Security recommendations for responding to incidents - AWS Prescriptive Guidance

When a security event occurs in your organization, your users must be prepared to respond to the issue. All users should have a basic understanding of your organization's security response processes. Planning, training, and experience are critical to a successful incident response program. Ideally, you prepare your organization before a potential security event occurs. The AWS Well-Architected Framework identifies three foundations that are required for a successful incident response program in the cloud: preparation, operations, and post-incident activity. For more information, see Aspects of AWS incident response in the AWS Well-Architected Framework.

With the exception of security controls that notify you about events or automatically respond to them, there are few technical controls that you can establish for incident response. A strong incident response posture is primarily established through the plans, processes, runbooks, playbooks, and training programs that you use in your organization. You can use the controls and recommendations in this section to implement best practices for your incident response program. For more information about best practices for incident response and implementation guidance, see Incident response in the AWS Well-Architected Framework.

Define an incident response plan

Establish a well-defined incident response plan (IRP). The incident response plan is designed to be the foundation for your incident response program. This plan must be customized to address the needs of each organization.

For more information, see the following resources:

Create and maintain incident response runbooks and playbooks

A key part of preparing an incident response process is developing playbooks. Incident response playbooks provide a series of recommended steps that users follow when a security event occurs. Having a clear structure and defined steps simplifies the response and reduces the likelihood of human error.

For more information, see the following resources:

Implement event-driven security automation

Security response automation is a predefined and programmed action that is designed to automatically respond to or remediate a security event. These automations serve as detective or responsive security controls that help you implement AWS security best practices. Examples of automated response actions include modifying a VPC security group, patching an Amazon EC2 instance, or rotating credentials.

Many AWS services support automated responses. For example, you can configure an Amazon CloudWatch alarm for specific metrics, and the alarm can initiate action when the alarm changes state. Through Amazon EventBridge, you can also configure automated response and remediation for findings in AWS Security Hub and Amazon Inspector.
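The following is an added example (not code from this guide or from AWS) of the EventBridge-driven pattern described above: a rule pattern that selects high-severity Security Hub findings on EC2 instances, and a Lambda handler that responds by moving each affected instance into a quarantine security group. It assumes a quarantine security group with no ingress or egress rules already exists (the `sg-…` value is a placeholder), that the function's execution role is allowed `ec2:ModifyInstanceAttribute`, and that the EC2 client is injected so the logic can be exercised offline with a fake. The sample event is constructed in the shape of a "Security Hub Findings - Imported" event.

```python
"""Event-driven quarantine of EC2 instances from Security Hub findings.

Added example; assumptions are marked inline. The handler re-checks severity
and resource type in code rather than trusting the rule pattern alone.
"""
import re

# EventBridge rule pattern for the rule that targets this function.
# detail.findings is the list of ASFF findings carried by the event.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
            "Resources": {"Type": ["AwsEc2Instance"]},
        }
    },
}

# Placeholder for the pre-created quarantine group (assumption, not from the page).
QUARANTINE_SG = "sg-0123456789abcdef0"
THRESHOLD = ("HIGH", "CRITICAL")
INSTANCE_ARN = re.compile(
    r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:instance/(i-[0-9a-f]{8,17})$"
)


def instances_to_quarantine(event):
    """Return sorted instance IDs from ACTIVE findings at or above THRESHOLD."""
    ids = set()
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Severity", {}).get("Label") not in THRESHOLD:
            continue
        if finding.get("RecordState") != "ACTIVE":
            continue  # archived findings need no new response
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            match = INSTANCE_ARN.match(res.get("Id", ""))
            if match:
                ids.add(match.group(1))
    return sorted(ids)


def quarantine(event, ec2, quarantine_sg=QUARANTINE_SG):
    """Replace each affected instance's security groups with the quarantine group.

    `ec2` is a boto3 EC2 client (or a fake with the same method). Returns the
    list of instance IDs that were modified.
    """
    changed = []
    for instance_id in instances_to_quarantine(event):
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
        changed.append(instance_id)
    return changed


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module loads offline."""
    import boto3
    return {"quarantined": quarantine(event, boto3.client("ec2"))}


class FakeEC2:
    """Stand-in for the EC2 client that records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(kwargs)


# Constructed sample event: one CRITICAL instance finding, one LOW instance
# finding, and one HIGH finding on a bucket (ignored by this responder).
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Title": "Instance allows unrestricted inbound access",
         "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE",
         "AwsAccountId": "123456789012",
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}]},
        {"Title": "Low-severity instance finding",
         "Severity": {"Label": "LOW"}, "RecordState": "ACTIVE",
         "AwsAccountId": "123456789012",
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"}]},
        {"Title": "Bucket finding",
         "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE",
         "AwsAccountId": "123456789012",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    ]},
}

if __name__ == "__main__":
    fake = FakeEC2()
    print(quarantine(SAMPLE_EVENT, fake), fake.calls)
```

Replacing the instance's security groups is a containment step rather than a fix: the finding itself still has to be triaged, and the quarantine group should be one that your playbook already documents so responders know how to restore normal access afterwards.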

For more information, see the following resources:

Document how operational teams should engage with AWS Support

For your AWS account, you can define a primary contact and three alternate contacts. We recommend that you provide a security contact for each AWS account or for your organization.

AWS Support offers a range of plans that provide access to tools and expertise that can support the success and operational health of AWS solutions. Also, consider whether your organization would benefit from using AWS Managed Services instead of an AWS Support plan. AWS Managed Services (AMS) helps you operate more efficiently and securely by providing ongoing management of your AWS infrastructure, including monitoring, incident management, security guidance, patch support, and backup for AWS workloads. The AMS support model can be a better fit for organizations that have limited resources on their cloud operations teams. We recommend that you compare these models and plans to choose the best fit for your organization's use case and cloud maturity level.

For more information, see the following resources:

Configure alerts for security events

Detecting an abnormality is as important as the measures implemented to control that abnormality. An alert is the main component of the detection phase. It generates a notification to initiate the incident response process based on AWS account activity of interest. Make sure that alerts include relevant information for the team to take action.
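As an added example (not from this guide), the function below turns a CloudTrail record into an alert that carries the details a responder needs: who acted (resolving the underlying role for assumed-role sessions), what was called, in which account and Region, from which source IP, whether MFA was present, and whether the call succeeded. It also reports which of those fields were missing, so an incomplete alert is visible instead of silently sparse. The list of required fields and the runbook references are assumptions, and the sample record is constructed.

```python
"""Build an actionable alert from a CloudTrail record (added example)."""

# Fields a responder needs before acting (assumption, not from the page),
# mapped to the names used in the alert.
REQUIRED = {
    "eventTime": "when",
    "eventName": "action",
    "eventSource": "service",
    "awsRegion": "region",
    "recipientAccountId": "account",
    "sourceIPAddress": "source_ip",
}

# Placeholder runbook references keyed by API name (assumption).
RUNBOOKS = {
    "CreateAccessKey": "RUNBOOK-PLACEHOLDER/iam-credential-change",
    "default": "RUNBOOK-PLACEHOLDER/triage",
}


def resolve_actor(identity):
    """Return the principal behind the call.

    For AssumedRole sessions the session ARN names a temporary session, so the
    role ARN from sessionContext.sessionIssuer is the more useful identifier.
    """
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
        return issuer.get("arn") or identity.get("arn", "unknown")
    return identity.get("arn") or identity.get("userName") or "unknown"


def build_alert(record):
    """Return (alert, missing_fields) for one CloudTrail record."""
    identity = record.get("userIdentity", {})
    missing = [field for field in REQUIRED if field not in record]
    alert = {REQUIRED[field]: record.get(field) for field in REQUIRED}
    alert["actor"] = resolve_actor(identity)
    attrs = identity.get("sessionContext", {}).get("attributes", {})
    alert["mfa"] = attrs.get("mfaAuthenticated")
    alert["outcome"] = "denied" if "errorCode" in record else "succeeded"
    alert["error"] = record.get("errorMessage")
    alert["runbook"] = RUNBOOKS.get(record.get("eventName"), RUNBOOKS["default"])
    alert["complete"] = not missing
    return alert, missing


def format_alert(alert, missing):
    """Render the alert as the text body of a notification."""
    lines = [f"{key}: {value}" for key, value in alert.items()]
    if missing:
        lines.append("missing fields: " + ", ".join(missing))
    return "\n".join(lines)


# Constructed sample: a denied IAM call made through an assumed role without MFA.
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-session",
        "sessionContext": {
            "sessionIssuer": {"type": "Role",
                              "arn": "arn:aws:iam::123456789012:role/DeployRole"},
            "attributes": {"mfaAuthenticated": "false"},
        },
    },
    "eventTime": "2024-01-15T10:22:31Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateAccessKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "recipientAccountId": "123456789012",
    "errorCode": "AccessDenied",
    "errorMessage": "User is not authorized to perform: iam:CreateAccessKey",
}

if __name__ == "__main__":
    print(format_alert(*build_alert(SAMPLE_RECORD)))
```

The `complete` flag and the `missing` list are the check worth keeping: an alert that fires without the account, Region, or actor costs the on-call responder a lookup before they can start the playbook, which is exactly the delay the detection phase is meant to remove.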

For more information, see the following resources: