Part 4: Detective Controls in AWS
Security controls can be either technical or administrative. A layered security approach to protecting an organisation’s information assets and infrastructure should include preventative controls, detective controls and corrective controls.
Preventative controls exist to prevent the threat from coming in contact with the weakness. Detective controls exist to identify that the threat has landed in our systems. Corrective controls exist to mitigate or lessen the effects of the threat being manifested.
This post relates to detective controls within AWS Cloud. It’s the fourth in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.
Detective controls in AWS Cloud
AWS detective controls include processing of logs and monitoring of events that allow for auditing, automated analysis, and alarming.
These controls can be implemented using AWS CloudTrail logs to record AWS API calls, Service-specific logs (for Amazon S3, Amazon CloudFront, CloudWatch logs, VPC flow logs, ELB logs, etc) and AWS Config to maintain a detailed inventory of AWS resources and configuration. Amazon CloudWatch is a monitoring service for AWS resources and can be used to trigger CloudWatch events to automate security responses. Another useful tool is Amazon GuardDuty which is a managed threat detection service in AWS and continuously monitors for malicious or unauthorised.
Event Logging
Security event logging is crucial for detecting security threats or incidents. Security teams should produce, keep and regularly review event logs that record user activities, exceptions, faults and information security events. They should collect logs centrally and automatically analysed to detect suspicious behaviour. Automated alerts can monitor key metrics and events related to security. It is critical to analyse logs in a timely manner to identify and respond to potential security incidents. In addition, logs are indispensable for forensic investigations.
The challenge of managing logs
However, managing logs can be a challenge. AWS makes log management easier to implement by providing the ability to define a data-retention lifecycle or define where data will be preserved, archived, or eventually deleted. This makes predictable and reliable data handling simpler and more cost-effective.
The following list recommends use of AWS Trusted Advisor for detecting security threats within the AWS environment. It covers collection, aggregation, analysis, monitoring and retention of logs, and, monitoring security events and billing to detect unusual activity.
The checklist provides best practice for the following:
- Are you using Trusted Advisor?
- How are you capturing and storing logs?
- How are you analysing logs?
- How are you retaining logs?
- How are you receiving notification and alerts?
- How are you monitoring billing in your AWS account(s)?
Best-practice checklist
1. Are you using Trusted Advisor? |
|
2. How are you capturing and storing logs? |
|
3. How are you analysing logs? |
|
4. How are you retaining logs? |
|
5. How are you receiving notification and alerts? |
|
6. How are you monitoring billing in your AWS account(s)? |
|
Refer to the following AWS resources for more details:
- AWS Well-Architected Framework
- What is Amazon CloudWatch Logs?
- Fundamentals of Information Systems Security (David Kim, Michael G. Solomon) Definition of Preventative controls, Detective controls and Corrective controls.
Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
Read Part 1 – Identity and Access management in AWS: best-practice checklist
Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
Read Part 3 – Data protection in AWS: best-practice checklist
Read Part 4 – Detective Controls in AWS: best-practice checklist
Read Part 5 – Incident Response in AWS: best-practice checklist
Let us know in the comments below if we have missed anything in our checklist!
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.
Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.
Editor: Gordon Smith
