DEV Community

Cover image for AWS Certified Security - Specialty | Incident response (notes)
Oleg Chursin
Oleg Chursin

Posted on

AWS Certified Security - Specialty | Incident response (notes)

While getting ready to sit AWS Certified Security - Specialty exams, I jotted down a few notes. Breaking them into sections corresponding to the exam domains. Let's start with Incident Response in this post.

Each note starts with a problem/situation statement in bold followed up with either a service description or a list of practical actions to be taken in response to the stated problem.

Your AWS account has been compromised. Your immediate actions.

  • Change your AWS account root user password.
  • Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
  • Delete any potentially compromised IAM users, and change the password for all other IAM users.
  • Delete any resources on your account you didn’t create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.

Isolate any compromised instances so that they cannot communicate with any other instances in your VPC or with any third party command and control server.

Create a restrictive Security Group which only allows SSH from a single forensic workstation. Use Lambda to replace the existing Security Group with the newly created restrictive Security Group as soon as the instance is detected as being compromised. You cannot apply a Network ACL to an instance because ACLs apply to the whole subnet.

Enable CloudTrail logging in all regions where you currently have AWS infrastructure

Enable multi-region CloudTrail. You can configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. When a new region launches in the AWS partition, CloudTrail automatically creates a trail for you in the new region with the same settings as your original trail.

Service that uses machine learning to help monitor malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3.

Amazon GuardDuty is the only solution that that uses machine learning to help monitor malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3. It has a build-in list of suspect IP addresses and you can also upload your own lists of IPs. GuardDuty can trigger CloudWatch events which can then be used for a variety of activities like notifications or automatically responding to a threat. AWS Macie is a service to discovery and classify potentially sensitive information. CloudWatch alone lacks the business rules that are provided with GuardDuty.

Quickly block this malicious activity from a specific range of IP addresses.

Create a Network ACL to deny access to any traffic coming from this IP range. A Network Access Control List is an optional layer of security for your VPC which acts as a firewall, controlling traffic in and out of one or more subnets. Security Groups cannot be used to explicitly deny traffic from a known IP range. Flow Logs are used to monitor network traffic, but cannot be used to block traffic. GuardDuty only detects malicious activity, it cannot block traffic.

Restrict user ability to launch EC2 instances and change Security Group settings at any time.

Implement event based security using CloudTrail and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. CloudWatch Events can respond to unauthorized actions detected by CloudTrail and send SNS notifications to report security breaches.

IDS/IPS - intrusion detection systems, intrusion prevention systems.

If you are running a third-party IDS/IPS on EC2 and want to configure your IDS system to trigger an automated response to contain an attack by immediately shutting down affected systems if an intrusion is detected, you should send the IDS application logs to CloudWatch Logs, use CloudWatch to send an SNS notification alerting you of any incidents. Use Lambda to shut down affected systems.

Discussion (0)