AWS Well-Architected best practices important for detection

Posted by Ben Potter on Sunday, January 10, 2021


What is detection?

You can use detective controls to identify a potential security threat or incident. They are an essential part of governance frameworks and can be used to support a quality process, a legal or compliance obligation, and threat identification and response efforts. There are different types of detective controls. For example, an inventory of assets and their detailed attributes supports more effective decision making (and lifecycle controls) and helps establish operational baselines. You can also use internal auditing, an examination of controls related to information systems, to ensure that practices meet policies and requirements, and that you have configured the correct automated alerting notifications based on defined conditions. These controls are important reactive factors that can help your organization identify and understand the scope of anomalous activity.

In AWS, you can implement detective controls by processing logs, events, and monitoring data in a way that allows for auditing, automated analysis, and alarming. CloudTrail logs AWS API calls, CloudWatch provides monitoring of metrics with alarming, and AWS Config provides configuration history. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. Service-level logs are also available; for example, you can configure Amazon Simple Storage Service (Amazon S3) to log access requests.

How do you detect and investigate security events?

The AWS Well-Architected question related to detection is "How do you detect and investigate security events?" You need to capture and analyze events from logs and metrics to gain visibility, and then take action on security events and potential threats to help secure your workload.

The best practices are:

Configure service and application logging: Configure logging throughout the workload, including application logs, resource logs, and AWS service logs. For example, ensure that AWS CloudTrail, Amazon CloudWatch Logs, Amazon GuardDuty and AWS Security Hub are enabled for all accounts within your organization.

Analyze logs, findings, and metrics centrally: All logs, metrics, and telemetry should be collected centrally and automatically analyzed to detect anomalies and indicators of unauthorized activity. A dashboard can give you easy-to-access insight into real-time health. For example, ensure that Amazon GuardDuty and Security Hub findings are sent to a central location for alerting and analysis.

Automate response to events: Using automation to investigate and remediate events reduces human effort and error, and enables you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. For example, automate responses to Amazon GuardDuty events by automating the first investigation step, then iterate to gradually remove human effort.

Implement actionable security events: Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For example, ensure that Amazon GuardDuty and AWS Security Hub alerts are sent to the team to action, or sent to response automation tooling with the team remaining informed by messaging from the automation framework.
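The two practices above (automating the first investigation step, and making sure alerts carry what the team needs to act) can be shown together. The following is an added example, not code from the original post: it takes a GuardDuty finding in the shape EventBridge delivers it (the sample event and all of its identifiers are constructed), maps the numeric severity onto GuardDuty's Low/Medium/High bands, pulls out the resource identifier a responder needs first, and decides a routing action. The routing policy itself (page for high, ticket for medium, log for low) is an assumption for this example, not an AWS default.

```python
"""Turn a GuardDuty finding (as delivered by EventBridge) into an actionable alert.

Added example, not code from the original post. The event layout follows the
GuardDuty finding format; every value in SAMPLE_EVENT is constructed.
"""
import json

# Constructed sample event, modelled on the EventBridge envelope for a GuardDuty finding.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        "severity": 8.0,
        "accountId": "111122223333",
        "region": "us-east-1",
        "title": "Credentials used from outside AWS",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE", "userName": "ExampleUser"},
        },
        "service": {
            "count": 3,
            "eventFirstSeen": "2021-01-10T00:00:00Z",
            "eventLastSeen": "2021-01-10T01:00:00Z",
        },
    },
}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity (1.0-8.9) onto its Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def describe_resource(resource: dict) -> str:
    """Return the identifier a responder needs first, depending on the resource type."""
    kind = resource.get("resourceType")
    if kind == "Instance":
        return f"EC2 instance {resource['instanceDetails']['instanceId']}"
    if kind == "AccessKey":
        key = resource["accessKeyDetails"]
        return f"IAM user {key.get('userName', '?')} (access key {key.get('accessKeyId', '?')})"
    if kind == "S3Bucket":
        names = [b["name"] for b in resource.get("s3BucketDetails", [])]
        return "S3 bucket(s) " + ", ".join(names)
    return f"{kind} (see finding for details)"


def route_for(label: str) -> str:
    """Routing policy assumed for this example: high findings page the on-call team and
    start the first automated investigation step, medium open a ticket, low are logged."""
    return {"HIGH": "page-oncall+auto-investigate", "MEDIUM": "ticket", "LOW": "log-only"}[label]


def build_alert(event: dict) -> dict:
    """Build the alert record that is sent to the team or the response automation."""
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    svc = finding.get("service", {})
    alert = {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "type": finding["type"],
        "severity": label,
        "resource": describe_resource(finding.get("resource", {})),
        "occurrences": svc.get("count", 1),
        "first_seen": svc.get("eventFirstSeen"),
        "last_seen": svc.get("eventLastSeen"),
        "route": route_for(label),
    }
    # One-line summary suitable for a chat or e-mail notification.
    alert["summary"] = (
        f"[{label}] {finding['type']} in {finding['accountId']}/{finding['region']}: "
        f"{alert['resource']} ({alert['occurrences']}x, last seen {alert['last_seen']})"
    )
    return alert


if __name__ == "__main__":
    print(json.dumps(build_alert(SAMPLE_EVENT), indent=2))
```

In practice this function would sit in a Lambda function subscribed to an EventBridge rule for GuardDuty findings; the point of the structure is that the resource, account, region, occurrence count and route are all present in the message, so the person (or automation) receiving it does not have to open the console to find out what to do.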

Take Action

The most important first steps:

  1. Configure a trail in CloudTrail: Configuring a trail enables you to store logs for longer than the default period and analyze them later. Ideally your CloudTrail logs should be stored in S3, in an account dedicated to storing critical logs. The reason is that someone might accidentally or deliberately delete your critical logs; if they are in a separate dedicated account, you can simply grant read-only access where necessary. (Links: Creating a trail in CloudTrail; Lab: Automated Deployment of Detective Controls)

  2. Configure Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously looks for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Enable GuardDuty and configure automated alerts to email using the lab. (Links: Amazon GuardDuty; Lab: Automated Deployment of Detective Controls)

  3. Enable AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were previously configured, so that you can see how the configurations and relationships change over time. (Links: AWS Config; Lab: Automated Deployment of Detective Controls)
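Once the trail, GuardDuty and Config are in place, the controls themselves become something to watch: the API calls that stop a trail, delete a detector or stop the configuration recorder are rare and high impact, and root-account activity is always worth a look. The following is an added example, not code from the original post or the labs it links to. It parses a CloudTrail log file in the format CloudTrail delivers to S3 ({"Records": [...]}) and flags those two conditions; the records, ARNs, IDs and IP addresses are constructed, and the rule set is this example's own choice of API names.

```python
"""Scan CloudTrail records for tampering with detective controls and for root usage.

Added example, not from the original post. SAMPLE_LOG_FILE is constructed in the
CloudTrail log file layout; all identifiers and addresses in it are made up.
"""
import json

SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2021-01-10T09:14:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "eventID": "evt-0001", "recipientAccountId": "111122223333"},
    {"eventVersion": "1.08", "eventTime": "2021-01-10T09:20:45Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"},
     "eventID": "evt-0002", "recipientAccountId": "111122223333"},
    {"eventVersion": "1.08", "eventTime": "2021-01-10T09:31:10Z",
     "eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"detectorId": "12abc34d567e8f901234567890abcdef"},
     "eventID": "evt-0003", "recipientAccountId": "111122223333"},
    {"eventVersion": "1.08", "eventTime": "2021-01-10T10:02:33Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "111122223333",
                      "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "eventID": "evt-0004", "recipientAccountId": "111122223333"},
]})

# API calls that disable or weaken the detective controls. Each of these deserves an
# alert even when it is a legitimate change, because it is rare and high impact.
CONTROL_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "guardduty.amazonaws.com": {"DeleteDetector", "UpdateDetector", "DisassociateFromMasterAccount"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
}


def actor(record: dict) -> str:
    """Best available identity string for the caller of this API call."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def evaluate(record: dict) -> list:
    """Return (rule, detail) pairs for every rule this record matches."""
    hits = []
    src, name = record.get("eventSource"), record.get("eventName")
    if name in CONTROL_TAMPERING.get(src, ()):
        target = record.get("requestParameters") or {}
        hits.append(("detective-control-tampering", f"{src}:{name} on {json.dumps(target)}"))
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append(("root-account-activity", f"{name} from {record.get('sourceIPAddress')}"))
    return hits


def scan_log_file(text: str) -> list:
    """Parse one CloudTrail log file and return an alert dict per rule hit."""
    alerts = []
    for rec in json.loads(text).get("Records", []):
        for rule, detail in evaluate(rec):
            alerts.append({
                "time": rec.get("eventTime"),
                "account": rec.get("recipientAccountId"),
                "region": rec.get("awsRegion"),
                "rule": rule,
                "actor": actor(rec),
                "event_id": rec.get("eventID"),
                "detail": detail,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log_file(SAMPLE_LOG_FILE):
        print(json.dumps(a))
```

Running this from the dedicated log account (for example from a Lambda function triggered by S3 object notifications on the log bucket) means the check keeps working even if logging is switched off in the workload account, because the record of the StopLogging call itself is delivered before the trail stops.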

Next steps:

  1. Enable logging of AWS services: Enable the logging of AWS services to meet your requirements. Logging capabilities include the following: VPC Flow Logs, ELB logs, S3 bucket logs, CloudFront access logs, Route 53 query logs, and Amazon RDS logs. (Link: AWS Answers: native AWS security-logging capabilities)

  2. Enable logging of operating systems and applications: Evaluate and enable operating system and application-specific logs to detect suspicious behavior. (Links: Getting started with CloudWatch Logs; Developer Tools/Log Analysis)

  3. Enable AWS Security Hub: AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you check your compliance with security industry standards and best practices. Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. (Link: AWS Security Hub)

  4. As a start for analyzing CloudTrail logs, test Amazon Athena. (Link: Configuring Athena to analyze CloudTrail logs)

  5. Implement centralized logging in AWS: AWS provides an example solution to centralize logging from multiple sources. (Link: Centralized logging solution)

  6. Discover metrics available for AWS services: Discover the metrics that are available through CloudWatch for the services that you are using. Create alarms to alert when thresholds are exceeded; for example, an instance with abnormally high network bandwidth might indicate a denial of service. (Links: Using Amazon CloudWatch Metrics; Using Amazon CloudWatch Alarms)
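The network-bandwidth alarm in step 6 raises two practical questions: where the threshold comes from, and how to keep a single noisy datapoint from paging someone. The following is an added example, not code from the original post, and it does not call CloudWatch; it works offline on constructed NetworkOut datapoints. It derives a threshold from a baseline of normal traffic (mean plus three standard deviations, an assumption of this example) and then evaluates the alarm the way CloudWatch does, as "M out of the last N datapoints breaching" (Datapoints to Alarm out of Evaluation Periods).

```python
"""Derive an alarm threshold from a baseline and evaluate it M-of-N style.

Added example, not from the original post. Datapoints are constructed: 5-minute
NetworkOut sums in bytes for one instance, first a quiet baseline and then the
most recent periods.
"""
import statistics

# Constructed baseline: twelve quiet 5-minute periods, roughly 50 MB each.
BASELINE_NETWORK_OUT = [48e6, 51e6, 50e6, 49e6, 52e6, 47e6,
                        50e6, 53e6, 49e6, 51e6, 50e6, 48e6]

# Constructed recent periods: one normal value followed by two abnormal ones.
RECENT_NETWORK_OUT = [52e6, 900e6, 950e6]


def baseline_threshold(history: list, k: float = 3.0) -> float:
    """Threshold = mean + k * sample standard deviation of the baseline (assumed rule).

    A wider window (days, not hours) and a per-instance or per-ASG baseline would be
    used in practice; the mechanism is the same.
    """
    if len(history) < 2:
        raise ValueError("need at least two baseline datapoints")
    return statistics.mean(history) + k * statistics.stdev(history)


def evaluate_alarm(datapoints: list, threshold: float,
                   evaluation_periods: int = 3, datapoints_to_alarm: int = 2) -> str:
    """Return "ALARM" or "OK" using CloudWatch's M-of-N semantics.

    Only the last `evaluation_periods` datapoints are considered, and the alarm fires
    when at least `datapoints_to_alarm` of them exceed the threshold. Requiring 2 of 3
    means one isolated spike stays OK, while a sustained rise still alarms quickly.
    """
    if datapoints_to_alarm > evaluation_periods:
        raise ValueError("datapoints_to_alarm cannot exceed evaluation_periods")
    window = datapoints[-evaluation_periods:]
    breaching = sum(1 for value in window if value > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def alarm_summary(history: list, recent: list) -> dict:
    """Bundle the computed threshold and the state for a notification or a dashboard."""
    threshold = baseline_threshold(history)
    return {
        "metric": "AWS/EC2 NetworkOut (bytes per 5 minutes)",
        "threshold_bytes": round(threshold),
        "recent": recent,
        "state": evaluate_alarm(recent, threshold),
    }


if __name__ == "__main__":
    print(alarm_summary(BASELINE_NETWORK_OUT, RECENT_NETWORK_OUT))
```

The same M-of-N choice is what you set on a real CloudWatch alarm (Evaluation Periods and Datapoints to Alarm); computing the threshold from a baseline rather than picking a round number is what keeps the alarm meaningful for instances whose normal traffic differs by an order of magnitude.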

Further reading: AWS Well-Architected Security Pillar