.Inf.29, Ops.3, Sec.IR.7, Sec.Inf.9, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2

Installation: Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.9, Sec.Det.10, Sec.Det.11, Sec.Inf.16, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.22, Sec.Inf.23, Sec.Inf.26, Sec.Inf.32, Sec.IR.12, Sec.DP.5, Sec.DP.6, Sec.Inf.14, Sec.Inf.17, Sec.Inf.18, Sec.Inf.22, Sec.Inf.23, Sec.Inf.26, Sec.IR.13, Sec.IR.12, Sec.DP.6, Sec.Inf.8, Sec.Inf.14, Sec.Inf.19, Sec.Inf.26, Sec.IR.13, Ops.2, Sec.IR.10, Sec.IR.11, Sec.IAM.4, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.Inf.25, Sec.IR.14, Sec.IR.15, Platform.1, Platform.4, Sec.DP.5, Sec.Inf.14, Sec.Inf.15, Sec.Inf.16, Sec.IR.13, Sec.IR.7, Sec.Inf.10, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2

Command and Control: Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.11, Sec.Inf.8, Sec.Inf.12, Sec.IR.14, Sec.IR.15, Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IR.14, Sec.IR.15, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IR.14, Sec.IR.15, Sec.IR.1, Sec.IR.4, Ops.2, Sec.IR.1, Sec.IR.4, Ops.2, Sec.IR.10, Sec.IAM.2, Sec.IAM.4, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.25, Sec.Inf.30, Platform.1, Platform.2, Platform.4, Sec.IR.14, Sec.IR.15, Sec.Inf.29, Sec.IR.1, Ops.3, Sec.Inf.9, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2, Ops.4

Actions on Objectives: Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.11, Sec.Inf.8, Sec.Inf.13, Sec.IR.14, Sec.IR.15, Sec.DP.4, Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.DP.1, Sec.DP.2, Sec.IAM.2, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.IR.5, Ops.2, Sec.IAM.2, Sec.Inf.9, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.DP.4, Sec.IR.10, Sec.IAM.2, Sec.IAM.4, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.25, Platform.1, Platform.4, Sec.IR.14, Sec.IR.15, Sec.Inf.29, Sec.IR.1, Ops.3, Sec.IR.7, Sec.Inf.9, Sec.IR.13, Ops.1, Ops.4

Note

**Defined in the 2006 version of JP 3-13, as documented in Mitre, "Characterizing Effects on the Cyber Adversary, A Vocabulary for Analysis and Assessment", https://www.mitre.org/sites/default/files/publications/characterizing-effects-cyber-adversary-13-4173.pdf