Responsive controls - AWS Prescriptive Guidance

Responsive controls

Responsive controls are security controls that are designed to drive remediation of adverse events or deviations from your security baseline. Examples of technical responsive controls include patching a system, quarantining a virus, shutting down a process, or rebooting a system.

Review the following about this type of control:

Objectives

  • Responsive controls can help you create runbooks for common types of attacks, such as phishing or brute force.

  • Responsive controls can implement automated responses to potential security issues.

  • Responsive controls can automatically remediate unintended or unapproved actions on AWS resources, such as deleting unencrypted S3 buckets.

  • Responsive controls can be orchestrated to work with preventative and detective controls to create a holistic and proactive approach for addressing potential security incidents.

Process

Detective controls are a prerequisite for establishing responsive controls. You must be able to detect a security issue before you can remediate it. You can then establish a policy or response for that issue. For example, for a brute force attack, you would define a remediation process. After the remediation process exists, you can automate it as a script by using a scripting or programming language, such as a shell script.

Consider whether the responsive control might break an existing production workload. For example, if the detective control is "S3 buckets must not be publicly accessible" and the remediation is "turn off public access for the Amazon S3 bucket," this could have significant implications for your company and its customers. If the S3 bucket is serving a public website, turning off public access could create an outage. Databases are a similar example. If a database must not be publicly accessible through the internet, turning off public access could break connectivity to the application that depends on it.

Use cases

  • Automatic response to detected security events

  • Automatic remediation of detected security vulnerabilities

  • Automated recovery control to reduce operational downtime

Technology

Security Hub

AWS Security Hub automatically sends all new findings and all updates of existing findings to EventBridge as events. You can also create custom actions that send selected findings and insight results to EventBridge. You can configure EventBridge to respond to each type of event. The event can initiate an AWS Lambda function that performs the remediation action.
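As an added example (not code from this guidance or from AWS), the following sketches the Lambda remediation step in the Security Hub flow above while respecting the production caveat from the Process section: a bucket that serves a static website is skipped and reported instead of blocked. The sample event, the bucket names, and the FakeS3 client are constructed so that it runs offline; in a real function you would pass boto3.client("s3") instead.

```python
# Constructed sample: two FAILED Security Hub findings (ASFF fields, made-up bucket names).
SAMPLE_EVENT = {"detail": {"findings": [
    {"Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-data-bucket"}]},
    {"Compliance": {"Status": "FAILED"},
     "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-www-bucket"}]}]}}

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

class FakeS3:
    """Constructed stand-in for boto3's S3 client so the module runs offline."""
    def __init__(self, website_buckets=()):
        self.website_buckets, self.blocked = set(website_buckets), []
    def get_bucket_website(self, Bucket):
        if Bucket not in self.website_buckets:
            raise Exception("NoSuchWebsiteConfiguration")  # boto3 raises ClientError here
        return {"IndexDocument": {"Suffix": "index.html"}}
    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.blocked.append(Bucket)  # recorded instead of applied

def bucket_names(event):
    """Bucket names from FAILED AwsS3Bucket resources in the event's findings."""
    return [res["Id"].rsplit(":::", 1)[-1]
            for f in event.get("detail", {}).get("findings", [])
            if f.get("Compliance", {}).get("Status") == "FAILED"
            for res in f.get("Resources", []) if res.get("Type") == "AwsS3Bucket"]

def serves_website(s3, bucket):
    """True when the bucket has a static website configuration: it is deliberately
    public, and blocking public access would take the site down."""
    try:
        s3.get_bucket_website(Bucket=bucket)
        return True
    except Exception:  # NoSuchWebsiteConfiguration (or access denied)
        return False

def remediate(event, s3):
    """Block public access on each flagged bucket unless it serves a website.
    Returns {bucket: "blocked" | "skipped"} so every decision is auditable."""
    outcome = {}
    for bucket in bucket_names(event):
        if serves_website(s3, bucket):
            outcome[bucket] = "skipped"  # left for a human to review
        else:
            s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
            outcome[bucket] = "blocked"
    return outcome

if __name__ == "__main__":  # in Lambda, the handler would pass boto3.client("s3") instead
    print(remediate(SAMPLE_EVENT, FakeS3(website_buckets={"example-www-bucket"})))
```

Logging the returned outcome map gives you the audit trail for both the automatic fixes and the buckets that were deliberately left alone.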

AWS Config

AWS Config uses rules to evaluate your AWS resources and helps you remediate noncompliant resources. AWS Config applies remediation using AWS Systems Manager Automation. In Automation documents, you define the actions that you want to perform on resources that AWS Config determines to be noncompliant. After you create Automation documents, you can use them in Systems Manager through the AWS Management Console or by using APIs. You can choose to either manually or automatically remediate noncompliant resources.

Business outcomes

Minimize data loss

After a cybersecurity incident, using responsive security controls can help minimize data loss and damage to the system or network. Responsive controls can also help restore critical business systems and processes as quickly as possible, adding to the resilience of your workloads.

Reduce cost

Automation reduces costs associated with human resources because team members don't have to manually respond to incidents or otherwise manage them on a case-by-case basis.