Part 4: Detective Controls in AWS
By Neha Thethi, Information Security Analyst, BH Consulting
Security controls can be either technical or administrative. A layered security approach to protecting an organization’s information assets and infrastructure should include preventative controls, detective controls and corrective controls.
Preventative controls exist to prevent the threat from coming in contact with the weakness. Detective controls exist to identify that the threat has landed in our systems. Corrective controls exist to mitigate or lessen the effects of the threat being manifested.
This post relates to detective controls within AWS Cloud. It’s the fourth in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.
Detective controls in AWS Cloud
AWS detective controls include processing of logs and monitoring of events that allow for auditing, automated analysis, and alarming.
These controls can be implemented using AWS CloudTrail logs to record AWS API calls, Service-specific logs (for Amazon S3, Amazon CloudFront, CloudWatch logs, VPC flow logs, ELB logs, etc) and AWS Config to maintain a detailed inventory of AWS resources and configuration. Amazon CloudWatch is a monitoring service for AWS resources and can be used to trigger CloudWatch events to automate security responses. Another useful tool is Amazon GuardDuty which is a managed threat detection service in AWS and continuously monitors for malicious or unauthorized.
Security event logging is crucial for detecting security threats or incidents. Security teams should produce, keep and regularly review event logs that record user activities, exceptions, faults and information security events. They should collect logs centrally and automatically analysed to detect suspicious behavior. Automated alerts can monitor key metrics and events related to security. It is critical to analyse logs in a timely manner to identify and respond to potential security incidents. In addition, logs are indispensable for forensic investigations.
The challenge of managing logs
However, managing logs can be a challenge. AWS makes log management easier to implement by providing the ability to deﬁne a data-retention lifecycle or deﬁne where data will be preserved, archived, or eventually deleted. This makes predictable and reliable data handling simpler and more cost-eﬀective.
The following list recommends use of AWS Trusted Advisor for detecting security threats within the AWS environment. It covers collection, aggregation, analysis, monitoring and retention of logs, and, monitoring security events and billing to detect unusual activity.
- Are you using Trusted Advisor?
- How are you capturing and storing logs?
- How are you analyzing logs?
- How are you retaining logs?
- How are you receiving notification and alerts?
- How are you monitoring billing in your AWS account(s)?
|1. Are you using Trusted Advisor?||
|2. How are you capturing and storing logs?||
|3. How are you analyzing logs?||
|4. How are you retaining logs?||
|5. How are you receiving notification and alerts?||
|6. How are you monitoring billing in your AWS account(s)?||
Refer to the following AWS resources for more details:
- AWS Well-Architected Framework
- What is Amazon CloudWatch Logs?
- Definition of Preventative Controls, Detective Controls and Corrective Controls – Fundamentals of Information Systems Security (David Kim, Michael G. Solomon)
Next up in the blog series, is Part 5 – Incident Response in AWS – best practice checklist. Stay tuned. Let us know in the comments below if we have missed anything in our checklist!
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only.