Incident Response - AWS Well-Architected Framework

Incident Response

SEC 10  How do you anticipate, respond to, and recover from incidents?

Preparation is critical to timely and effective investigation of, response to, and recovery from security incidents, and it minimizes the disruption an incident causes your organization.

Best Practices:

  • Identify key personnel and external resources: Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident.

  • Develop incident management plans: Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. Include how you would communicate and escalate both internally and externally.

  • Prepare forensic capabilities: Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation.

  • Automate containment capability: Automate containment and recovery of an incident to reduce response times and organizational impact.

  • Pre-provision access: Ensure that incident responders have the correct access pre-provisioned into AWS to reduce the time for investigation through to recovery.

  • Pre-deploy tools: Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.

  • Run game days: Practice incident response game days (simulations) regularly, incorporate lessons learned into your incident management plans, and continuously improve.
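The following is an added example, not text or code from the AWS Well-Architected Framework, illustrating the "Prepare forensic capabilities" and "Automate containment capability" practices above as one runbook for a compromised EC2 instance. It snapshots the instance's EBS volumes before isolating it (containment changes state, so evidence is captured first), swaps its security groups for a pre-created isolation group with no rules, enables termination protection, and tags the instance with a case ID. The function only calls methods that exist on boto3's EC2 client (describe_instances, create_snapshot, modify_instance_attribute, create_tags), so in production you would pass boto3.client("ec2"); here a constructed FakeEc2 records the calls so the example runs offline. All instance, volume, security-group and case identifiers are made up for the demo.

```python
"""Added example: automated EC2 containment runbook (evidence first, then isolate)."""
from dataclasses import dataclass, field


@dataclass
class ContainmentReport:
    instance_id: str
    snapshot_ids: list = field(default_factory=list)
    previous_groups: list = field(default_factory=list)   # kept so isolation can be reversed
    isolation_group: str = ""
    termination_protected: bool = False


def contain_instance(ec2, instance_id, isolation_sg, case_id):
    """Snapshot, isolate, protect and tag one instance; returns a ContainmentReport."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    reservations = resp.get("Reservations", [])
    if not reservations or not reservations[0].get("Instances"):
        raise ValueError(f"instance {instance_id} not found")
    inst = reservations[0]["Instances"][0]
    report = ContainmentReport(instance_id=instance_id)

    # 1. Preserve evidence: snapshot every attached EBS volume before touching the instance.
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping.get("Ebs", {}).get("VolumeId")
        if not vol:
            continue
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"IR case {case_id}: {instance_id} {mapping.get('DeviceName', '')}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IRCase", "Value": case_id}]}],
        )
        report.snapshot_ids.append(snap["SnapshotId"])

    # 2. Contain: replace all security groups with the isolation group (assumed to be
    #    pre-created with no inbound or outbound rules). Record the old groups first.
    report.previous_groups = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    report.isolation_group = isolation_sg

    # 3. Stop anyone (or any automation) from terminating the instance mid-investigation.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    report.termination_protected = True

    # 4. Tag so responders and downstream automation can find the contained instance.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "IRCase", "Value": case_id},
                          {"Key": "IRStatus", "Value": "contained"}])
    return report


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client; records every call it receives."""

    def __init__(self, instance):
        self.instance = instance  # None simulates an instance that does not exist
        self.calls = []
        self._n = 0

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [self.instance]}] if self.instance else []}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        self._n += 1
        return {"SnapshotId": f"snap-{self._n:017x}"}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


SAMPLE_INSTANCE = {  # constructed sample; not a real instance
    "InstanceId": "i-0123456789abcdef0",
    "SecurityGroups": [{"GroupId": "sg-0aaa"}, {"GroupId": "sg-0bbb"}],
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
        {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}},
    ],
}


def demo():
    """Run the runbook against the fake client; returns (client, report)."""
    ec2 = FakeEc2(SAMPLE_INSTANCE)
    report = contain_instance(ec2, SAMPLE_INSTANCE["InstanceId"], "sg-0isolate", "IR-0001")
    return ec2, report


if __name__ == "__main__":
    client, result = demo()
    print(result)
    for name, kwargs in client.calls:
        print(name, kwargs)
```

The report's previous_groups field is what makes the containment reversible once the investigation is closed; in a real deployment this function would be invoked by an EventBridge rule on a GuardDuty finding or by a responder with the pre-provisioned role, and the isolation security group and the IAM permissions for these four API calls are exactly the "pre-deployed tools" and "pre-provisioned access" the practices above call for.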