SEC04-BP03 Automate response to events
Using automation to investigate and remediate events reduces human effort and error, and allows you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate.
In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis.
Detecting change and routing this information to the correct workflow can also be
accomplished using AWS Config Rules and Conformance Packs. AWS Config detects changes to in-scope services (though with higher
latency than EventBridge) and generates events that can be parsed using AWS Config Rules for rollback, enforcement
of compliance policy, and forwarding of information to systems, such as change management
platforms and operational ticketing systems. As well as writing your own Lambda functions to
respond to AWS Config events, you can also take advantage of the AWS Config Rules Development Kit
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
-
Implement automated alerting with GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Turn on GuardDuty and configure automated alerts.
-
Automate investigation processes: Develop automated processes that investigate an event and report information to an administrator to save time.
Resources
Related documents:
Related videos:
Related examples: