Data protection - AMS Accelerate Operations Plan

Data protection

AMS Accelerate continuously monitors your managed accounts by leveraging native AWS services such as Amazon GuardDuty, Amazon Macie (optionally), and other internal proprietary tools and processes. After an alarm is triggered, AMS Accelerate assumes responsibility for the initial triage and response to the alarm. Our response processes are based on NIST standards. AMS Accelerate regularly tests its response processes using Security Incident Response Simulation with you to align your workflow with existing customer security response programs.

When AMS Accelerate detects any violation, or imminent threat of violation, of AWS or your security policies, we gather information, including impacted resources and any configuration-related changes. AMS Accelerate provides 24/7/365 follow-the-sun support with dedicated operators actively reviewing and investigating monitoring dashboards, incident queue, and service requests across all of your managed accounts. AMS Accelerate investigates the findings with our security experts to analyze the activity and notify you through the security escalation contacts listed in your account.

Based on our findings, AMS Accelerate engages with you proactively. If you believe the activity is unauthorized or suspicious, AMS works with you to investigate and remediate or contain the issue. Certain finding types generated by GuardDuty require you to confirm the impact before AMS Accelerate is able to take any action. For example, the GuardDuty finding type UnauthorizedAccess:IAMUser/ConsoleLogin indicates that one of your users has logged in from an unusual location; AMS notifies you and asks you to review the finding to confirm whether this behavior is legitimate.

Amazon Macie

We recommend, and AMS Accelerate supports, Macie to detect a large and comprehensive list of sensitive data, such as personal health information (PHI), personally identifiable information (PII), and financial data.

Macie can be configured to run periodically on any Amazon S3 bucket, automating the evaluation of any new or modified objects within a bucket over time. As security findings are generated, AMS will notify you and work with you to remediate as needed.

For more information, see Analyzing Amazon Macie findings.

GuardDuty

GuardDuty is a continuous security monitoring service that uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses or domains. GuardDuty also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments (for example, instances deployed in a Region that has never been used) or unusual API calls (for example, a password policy change that reduces password strength). For more information, refer to the GuardDuty User Guide.

To view and analyze your GuardDuty findings, use the following procedure.

  1. Open the GuardDuty console.

  2. Choose Findings, and then choose a specific finding to view details. The details for each finding differ depending on the finding type, resources involved, and nature of the activity.

For more information on available finding fields, see GuardDuty finding details.

GuardDuty suppression rules

A suppression rule is a set of criteria, consisting of a filter attribute paired with a value, used to filter findings by automatically archiving new findings that match the specified criteria. Suppression rules can be used to filter low-value findings, false positive findings, or known activities you do not intend to act on, making it easier to recognize the security threats with the most impact on your environment.

AMS has a defined set of criteria to identify suppression rules for your managed accounts. AMS implements suppression rules to filter false positive findings and reduce frequent unactionable notifications. When a managed account meets these criteria, AMS applies the filters and notifies you with the details of the deployed suppression filter via a service request (SR).

You can communicate with AMS via a service request (SR) to modify or revert the suppression filters.

Suppressed findings are not sent to AWS Security Hub, Amazon S3, or CloudTrail Events, reducing the volume of unactionable data if you consume GuardDuty findings via Security Hub or third-party SIEM, alerting, and ticketing applications.

GuardDuty continues to generate findings even when they match your suppression rules; however, those findings are automatically marked as archived. An archived finding is stored in GuardDuty for 90 days and can be viewed at any time during that period. You can view suppressed findings in the GuardDuty console by selecting Archived from the findings table, or through the GuardDuty API by calling ListFindings with a findingCriteria of service.archived equal to true.

Common Use Cases for Suppression Rules:

The following finding types have common use cases for applying suppression rules. Select the finding name to learn more about how to apply a suppression rule for that use case.

  • Recon:EC2/Portscan: Use a suppression rule to automatically archive findings generated by an authorized vulnerability scanner.

  • UnauthorizedAccess:EC2/SSHBruteForce: Use a suppression rule to automatically archive findings when the activity targets bastion instances.

  • Recon:EC2/PortProbeUnprotectedPort: Use a suppression rule to automatically archive findings when the activity targets intentionally exposed instances.
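The following Python example, added here and not part of AMS Accelerate or AWS documentation code, shows the two API operations the suppression-rule section describes: creating a suppression rule (a GuardDuty filter with the ARCHIVE action) scoped to one of the use cases above, and paging through archived findings with ListFindings and a service.archived equal to true criterion. The finding attribute paths for the remote IP and the instance ID are taken from GuardDuty's finding JSON and are assumptions of this example; the detector ID and the scanner IP are placeholders. The offline client class is a constructed stand-in so the example runs without AWS credentials; with boto3 installed, the main block uses the real client instead.

```python
"""Added example (not AMS or AWS code): GuardDuty suppression rules and archived findings."""
from typing import Any, Dict, Iterable, Iterator, List, Optional

# Attribute paths used in GuardDuty finding criteria. "type" and "service.archived" appear in
# the page text; the remote-IP and instance-ID paths are assumptions based on the finding JSON.
TYPE_ATTR = "type"
ARCHIVED_ATTR = "service.archived"
REMOTE_IP_ATTR = "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"
INSTANCE_ID_ATTR = "resource.instanceDetails.instanceId"


def build_suppression_criteria(finding_type: str,
                               remote_ips: Optional[Iterable[str]] = None,
                               instance_ids: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Build a FindingCriteria document that matches one finding type, optionally narrowed
    to known source IPs (e.g. an authorized scanner) or target instances (e.g. bastions).
    Narrowing matters: archiving every Recon:EC2/Portscan would also hide real scans."""
    criterion: Dict[str, Any] = {TYPE_ATTR: {"Equals": [finding_type]}}
    if remote_ips:
        criterion[REMOTE_IP_ATTR] = {"Equals": sorted(set(remote_ips))}
    if instance_ids:
        criterion[INSTANCE_ID_ATTR] = {"Equals": sorted(set(instance_ids))}
    return {"Criterion": criterion}


def create_suppression_rule(client: Any, detector_id: str, name: str,
                            criteria: Dict[str, Any], rank: int = 1) -> str:
    """Create a GuardDuty filter whose action is ARCHIVE, i.e. a suppression rule.
    Returns the filter name GuardDuty reports back."""
    response = client.create_filter(
        DetectorId=detector_id,
        Name=name,
        Description="Suppression rule created by the added example",
        Action="ARCHIVE",
        Rank=rank,
        FindingCriteria=criteria,
    )
    return response["Name"]


def iter_archived_finding_ids(client: Any, detector_id: str) -> Iterator[str]:
    """Yield the IDs of suppressed (archived) findings, following NextToken pagination.
    This is the ListFindings call with service.archived equal to true from the page."""
    kwargs: Dict[str, Any] = {
        "DetectorId": detector_id,
        "FindingCriteria": {"Criterion": {ARCHIVED_ATTR: {"Equals": ["true"]}}},
        "MaxResults": 50,
    }
    while True:
        response = client.list_findings(**kwargs)
        yield from response.get("FindingIds", [])
        token = response.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


class OfflineGuardDutyClient:
    """Constructed stand-in for boto3.client("guardduty") so the example runs offline.
    It mimics only the call shapes used above and records the filters it is asked to create."""

    def __init__(self, pages: List[List[str]]):
        self._pages = pages          # one list of finding IDs per ListFindings page
        self.filters: Dict[str, Dict[str, Any]] = {}

    def create_filter(self, **kwargs: Any) -> Dict[str, str]:
        self.filters[kwargs["Name"]] = kwargs
        return {"Name": kwargs["Name"]}

    def list_findings(self, **kwargs: Any) -> Dict[str, Any]:
        index = int(kwargs.get("NextToken", "0"))
        response: Dict[str, Any] = {"FindingIds": list(self._pages[index])}
        if index + 1 < len(self._pages):
            response["NextToken"] = str(index + 1)
        return response


if __name__ == "__main__":
    # Real usage: import boto3 lazily so the module still imports where boto3 is absent.
    try:
        import boto3
        client = boto3.client("guardduty")
        detector_id = client.list_detectors()["DetectorIds"][0]
    except Exception:  # no boto3 or no credentials: fall back to the constructed client
        client = OfflineGuardDutyClient(pages=[["finding-a", "finding-b"], ["finding-c"]])
        detector_id = "DETECTOR_ID_PLACEHOLDER"
    scanner_rule = build_suppression_criteria("Recon:EC2/Portscan",
                                              remote_ips=["203.0.113.10"])  # placeholder IP
    print("created:", create_suppression_rule(client, detector_id, "authorized-scanner", scanner_rule))
    for finding_id in iter_archived_finding_ids(client, detector_id):
        print("archived:", finding_id)
```

Because the rule is narrowed to the scanner's source IP rather than the whole finding type, a port scan from any other address still produces an active finding, which is the property to verify before asking AMS to deploy or modify a suppression filter via a service request.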

Data encryption

AMS Accelerate uses several AWS services for data encryption.

Amazon Simple Storage Service offers several object encryption options that protect data in transit and at rest. Server-side encryption encrypts your object before saving it on disks in its data centers and then decrypts it when you download the object. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For more information, see Data protection in Amazon S3.