Domain 2 of 6 · Chapter 2 of 2

Responding to Security Events

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.

Included in this chapter:

  • Capture evidence first, in the right order
  • Contain, eradicate, recover, in that order
  • Validate scope and find the root cause
  • Respond to compromised credentials
  • Exam-pattern recognition

Which AWS service for each step of responding to an event

Response stepAmazon GuardDutyAWS Security HubAmazon DetectiveAutomated Forensics Orchestrator
Primary roleDetect the threat and raise the findingAggregate and correlate findings, prioritizeInvestigate scope and root causeCapture and isolate forensic artifacts
Lifecycle phase servedDetection and analysisDetection and analysis (triage)Analysis (scope, RCA)Containment and analysis
Works fromCloudTrail, VPC Flow Logs, DNS logsFindings from GuardDuty, Inspector, Macie, checksBehavior graph from CloudTrail and VPC Flow Logs plus ingested findingsSecurity Hub finding plus Step Functions workflow
ProducesA finding such as InstanceCredentialExfiltrationA prioritized, deduplicated finding inventoryFinding groups and a behavior graph for RCAEBS snapshot and memory image in a forensics account

Decision tree

Evidence preserved yet?memory + EBS snapshotCapture firstmemory, then snapshotWhat is compromised?then actCredentials: which kind?session vs long-term keyRunning EC2 instanceNo-rules SG + deny-all NACLtag quarantineNeed scope / root causeSecurity Hub correlate,Detective behavior graphRevoke sessionsAWSRevokeOlderSessionsinstance-role sessionDelete the keydeactivate + deletelong-term access keyAlways: store evidence write-onceseparate forensics account, S3 Object LockNoYescapture donecredentialslive hostinvestigatesessionkey

Cheat sheet

  • Preserve evidence before you contain or clean up
  • Capture memory before disk
  • Isolate an instance with a no-rules security group plus a deny-all NACL
  • A security group is stateful, so it won't drop an attacker's open session; a NACL will
  • Containment, eradication, and recovery answer three different questions
  • Recovery rebuilds from known-good, it does not un-isolate the compromised host
  • GuardDuty detects, Security Hub aggregates, Detective investigates
  • Use Amazon Detective to validate scope and find the root cause
  • Detective finding groups cluster related findings into one incident
  • Search and correlate logs in Security Hub, build automation there
  • Revoke the role's sessions when instance credentials are used from outside
  • Revoking sessions attaches AWSRevokeOlderSessions keyed on aws:TokenIssueTime
  • A leaked long-term access key is deactivated and deleted, not revoked
  • A compromised root needs password, keys, and MFA all rotated
  • Store forensic evidence in a separate account
  • Lock evidence write-once with S3 Object Lock compliance mode
  • Automated Forensics Orchestrator runs the capture and isolation flow for you
  • Eradication closes the entry point, not just the symptom
  • EventBridge needs kms:GenerateDataKey + kms:Decrypt on the topic key to publish to an encrypted SNS topic
  • A cross-account SNS/SQS subscriber on an encrypted topic must be granted KMS key permissions too
  • Centralized remediation Lambda/runbook must assume a pre-created IAM role in each member account
  • Query CloudTrail logs already in S3 with Amazon Athena to scope an incident fast
  • A CloudTrail Lake organization event data store lets a delegated admin run SQL across all accounts
  • CloudTrail Lake logs management events only until you add advanced event selectors for data events
  • One-year extendable retention reaches ~10 years; constrain queries by eventTime to control cost
  • Import or copy existing S3 trail logs into CloudTrail Lake to investigate past events
  • Use an AWS Config aggregator advanced query to size an org-wide misconfiguration's blast radius
  • AWS Config's configuration timeline links each change to the CloudTrail event and principal that made it
  • A Detective investigation auto-generates a report of IoCs and MITRE ATT&CK TTPs for an IAM user or role
  • Query Systems Manager Inventory (Windows update/registry types) to validate which hosts a finding really affects
  • CloudTrail S3 data events arrive in ~5 minutes; S3 server access logs are best-effort and can lag hours
  • Security Hub/GuardDuty findings carry ASFF resource details you pivot on to find all affected resources
  • Share encrypted EBS snapshots to a forensic account by re-encrypting under a shared customer managed key

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. AWS Security Incident Response Guide Whitepaper
  2. Remediating a potentially compromised Amazon EC2 instance
  3. AWS Backup Vault Lock
  4. AWS service integrations with Security Hub CSPM
  5. What is Amazon Detective?
  6. Analyzing finding groups (Amazon Detective)
  7. Revoke IAM role temporary security credentials