SEC09-BP03 Automate detection of unintended data access
Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can flag unusual Amazon Simple Storage Service (Amazon S3) read activity with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to detect connections, both successful and denied. Amazon S3 Access Analyzer
Level of risk exposed if this best practice is not established: Medium
Implementation guidance
- Automate detection of unintended data access: Use a tool or detection mechanism to automatically detect attempts to move data outside of defined boundaries, for example, to detect a database system that is copying data to an unrecognized host.
- Consider Amazon Macie: Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
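The flow-log detection described above (a database host sending data to an unrecognized destination, with both accepted and rejected connections surfaced) can be prototyped offline before it is wired into EventBridge. The following is an added example, not AWS code: it parses constructed VPC Flow Log records in the default version 2 format and assumes a hypothetical boundary made up of a watched database address, an allowed destination CIDR, and a byte threshold.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample VPC Flow Log records (default version 2 field order):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.40 5432 49152 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 203.0.113.77 5432 51000 6 9000 75000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 198.51.100.9 5432 51001 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.40 10.0.2.15 49152 5432 6 80 6400 1700000000 1700000060 ACCEPT OK
"""

# Assumed boundary definition (hypothetical values): the database hosts we watch,
# the networks allowed to receive data from them, and the volume that is "unusual".
DATABASE_HOSTS = {"10.0.2.15"}
ALLOWED_DESTINATIONS = [ipaddress.ip_network("10.0.0.0/16")]
BYTES_THRESHOLD = 10_000_000  # accepted flows below this size are treated as normal traffic


@dataclass
class Finding:
    src: str
    dst: str
    dst_port: int
    bytes: int
    action: str  # ACCEPT (data moved) or REJECT (attempt denied by a security group / NACL)


def parse_record(line):
    """Split one flow-log line into the fields the detector needs."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]), "bytes": int(f[9]), "action": f[12]}


def is_unrecognized(dst):
    """True when the destination address lies outside every allowed network."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in ALLOWED_DESTINATIONS)


def detect_unintended_transfers(log_text, bytes_threshold=BYTES_THRESHOLD):
    """Return findings for database hosts talking to unrecognized destinations."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("version"):
            continue  # skip blank lines and a header row if one is present
        r = parse_record(line)
        if r["src"] not in DATABASE_HOSTS or not is_unrecognized(r["dst"]):
            continue
        # Denied attempts are always reported; accepted flows only once they carry real volume.
        if r["action"] == "ACCEPT" and r["bytes"] < bytes_threshold:
            continue
        findings.append(Finding(r["src"], r["dst"], r["dstport"], r["bytes"], r["action"]))
    return findings
```

Running `detect_unintended_transfers(SAMPLE_FLOW_LOGS)` on the sample yields two findings: the 75 MB accepted transfer to 203.0.113.77 and the rejected attempt toward 198.51.100.9, while in-boundary and inbound flows are ignored.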
Resources
Related documents: