This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Prioritizing Control Implementations
Organizations often want to know where to start if they want to implement a classic intrusion analysis framework. This section describes two ways that you can use the control number associated with each control listed in the Appendix: Reference Material section to prioritize control implementations. Control numbers can be aligned with the AWS Cloud Adoption Framework (AWS CAF).
Each unique control included in the Appendix: Reference Material section has a unique control number assigned to it. For example, in the following table, the control number is Sec.IAM.2.

Control number example

Control Names | Descriptions |
---|---|
AWS Identity and Access Management (IAM) + IAM Policies and Policy Boundaries (ID: Sec.IAM.2) | These controls provide strong, least-privilege and need-to-know security principles for both the users and services that can access your resources. |
The same control number appears in each place in the intrusion method analysis framework that the associated control is used. For example, each appearance of the Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies control in the method analysis framework includes the Sec.DP.6 control number. The control numbers are based on the AWS CAF. The guidance and current recommendations provided by the AWS CAF help you build a comprehensive approach to cloud computing across your organization, and throughout your IT lifecycle. Using the AWS CAF helps you realize measurable business benefits from cloud adoption faster and with less risk.
The AWS CAF organizes guidance into six areas of focus, known as perspectives. Each perspective covers distinct responsibilities owned or managed by functionally related stakeholders. In general, the Business, People, and Governance Perspectives focus on business capabilities, while the Platform, Security, and Operations Perspectives focus on technical capabilities.

AWS CAF perspectives
For a full explanation of the AWS CAF, see AWS Cloud Adoption Framework.
Numerous controls listed in this paper are from the AWS CAF Security perspective. To help you with your implementation, you can use the AWS CAF Security Epics. The Security Epics consist of groups of user stories (use cases and abuse cases) that you can work on during sprints. Each of these epics has multiple iterations that address increasingly complex requirements and layer in robustness. Although we advise the use of Agile methodologies, the epics can also be treated as general work streams or topics that help in prioritizing and structuring delivery using any other framework. Some CAF perspectives, such as the Operations and Platform perspectives, do not have epics.

AWS CAF Security Epics
Control Number Format
The format of the control numbers is:
<CAF perspective>.<CAF perspective epic>.<sequential_number>
The CAF perspective epic only applies to AWS CAF perspectives that have epics, such as the Security perspective.
Some examples of control numbers:
- Sec.IAM.1 – CAF Security Perspective, Identity & Access Management Epic, control 1
- Sec.Det.1 – CAF Security Perspective, Detective Security Epic, control 1
- Sec.DP.3 – CAF Security Perspective, Data Protection Epic, control 3
- Sec.Inf.11 – CAF Security Perspective, Infrastructure Security Epic, control 11
- Sec.IR.5 – CAF Security Perspective, Incident Response Epic, control 5
- Platform.1 – CAF Platform Perspective, control 1
- Ops.2 – CAF Operations Perspective, control 2
Prioritize Controls with the Control Number and AWS CAF
Organizations that use the AWS CAF to build a comprehensive approach to cloud computing across their organization, and that have also decided to implement some or all of the controls described in this paper, can use the following table to cross-reference their efforts. The table makes it easy to identify which intrusion method controls can be implemented as organizations perform sprints associated with AWS CAF perspectives and epics.
For example, when an organization plans to work on the Detective Controls Epic, the table shows that implementing the controls listed under that epic also enables other capabilities as part of its intrusion analysis strategy.
This approach can help organizations prioritize which intrusion method controls to implement as part of a broader AWS CAF strategy.
Table 12 – Controls Mapped to AWS Cloud Adoption Framework (AWS CAF)
Control ID | Control Name |
---|---|
Security Perspective – Identity and Access Management (IAM) Epic | |
Sec.IAM.1 | AWS Identity and Access Management (IAM) Roles |
Sec.IAM.2 | AWS Identity and Access Management (IAM) + IAM Policies and Policy Boundaries |
Sec.IAM.3 | AWS Identity and Access Management (IAM) + AWS Organizations |
Sec.IAM.4 | AWS Organizations + Service Control Policies (SCPs) + AWS Accounts |
Sec.IAM.5 | Amazon Cognito |
Security Perspective – Detective Controls Epic | |
Sec.Det.1 | Amazon GuardDuty |
Sec.Det.2 | Amazon GuardDuty Partners |
Sec.Det.3 | AWS Security Hub |
Sec.Det.4 | AWS Security Hub Partners |
Sec.Det.5 | AWS Config |
Sec.Det.6 | Amazon CloudWatch, CloudWatch Logs, CloudTrail + Insights, Reporting & Third Parties |
Sec.Det.7 | Amazon CloudWatch Events & Alarms + Amazon SNS + SIEM Solutions |
Sec.Det.8 | Amazon VPC Flow Logs + CloudWatch Alarms or other analytics tools |
Sec.Det.9 | AWS IoT Device Defender + AWS IoT SiteWise |
Sec.Det.10 | Amazon CloudWatch Logs + Amazon Lookout for Metrics |
Sec.Det.11 | Amazon Detective |
Security Perspective – Infrastructure Security Epic | |
Sec.Inf.1 | AWS WAF |
Sec.Inf.2 | AWS WAF, WAF Managed Rules + Automation |
Sec.Inf.3 | Amazon Virtual Private Cloud (Amazon VPC) |
Sec.Inf.4 | AWS Direct Connect |
Sec.Inf.5 | Amazon EC2 Security Groups |
Sec.Inf.6 | Network Access Control Lists (NACLs) |
Sec.Inf.7 | Outbound Proxy Partners |
Sec.Inf.8 | Load Balancing |
Sec.Inf.9 | AWS Auto Scaling |
Sec.Inf.10 | Network infrastructure solutions in the AWS Marketplace |
Sec.Inf.11 | Reverse Proxy architecture |
Sec.Inf.12 | Amazon EC2 Forward Proxy Servers |
Sec.Inf.13 | AWS Shield |
Sec.Inf.14 | AWS Systems Manager State Manager |
Sec.Inf.15 | AWS Systems Manager State Manager, or Third-Party or OSS File Integrity Monitoring Solutions on Amazon EC2 |
Sec.Inf.16 | AWS Systems Manager State Manager, AWS Systems Manager Inventory, AWS Config |
Sec.Inf.17 | Amazon EC2 – Linux, SELinux – Mandatory Access Control |
Sec.Inf.18 | Amazon EC2 – FreeBSD Trusted BSD – Mandatory Access Control |
Sec.Inf.19 | Amazon EC2 – Linux, FreeBSD – Hardening and Minimization |
Sec.Inf.20 | Amazon EC2 – Linux, Windows, FreeBSD – Address Space Layout Randomization (ASLR) |
Sec.Inf.21 | Amazon EC2 – Linux, Windows, FreeBSD – Data Execution Prevention (DEP) |
Sec.Inf.22 | Amazon EC2 – Windows – User Account Control (UAC) |
Sec.Inf.23 | Amazon EC2 – Linux – Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) |
Sec.Inf.24 | Microsoft Windows Security Baselines |
Sec.Inf.25 | Linux cgroups, namespaces, SELinux |
Sec.Inf.26 | Amazon EC2 – Windows – Device Guard |
Sec.Inf.27 | AWS Lambda Partners |
Sec.Inf.28 | Container Partners – Security |
Sec.Inf.29 | AWS Partner Offerings – Behavioral Monitoring, Response Tools and Services |
Sec.Inf.30 | AWS Network Firewall |
Sec.Inf.31 | Amazon Simple Email Service (Amazon SES) |
Sec.Inf.32 | Bottlerocket |
Security Perspective – Data Protection Epic | |
Sec.DP.1 | AWS Key Management Service (KMS) + AWS CloudHSM |
Sec.DP.2 | AWS KMS Key Policies |
Sec.DP.3 | AWS Certificate Manager + Transport Layer Security (TLS) |
Sec.DP.4 | AWS Partner Offerings – SQL Behavioral Analytics Proxies |
Sec.DP.5 | AWS Nitro Enclaves |
Sec.DP.6 | Amazon Simple Storage Service (Amazon S3) Bucket Policies, Object Policies |
Sec.DP.7 | AWS Secrets Manager |
Security Perspective – Incident Response Epic | |
Sec.IR.1 | Amazon GuardDuty + AWS Lambda |
Sec.IR.2 | AWS WAF + AWS Lambda |
Sec.IR.3 | Third-Party WAF Integrations |
Sec.IR.4 | Amazon GuardDuty + AWS Lambda + AWS WAF, Security Groups, NACLs |
Sec.IR.5 | AWS Config Rules |
Sec.IR.6 | Amazon CloudWatch Events + Lambda |
Sec.IR.7 | AWS Security Hub Automated Response and Remediation |
Sec.IR.8 | Amazon CloudWatch Logs + Amazon Lookout for Metrics + Lambda |
Sec.IR.9 | Amazon Virtual Private Cloud (Amazon VPC) + automation |
Sec.IR.10 | Honeypot and Honeynet Environments |
Sec.IR.11 | Honeywords and Honeykeys |
Sec.IR.12 | AWS Partner Offerings – Anti-Malware Protection |
Sec.IR.13 | AWS Partner Offerings – File Integrity Monitoring |
Sec.IR.14 | Third-Party Security Tools for Containers |
Sec.IR.15 | Third-Party Security Tools for AWS Lambda Functions |
Platform Perspective | |
Platform.1 | AWS Container and Abstract Services |
Platform.2 | AWS Lambda, Amazon Simple Queue Service (Amazon SQS), AWS Step Functions |
Platform.3 | Amazon Simple Email Service |
Platform.4 | Hypervisor-Level Guest-to-Guest and Guest-to-Host Separation |
Platform.5 | AWS physical and operational security policies and processes |
Operations Perspective | |
Ops.1 | CloudFormation + Service Catalog |
Ops.2 | Immutable Infrastructure – Short-Lived Environments |
Ops.3 | AWS Managed Services |
Ops.4 | AWS DR Solutions |
Prioritize Controls Based on Control Coverage
Another way to use the unique control numbers is to identify which controls provide the greatest level of coverage, and so potentially the biggest return on investment (ROI).
For example, the following table shows that implementing control Sec.IR.15 (Third-Party Security Tools for AWS Lambda Functions) can potentially help detect, deny, disrupt, contain, and respond in the Exploitation phase of an attack. This mapping identifies the benefit of enabling that one control, which provides significant Infrastructure Security capability coverage in multiple places in the intrusion method analysis framework.
Table 13 – Example of an AWS Cloud Adoption Framework (AWS CAF) security control appearing multiple times in a Courses of Action Matrix

The following table shows each place in the courses of action matrix that each control number appears. You can use the control number for each control to help you prioritize your control implementations. For example, notice that control Sec.Det.1 (Amazon GuardDuty) can provide Detection capabilities in all phases of the intrusion method analysis framework (except Exploit Development).
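As an added example (not code from this whitepaper), the following Python validates control numbers against the format described above and scores each control by how many cells of the courses of action matrix it covers, which is the prioritization-by-coverage idea of this section. The two matrix rows are transcribed from Table 14; the function names and the choice to break ties alphabetically are my own.

```python
import re
from collections import defaultdict
# Control-number grammar from the "Control Number Format" section: <perspective>.<epic>.<n> for perspectives with epics (Security), <perspective>.<n> for those without (Platform, Ops).
CONTROL_ID = re.compile(r"^(?P<persp>Sec|Platform|Ops)(?:\.(?P<epic>IAM|Det|Inf|DP|IR))?\.(?P<seq>\d+)$")
ACTIONS = ("Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Contain", "Respond", "Restore")
# Two rows transcribed from Table 14, one cell per action; "—" means no control is mapped there.
MATRIX = {
    "Recon – Pre-Intrusion": [
        "Sec.Det.1 Sec.Det.2 Sec.Inf.2 Sec.Det.6 Sec.Det.3 Sec.Det.4 Sec.Inf.30 Sec.Det.11 Sec.IR.10",
        "Sec.Inf.3 Sec.IAM.3 Sec.DP.3 Sec.Inf.10 Sec.Inf.2 Sec.Inf.4 Sec.Inf.30",
        "Sec.IR.1 Sec.Inf.30", "Sec.IR.10 Sec.IR.11", "Sec.IR.10 Sec.IR.11 Sec.IR.2", "Sec.IR.10 Sec.IR.11",
        "Sec.Inf.2 Sec.IR.1 Sec.Det.2 Sec.Det.4 Sec.Det.7", "—",
    ],
    "Exploitation": [
        "Sec.Det.1 Sec.Det.9 Sec.Det.10 Sec.Det.11 Sec.Inf.2 Sec.Inf.3 Sec.Det.5 Sec.IR.14 Sec.IR.15 Sec.IR.12 Sec.Inf.27 Sec.Inf.28",
        "Sec.IAM.1 Sec.DP.7 Sec.Inf.17 Sec.Inf.18 Sec.Inf.19 Sec.Inf.20 Sec.Inf.21 Sec.Inf.22 Sec.Inf.23 Sec.Inf.24 Sec.IR.14 Sec.IR.15 Sec.IR.12 Sec.Inf.27 Sec.Inf.28 Sec.Inf.32 Platform.3 Sec.DP.1 Sec.DP.5 Sec.DP.6",
        "Sec.Inf.2 Sec.DP.7 Sec.Inf.17 Sec.Inf.18 Sec.Inf.20 Sec.Inf.21 Sec.Inf.22 Sec.Inf.23 Sec.IR.14 Sec.IR.15 Sec.IR.12 Sec.Inf.30 Ops.2 Sec.DP.5 Sec.DP.6",
        "Sec.IR.1 Sec.Inf.1 Sec.Inf.9 Sec.Inf.30 Ops.2", "Sec.IR.10 Sec.IR.11 Sec.IR.2",
        "Sec.IAM.1 Sec.IAM.4 Sec.Inf.17 Sec.Inf.18 Sec.Inf.19 Sec.Inf.23 Sec.Inf.25 Sec.IR.14 Sec.IR.15 Platform.1 Platform.4 Sec.DP.5",
        "Sec.Det.2 Sec.Det.11 Sec.IR.14 Sec.IR.15 Sec.Inf.29 Ops.3 Sec.IR.7", "Sec.Inf.9 Sec.Inf.14 Sec.IR.13 Ops.1 Ops.2",
    ],
}

def parse_control_id(cid):
    """Return (perspective, epic or None, sequence number); raise on a malformed number."""
    m = CONTROL_ID.match(cid)
    if m is None or (m["persp"] == "Sec") != (m["epic"] is not None):  # only Security has epics
        raise ValueError(f"malformed control number: {cid!r}")
    return m["persp"], m["epic"], int(m["seq"])

def coverage(matrix):
    """Map each control number to the set of (phase, action) cells it appears in."""
    cells = defaultdict(set)
    for phase, row in matrix.items():
        assert len(row) == len(ACTIONS), f"{phase}: expected {len(ACTIONS)} cells, got {len(row)}"
        for action, cell in zip(ACTIONS, row):
            for cid in cell.split():
                if cid != "—":
                    parse_control_id(cid)  # rejects typos such as "Sec IR.7" before they are counted
                    cells[cid].add((phase, action))
    return dict(cells)

def rank_by_coverage(matrix):
    """(control number, cells covered) pairs, most coverage first, ties broken by name."""
    cov = coverage(matrix)
    return [(c, len(cov[c])) for c in sorted(cov, key=lambda c: (-len(cov[c]), c))]

def actions_in_phase(cov, cid, phase):
    """Courses of action a control provides in one phase, in matrix column order."""
    return [a for a in ACTIONS if (phase, a) in cov.get(cid, set())]
```

Running it over the two transcribed rows reproduces the Sec.IR.15 example from the text (Detect, Deny, Disrupt, Contain and Respond in Exploitation) and shows that controls such as Sec.Inf.30 earn their rank by appearing in several phases rather than in one.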
Table 14 – Controls Mapped to the Intrusion Method
Phase | Detect | Deny | Disrupt | Degrade | Deceive | Contain | Respond | Restore |
---|---|---|---|---|---|---|---|---|
Recon – Pre-Intrusion | Sec.Det.1, Sec.Det.2, Sec.Inf.2, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Inf.30, Sec.Det.11, Sec.IR.10 | Sec.Inf.3, Sec.IAM.3, Sec.DP.3, Sec.Inf.10, Sec.Inf.2, Sec.Inf.4, Sec.Inf.30 | Sec.IR.1, Sec.Inf.30 | Sec.IR.10, Sec.IR.11 | Sec.IR.10, Sec.IR.11, Sec.IR.2 | Sec.IR.10, Sec.IR.11 | Sec.Inf.2, Sec.IR.1, Sec.Det.2, Sec.Det.4, Sec.Det.7 | — |
Recon – Post-Intrusion | Sec.Det.1, Sec.Det.2, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Inf.30, Sec.Det.11, Sec.IR.10, Sec.IR.11 | Sec.Inf.3, Sec.IAM.3, Sec.DP.3, Sec.Inf.11, Sec.IAM.5, Sec.Inf.30, Sec.Inf.32 | Sec.IR.1, Sec.Inf.30 | Sec.IR.10, Sec.IR.11 | Sec.IR.10, Sec.IR.11, Sec.IR.9 | Sec.IR.10, Sec.IR.11, Sec.IR.9 | Sec.Inf.2, Sec.IR.1, Sec.Det.2, Sec.Det.4, Sec.Det.7 | — |
Exploit Development | — | — | — | — | — | — | — | — |
Delivery | Sec.Det.1, Sec.Inf.2, Sec.Inf.13, Sec.Det.8, Sec.Det.9, Sec.Det.10, Sec.Det.11 | Sec.Inf.3, Sec.Inf.4, Sec.Inf.5, Sec.Inf.6, Sec.Inf.13, Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.23, Sec.Inf.24, Platform.5, Sec.Inf.30, Sec.Inf.31, Sec.Inf.32, Sec.DP.5, Sec.DP.6 | Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.13, Ops.2, Sec.Inf.30, Sec.Det.9, Sec.Det.10 | Sec.IR.1, Sec.Inf.13, Sec.Inf.8, Ops.2 | Sec.IR.10, Sec.IR.11, Sec.IR.2 | Sec.Inf.1, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IAM.4, Sec.Inf.25, Platform.1, Platform.2, Platform.4, Sec.DP.5 | Sec.Inf.14, Sec.IR.13, Sec.IR.2, Sec.IR.3, Sec.IR.5, Sec.IR.6, Sec.IR.7, Ops.3, Sec.Det.9, Sec.Det.10 | Sec.Inf.14, Ops.1, Ops.2 |
Exploitation | Sec.Det.1, Sec.Det.9, Sec.Det.10, Sec.Det.11, Sec.Inf.2, Sec.Inf.3, Sec.Det.5, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.27, Sec.Inf.28 | Sec.IAM.1, Sec.DP.7, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.20, Sec.Inf.21, Sec.Inf.22, Sec.Inf.23, Sec.Inf.24, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.27, Sec.Inf.28, Sec.Inf.32, Platform.3, Sec.DP.1, Sec.DP.5, Sec.DP.6 | Sec.Inf.2, Sec.DP.7, Sec.Inf.17, Sec.Inf.18, Sec.Inf.20, Sec.Inf.21, Sec.Inf.22, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.IR.12, Sec.Inf.30, Ops.2, Sec.DP.5, Sec.DP.6 | Sec.IR.1, Sec.Inf.1, Sec.Inf.9, Sec.Inf.30, Ops.2 | Sec.IR.10, Sec.IR.11, Sec.IR.2 | Sec.IAM.1, Sec.IAM.4, Sec.Inf.17, Sec.Inf.18, Sec.Inf.19, Sec.Inf.23, Sec.Inf.25, Sec.IR.14, Sec.IR.15, Platform.1, Platform.4, Sec.DP.5 | Sec.Det.2, Sec.Det.11, Sec.IR.14, Sec.IR.15, Sec.Inf.29, Ops.3, Sec.IR.7 | Sec.Inf.9, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2 |
Installation | Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.9, Sec.Det.10, Sec.Det.11, Sec.Inf.16, Sec.IR.14, Sec.IR.15, Sec.IR.12 | Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.22, Sec.Inf.23, Sec.Inf.26, Sec.Inf.32, Sec.IR.12, Sec.DP.5, Sec.DP.6 | Sec.Inf.14, Sec.Inf.17, Sec.Inf.18, Sec.Inf.22, Sec.Inf.23, Sec.Inf.26, Sec.IR.13, Sec.IR.12, Sec.DP.6 | Sec.Inf.8, Sec.Inf.14, Sec.Inf.19, Sec.Inf.26, Sec.IR.13, Ops.2 | Sec.IR.10, Sec.IR.11 | Sec.IAM.4, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.Inf.25, Sec.IR.14, Sec.IR.15, Platform.1, Platform.4, Sec.DP.5 | Sec.Inf.14, Sec.Inf.15, Sec.Inf.16, Sec.IR.13, Sec.IR.7 | Sec.Inf.10, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2 |
Command and Control | Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.11, Sec.Inf.8, Sec.Inf.12, Sec.IR.14, Sec.IR.15 | Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IR.14, Sec.IR.15 | Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.IR.14, Sec.IR.15, Sec.IR.1, Sec.IR.4, Ops.2 | Sec.IR.1, Sec.IR.4, Ops.2 | Sec.IR.10 | Sec.IAM.2, Sec.IAM.4, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.25, Sec.Inf.30, Platform.1, Platform.2, Platform.4 | Sec.IR.14, Sec.IR.15, Sec.Inf.29, Sec.IR.1, Ops.3 | Sec.Inf.9, Sec.Inf.14, Sec.IR.13, Ops.1, Ops.2, Ops.4 |
Actions on Objectives | Sec.Det.1, Sec.Det.6, Sec.Det.3, Sec.Det.4, Sec.Det.11, Sec.Inf.8, Sec.Inf.13, Sec.IR.14, Sec.IR.15, Sec.DP.4 | Sec.IAM.2, Sec.IAM.4, Sec.IAM.5, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.DP.1, Sec.DP.2 | Sec.IAM.2, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.IR.14, Sec.IR.15, Sec.IR.5, Ops.2 | Sec.IAM.2, Sec.Inf.9, Sec.Inf.17, Sec.Inf.18, Sec.Inf.23, Sec.DP.4 | Sec.IR.10 | Sec.IAM.2, Sec.IAM.4, Sec.Inf.3, Sec.Inf.5, Sec.Inf.6, Sec.Inf.25, Platform.1, Platform.4 | Sec.IR.14, Sec.IR.15, Sec.Inf.29, Sec.IR.1, Ops.3, Sec.IR.7 | Sec.Inf.9, Sec.IR.13, Ops.1, Ops.4 |
Note
**Defined in the 2006 version of JP 3-13, as documented in Mitre, "Characterizing Effects on the Cyber Adversary, A Vocabulary for Analysis and Assessment", https://www.mitre.org/sites/default/files/publications/characterizing-effects-cyber-adversary-13-4173.pdf