Options for Automating Response - AWS Security Incident Response Guide

Options for Automating Response

When choosing an automation option, balance the enterprise implementation against your organization structure. Figure 4 uses a radar chart to illustrate the differences in technical attributes for each automated response option in your AWS implementation. In the chart, the further a technical attribute sits from the center, the greater the strength of that attribute for the corresponding automation option. For example, AWS Lambda offers more speed and requires a less technical skillset. AWS Fargate offers more flexibility and requires less maintenance and a less technical skillset. Table 1 provides an overview of these automation options and a summary of the technical attributes of each.

Figure 4: Differences in technical attributes across automated response approaches (radar chart)

Table 1: Options for automated response

AWS Lambda
  Description: System using AWS Lambda only, using your organization's enterprise language.
  Attributes*: Speed, Flexibility, Maintenance, Skillset

AWS Step Functions
  Description: System using AWS Step Functions, Lambda, and SSM Agent.
  Attributes*: Speed, Flexibility, Maintenance, Skillset

Auto Remediation with AWS Config Rules
  Description: Set of AWS Config Rules and auto remediations that evaluate the environment and push it back into the approved specification.
  Attributes*: Maintenance & Skillset, Speed & Flexibility

SSM Agent
  Description: Set of automation rules and documents reviewing many pieces of the environments and internal systems and making corrections.
  Attributes*: Maintenance & Skillset, Speed, Flexibility

AWS Fargate
  Description: AWS Fargate system using open source step function code and the events from Amazon CloudWatch, and other systems, to drive detection and remediation.
  Attributes*: Flexibility, Speed, Maintenance & Skillset

Amazon EC2
  Description: A system running on a full instance, similar to the AWS Fargate option.
  Attributes*: Flexibility, Speed, Maintenance, Skillset

* Attributes are listed in descending order for each service or feature. For example, AWS Lambda offers more speed and requires a less technical skillset. AWS Fargate offers more flexibility, and requires less maintenance and a less technical skillset.

As you consider these automation options in your AWS environment, you also need to consider centralization and scan period (events per second [EPS]).

Centralization refers to a central account that drives all of the detection and remediation for an organization. This approach may seem like the best choice out-of-the-box, and it is the current best practice. However, some circumstances require that you deviate from this approach, and when to deviate depends on how you manage your subordinate accounts. We encourage you to get started by leveraging the approach of the Security Tooling account in the Multi-Account Framework in AWS Organizations or AWS Control Tower.
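The following is an added example, not code from the AWS guide, of what the centralized pattern looks like in a Lambda-style handler: the function runs in the central Security Tooling account, decides what to do from the incoming finding, and then assumes a role in the subordinate account to carry out the action. Everything specific is an assumption made for illustration: the role name SecurityToolingResponseRole, the quarantine security group taken from an environment variable, the list of onboarded member accounts, the severity threshold, and the constructed EventBridge-style event. The decision step is kept separate from the AWS calls so it can be exercised without credentials.

```python
"""Central Security Tooling account responder (added example, not from the AWS guide).

Assumptions, all illustrative: each member account exposes a role named
SecurityToolingResponseRole to the central account, the quarantine security
group id comes from the environment, and the event is an EventBridge-style
GuardDuty finding whose fields are constructed here for the sample.
"""
import logging
import os
from dataclasses import dataclass

logger = logging.getLogger(__name__)

RESPONSE_ROLE_NAME = "SecurityToolingResponseRole"           # hypothetical role name
QUARANTINE_SG = os.environ.get("QUARANTINE_SG", "sg-QUARANTINE-PLACEHOLDER")
# Accounts onboarded to the central responder; offboarding means removing an entry.
ONBOARDED_ACCOUNTS = {"111111111111", "222222222222"}       # constructed account ids

SAMPLE_EVENT = {  # constructed EventBridge event used as sample input
    "source": "aws.guardduty",
    "account": "111111111111",          # subordinate account that raised the finding
    "region": "us-east-1",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


@dataclass(frozen=True)
class ResponsePlan:
    member_account: str
    region: str
    role_arn: str
    action: str      # "isolate-instance", "tag-for-review" or "skip"
    target: str
    reason: str


def plan_response(event: dict) -> ResponsePlan:
    """Pure decision step: which account, which role, which action. No API calls."""
    account, region = event["account"], event["region"]
    role_arn = f"arn:aws:iam::{account}:role/{RESPONSE_ROLE_NAME}"
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId", "")
    if account not in ONBOARDED_ACCOUNTS:
        return ResponsePlan(account, region, role_arn, "skip", instance_id,
                            "account not onboarded to central response")
    if resource.get("resourceType") != "Instance" or not instance_id:
        return ResponsePlan(account, region, role_arn, "skip", instance_id,
                            "no EC2 instance target in finding")
    if float(detail.get("severity", 0)) >= 7.0:   # assumed threshold
        return ResponsePlan(account, region, role_arn, "isolate-instance",
                            instance_id, "high severity")
    return ResponsePlan(account, region, role_arn, "tag-for-review",
                        instance_id, "low or medium severity")


def boto3_client_factory(role_arn: str, region: str, service: str):
    """Assume the member-account role from the central account (real STS/boto3 calls)."""
    import boto3  # present in the Lambda runtime; imported lazily so the module loads offline
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="central-security-response")["Credentials"]
    return boto3.client(service, region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def execute(plan: ResponsePlan, client_factory=boto3_client_factory) -> str:
    """Carry out the plan inside the member account; returns the action taken."""
    if plan.action == "skip":
        logger.info("skipping %s: %s", plan.member_account, plan.reason)
        return "skip"
    ec2 = client_factory(plan.role_arn, plan.region, "ec2")
    if plan.action == "isolate-instance":
        # Replace the instance's security groups with the quarantine group.
        ec2.modify_instance_attribute(InstanceId=plan.target, Groups=[QUARANTINE_SG])
    else:
        ec2.create_tags(Resources=[plan.target],
                        Tags=[{"Key": "SecurityReview", "Value": plan.reason}])
    return plan.action


def lambda_handler(event, context=None, client_factory=boto3_client_factory):
    """Lambda entry point: plan, then act in the subordinate account."""
    plan = plan_response(event)
    return {"account": plan.member_account, "action": execute(plan, client_factory)}
```

The allow-list of onboarded accounts is where the onboarding/offboarding cost of centralization shows up: a finding from an account that has not been onboarded is logged and skipped rather than acted on, and adding or removing an account means changing that list and the role trust in the member account.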

Table 2: Pros and cons of centralization

Centralization
  Pros: Simple configuration management; Unable to cancel or modify response
  Cons: Increased complexity in architecture; Onboarding/offboarding accounts and resources

Decentralization
  Pros: Simple architecture; Faster initial setup
  Cons: More resources to manage; Difficulty maintaining a software baseline

A cost comparison for these implementations may also drive your enterprise decision in determining the best option. Events per second (EPS) is the metric that best estimates cost. Either a centralized or a decentralized approach may turn out to be far easier and cheaper for you, but this guide cannot evaluate that cost for your specific accounts. Make sure to consider EPS when sending events to a central account to be responded to: the more EPS, the higher the cost of sending those events to a centralized account.
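As an added example (not from the AWS guide) of sizing the centralized option by EPS, the script below takes a sample of events tagged with their source account, computes average and peak EPS per account and for the central account that would receive all of them, and projects how many events a chosen set of forwarding accounts would send per month. The event sample is constructed, the per-second bucketing and the 30-day month are assumptions, and no pricing is applied because the guide gives none; the point is that peak EPS (for sizing the responder) and average EPS (for volume cost) are different numbers.

```python
"""EPS profile of forwarded events (added example, not from the AWS guide).

Input is a constructed list of (ISO-8601 UTC timestamp, source account id)
pairs, as would be sampled from the events an organization forwards to its
central Security Tooling account.
"""
from collections import Counter
from datetime import datetime, timezone

SAMPLE_EVENTS = [  # constructed sample: 16 events across three accounts in 10 seconds
    ("2024-01-01T00:00:00Z", "111111111111"),
    ("2024-01-01T00:00:00Z", "111111111111"),
    ("2024-01-01T00:00:00Z", "111111111111"),
    ("2024-01-01T00:00:01Z", "111111111111"),
    ("2024-01-01T00:00:01Z", "222222222222"),
    ("2024-01-01T00:00:02Z", "111111111111"),
    ("2024-01-01T00:00:03Z", "333333333333"),
    ("2024-01-01T00:00:03Z", "333333333333"),
    ("2024-01-01T00:00:03Z", "333333333333"),
    ("2024-01-01T00:00:03Z", "333333333333"),
    ("2024-01-01T00:00:04Z", "222222222222"),
    ("2024-01-01T00:00:05Z", "111111111111"),
    ("2024-01-01T00:00:05Z", "111111111111"),
    ("2024-01-01T00:00:07Z", "222222222222"),
    ("2024-01-01T00:00:08Z", "333333333333"),
    ("2024-01-01T00:00:09Z", "111111111111"),
]

SECONDS_PER_MONTH = 30 * 24 * 3600   # assumed 30-day month
CENTRAL = "__central__"              # key for the aggregate a central account would see


def _epoch_second(ts: str) -> int:
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into whole UTC epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def eps_profile(events):
    """Per-account and central average/peak EPS over the sampled window.

    Average EPS = events / whole seconds spanned by the sample.
    Peak EPS    = most events seen in any single one-second bucket.
    """
    if not events:
        raise ValueError("no events in sample")
    seconds = [_epoch_second(ts) for ts, _ in events]
    window = max(seconds) - min(seconds) + 1
    per_account_second = Counter()   # (account, second) -> count
    per_account = Counter()          # account -> count
    for (_, account), sec in zip(events, seconds):
        per_account_second[(account, sec)] += 1
        per_account[account] += 1
    profile = {}
    for account, n in per_account.items():
        peak = max(c for (a, _), c in per_account_second.items() if a == account)
        profile[account] = {"events": n, "avg_eps": n / window, "peak_eps": peak}
    # What a single central account receives if every account forwards everything.
    profile[CENTRAL] = {"events": len(events), "avg_eps": len(events) / window,
                        "peak_eps": max(Counter(seconds).values())}
    return profile


def rank_by_load(profile):
    """Accounts ordered by average EPS, highest first (the biggest cost drivers)."""
    return sorted((a for a in profile if a != CENTRAL),
                  key=lambda a: profile[a]["avg_eps"], reverse=True)


def forwarded_events_per_month(profile, accounts):
    """Events per month the central account receives if only `accounts` forward."""
    return sum(profile[a]["avg_eps"] for a in accounts) * SECONDS_PER_MONTH


if __name__ == "__main__":
    prof = eps_profile(SAMPLE_EVENTS)
    for account in rank_by_load(prof) + [CENTRAL]:
        print(account, prof[account])
    print("monthly events if all forward:",
          forwarded_events_per_month(prof, rank_by_load(prof)))
```

The central-account peak is not the sum of the per-account peaks (here 4 against 3 + 1 + 4), because the accounts do not burst in the same second; that is why the responder should be sized from the aggregate profile rather than by adding up per-account figures, while the monthly volume that drives forwarding cost follows directly from the averages.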