Even with extremely mature preventive and detective controls, your organization should still put processes in place to respond to and mitigate the potential impact of security incidents. The architecture of your workload strongly affects the ability of your teams to operate effectively during an incident, to isolate or contain systems, and to restore operations to a known good state. Putting in place the tools and access ahead of a security incident, then routinely practicing incident response through game days, will help you ensure that your architecture can accommodate timely investigation and recovery.
In AWS, the following practices facilitate effective incident response:
Detailed logging is available that contains important content, such as file access and changes.
Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs.
You can pre-provision tooling and a “clean room” using AWS CloudFormation. This allows you to carry out forensics in a safe, isolated environment.
SEC 11: How do you respond to an incident?
Preparation is critical to timely investigation and response to security incidents to help minimize potential disruption to your organization.
Ensure that you have a way to quickly grant access for your InfoSec team, and automate the isolation of instances as well as the capturing of data and state for forensics.
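The automated isolation and evidence capture described above, as an added example that is not AWS's own code: it assumes boto3, a pre-created deny-all isolation security group (the ID is a placeholder), and that the instance is left running so volatile state survives; the EC2 client is injected so the plan can be checked offline before it is run against an account.

```python
"""Automated EC2 isolation and evidence capture (added example, not AWS code).
Assumed (not from the page): a deny-all isolation security group already
exists (ISOLATION_SG is a placeholder id), and the caller holds ec2:Describe*,
ModifyInstanceAttribute, CreateSnapshot and CreateTags permissions. The EC2
client is injected so the plan can be exercised offline with a fake client."""
from datetime import datetime, timezone

ISOLATION_SG = "sg-ISOLATION-PLACEHOLDER"  # replace with your account's deny-all SG


def isolation_plan(instance):
    """Return the list of (ec2 action, params) needed to quarantine one
    instance, from a describe_instances() Instances[] entry, so the plan
    can be logged or reviewed before anything is changed."""
    iid = instance["InstanceId"]
    plan = []
    # 1. Cut network access by swapping every security group for the isolation
    #    SG. The instance keeps running, so memory and process state survive.
    plan.append(("modify_instance_attribute",
                 {"InstanceId": iid, "Groups": [ISOLATION_SG]}))
    # 2. Snapshot each attached EBS volume for analysis in the clean room.
    for mapping in instance.get("BlockDeviceMappings", []):
        vol = mapping.get("Ebs", {}).get("VolumeId")
        if vol:
            plan.append(("create_snapshot", {
                "VolumeId": vol,
                "Description": f"IR evidence {iid} {mapping['DeviceName']}"}))
    # 3. Tag the instance so responders and automation see it is quarantined.
    plan.append(("create_tags", {
        "Resources": [iid],
        "Tags": [{"Key": "IncidentStatus", "Value": "quarantined"},
                 {"Key": "IsolatedAt",
                  "Value": datetime.now(timezone.utc).isoformat()}]}))
    return plan


def isolate_instance(ec2, instance_id):
    """Look up the instance and run the plan against the injected client."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    plan = isolation_plan(instance)
    for action, params in plan:
        getattr(ec2, action)(**params)
    return plan


if __name__ == "__main__":
    import boto3  # only needed when run for real against an AWS account
    for action, params in isolate_instance(boto3.client("ec2"), "i-PLACEHOLDER"):
        print(action, params)
```

Wire `isolate_instance` to an EventBridge or GuardDuty finding via Lambda to get the automatic response the practice calls for, and grant the function only the four EC2 permissions listed in the docstring.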