SEC10-BP06 Pre-deploy tools
Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.
To automate security engineering and operations functions, you can use a comprehensive set
of APIs and tools from AWS. You can fully automate identity management, network security, data
protection, and monitoring capabilities and deliver them using popular software development
methods that you already have in place. When you build security automation, your system can
monitor, review, and initiate a response, rather than having people monitor your security
position and manually react to events. An effective way to automatically provide searchable and
relevant log data across AWS services to your incident responders is to turn on Amazon Detective
If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.
You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then run that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.
For tools that run within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which allows you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.
Level of risk exposed if this best practice is not established: Low
Implementation guidance
-
Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed in AWS so that an appropriate response can be made to an incident.
-
Implement resource tagging: Tag resources with information, such as a code for the resource under investigation, so that you can identify resources during an incident.
Resources
Related documents:
Related videos: