Prepare Access to AWS Accounts - AWS Security Incident Response Guide

Prepare Access to AWS Accounts

During an incident, your incident response teams must have access to the environments and resources involved in the incident. Make sure that your teams have appropriate access to perform their duties before an event occurs. To do that, you must know what level of access your team members require (for example, what kinds of actions they are likely to take) and you must provision access in advance. This access is derived from your company’s governance, risk management, and compliance (GRC) policies. Your team members’ authentication and authorization should be documented and tested well before an event occurs to make sure they can perform a timely response without delays. To respond to an incident correctly, part of your preparation should be a review of how the AWS accounts are laid out and how the cross-account roles are allowed and organized.

At this stage, you must work closely with your developers, architects, partners, governance teams, and compliance teams to understand what level of access is necessary for responders. Identify and discuss the AWS account strategy and cloud identity strategy with your organization's cloud architects to understand what authentication and authorization methods are configured, for example:

  • Federation – A user assumes an IAM role in an AWS account from an Identity Provider.

  • Cross-account access – A user assumes an IAM role between multiple AWS accounts.

  • Authentication – A user authenticates as an AWS IAM user created within a single AWS account.

These options define the technical choices for authentication to AWS, and how you can gain access during a response, but some organizations might rely on another team or a partner to assist in the response. User accounts that are created specifically to respond to a security incident are often privileged in order to provide sufficient access. Therefore, use of these user accounts should be restricted, and they should not be used for daily activities.
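As an added example (not code from the guide), the following check audits a responder role's cross-account trust policy for the two properties this section asks you to prepare and test in advance: the role names a specific principal rather than an open one, and assuming it requires MFA. The account ID, role name and both policy documents are constructed placeholders.

```python
import json

# Constructed sample trust policies for an incident-responder role in a member
# account. The account ID and role name are placeholders, not real values.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},          # anyone may assume the role
        "Action": "sts:AssumeRole",         # no MFA condition
    }],
})

HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/SecurityResponders"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Return findings for every Allow statement that grants sts:AssumeRole."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        # "*" trusts everyone; an account root ARN trusts every identity in
        # that account that its own IAM policies permit, not a named responder.
        if any(p == "*" or p.endswith(":root") for p in aws_principals):
            findings.append(f"statement {idx}: principal {aws_principals} is not a named role or user")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {idx}: does not require aws:MultiFactorAuthPresent")
    return findings
```

The aws:MultiFactorAuthPresent key is only carried by sessions that authenticated with MFA, and some federation paths do not propagate it, so run the check against the identity path your responders actually use.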

Before you create new access mechanisms, work with your cloud teams to understand how your AWS accounts are organized and governed. Many customers use AWS Organizations to help centrally manage billing, share resources across their AWS accounts, and control access, compliance, and security. A core feature of Organizations is the ability to apply service control policies (SCPs) to groups of accounts, which gives you policy management at scale. For additional information about implementing governance mechanisms at scale, see AWS Governance at Scale. After you understand how your organization has organized and governed your AWS accounts, consider the following generalized response patterns to help identify which approaches are right for your organization.