MLSEC-13: Monitor human interactions with data for anomalous activity

Ensure that data access logging is enabled. Audit for anomalous data access events, such as access events from abnormal locations, or activity exceeding the baseline for that entity. Use services and tools that support anomalous activity alerting, and combine their use with data classification to assess risk. Evaluate using services to aid in monitoring data access events.

Implementation plan

• Enable data access logging - Verify that you have data access logging for all human CRUD (create, read, update, and delete) operations, including the details of who accessed what elements, what action they took, and at what time.

• Classify your data - Use Amazon Macie for protecting and classifying training and inference data in Amazon S3. Amazon Macie is a fully managed security service. It uses ML to automatically discover, classify, and protect sensitive data in AWS. The service recognizes sensitive data, such as personally identifiable information (PII) or intellectual property.

• Monitor and protect - Use Amazon GuardDuty to monitor for malicious and unauthorized activities. This will enable protecting AWS accounts, workloads, and data stored in Amazon S3.

  Documents

• Amazon SageMaker Incident Response - Logging & Monitoring

• Amazon GuardDuty S3 Finding Types - which aid in anomaly detection for S3 resource access events.

Blogs

• Building a Self-Service, Secure, & Continually Compliant Environment on AWS

• How to Use New Advanced Security Features for Amazon Cognito user pools

• Best practices for setting up Amazon Macie with AWS Organizations

Videos

• Protect Your Data in S3 with Amazon Macie and Amazon GuardDuty - AWS Online Tech Talks

• AWS re:Invent 2020: Protecting sensitive data with Amazon Macie and Amazon GuardDuty

Examples

• Controlling and auditing data exploration activities with Amazon SageMaker Studio and AWS Lake Formation