SEC04-BP04 Implement actionable security events

Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you use Amazon GuardDuty, it generates different findings. You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.

Level of risk exposed if this best practice is not established: Low

Implementation guidance

• Discover metrics available for AWS services: Discover the metrics that are available through Amazon CloudWatch for the services that you are using.

  • AWS service documentation

  • Using Amazon CloudWatch Metrics

• Configure Amazon CloudWatch alarms.

  • Using Amazon CloudWatch Alarms

Resources

Related documents:

• Amazon CloudWatch

• Amazon EventBridge

• Security Partner Solutions: Logging and Monitoring

Related videos:

• Centrally Monitoring Resource Configuration and Compliance

• Remediating Amazon GuardDuty and AWS Security Hub Findings

• Threat management in the cloud: Amazon GuardDuty and AWS Security Hub