Using Automation as a Response to Incident Response – Incident Response – SCS-C02 Study Guide

Using Automation as a Response to Incident Response

AWS has several tools that allow you to automate security responses, both with and without human intervention.

As you saw in the previous example, using Systems Manager Incident Manager and predefined runbooks allows a team member on the contact list to execute predetermined steps and procedures.

Other options can be executed without the engagement of any team members. These include AWS Lambda and AWS Step Functions.

A Real-Life Example of Automated Incident Response

To put what you have just learned about automated IR into context using a real-life example, you will now automate something discussed earlier in this chapter—a case when AWS access keys get exposed publicly. Using a combination of the Personal Health Dashboard, AWS EventBridge, Lambda Functions, and AWS Step Functions, you can see how an automated response can be created if this happens.

Figure 4.23: Security Incident Response Automation using AWS Step Functions

The following will walk you through the sequence of events referenced in the architectural diagram in Figure 4.23:

  1. The event in this scenario is any access key that is publicly exposed. This can happen if a developer accidentally uploads their credentials to one of the popular code repositories monitored by AWS, such as GitHub.
  2. When this happens, the AWS Health API discovers the key and generates an AWS_RISK_CREDENTIALS_EXPOSED CloudWatch event. At the same time, AWS temporarily limits the API calls that the exposed key can make.
  3. Your AWS EventBridge has already been configured to be on the watch for this event, and the rule is set to start AWS Step Functions if the rule is triggered.
  4. The initial Lambda in the Step Function will access the IAM service and delete the exposed key pair, mitigating any future damage.
  5. The Step Function then moves on to the second Lambda function, which gathers the API activity for that key over a specified period of time (it could be 24 hours, or it could be all the records in the current CloudTrail log file). Those records are then condensed into a summary digest to pass on to the last Lambda function.
  6. The final Lambda function takes the output from the previous function in the Step Function and publishes it as the message to a specified topic using the AWS SNS service. Any administrator subscribed to that topic can quickly read the message to see what activity has happened with the key and know that they will have to create a new key pair to replace the deleted one.
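To make the three Lambda steps concrete, here is an added example (not code from the study guide or from AWS) of the pure-Python logic each step needs, written so it runs offline: the Health event below is a constructed sample, and the `iam` argument stands in for a boto3 IAM client so the deletion step can be exercised with a fake.

```python
from collections import Counter

# Constructed sample of the AWS Health event EventBridge matches on; real
# events carry the exposed access key ID in affectedEntities[].entityValue.
SAMPLE_EVENT = {
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "detail": {
        "eventTypeCode": "AWS_RISK_CREDENTIALS_EXPOSED",
        "affectedEntities": [{"entityValue": "AKIAEXAMPLEEXPOSED00"}],
    },
}

def exposed_key_ids(event):
    """Steps 2-3: pull the exposed access key IDs out of the Health event,
    ignoring any other event type that reaches the state machine."""
    detail = event.get("detail", {})
    if detail.get("eventTypeCode") != "AWS_RISK_CREDENTIALS_EXPOSED":
        return []
    return [e["entityValue"] for e in detail.get("affectedEntities", [])]

def delete_exposed_key(iam, key_id):
    """Step 4: find the owning user, then delete the key. `iam` is a boto3
    IAM client in Lambda (or a fake in tests); both calls are real boto3 IAM
    client methods. Returns the user name for the notification."""
    owner = iam.get_access_key_last_used(AccessKeyId=key_id)["UserName"]
    iam.delete_access_key(UserName=owner, AccessKeyId=key_id)
    return owner

def summarize_activity(records):
    """Step 5: digest CloudTrail records (dicts with eventSource, eventName,
    sourceIPAddress) into per-call counts and the set of source IPs."""
    calls = Counter(f"{r['eventSource']}:{r['eventName']}" for r in records)
    ips = sorted({r["sourceIPAddress"] for r in records})
    return {"total": len(records), "calls": dict(calls), "source_ips": ips}

def build_notification(key_id, owner, digest):
    """Step 6: plain-text body to publish to the SNS topic the admins watch."""
    lines = [f"Access key {key_id} (user {owner}) was exposed and deleted.",
             f"{digest['total']} API calls seen from "
             f"{', '.join(digest['source_ips']) or 'no recorded source'}:"]
    lines += [f"  {call}: {n}" for call, n in sorted(digest["calls"].items())]
    lines.append("Create a replacement key pair for the user.")
    return "\n".join(lines)
```

In the real state machine each function would sit in its own Lambda handler, with `boto3.client("iam")` passed as `iam` and `boto3.client("sns").publish(...)` sending the text that `build_notification` returns.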

You just saw how alerts and automation can be used to respond quickly to an incident without the need for human intervention. You should now feel more confident in your understanding of, and skills in, IR for security incidents within AWS environments.

Summary

This chapter examined the first domain of the AWS Certified Security – Specialty certification: IR. You were given a brief overview of two significant articles published on this topic: the Security Pillar of the Well-Architected Framework and the AWS Incident Response whitepaper.

You learned how to detect events that may need to be addressed by your IR team, both from a logging and an alerting perspective.

You also looked at how using native tools such as AWS Systems Manager can help automate the response when an incident has been detected, contact predefined personnel, and track the progress of the incident. Finally, you saw how different IR operation procedures could be implemented either with human intervention or through automation.

In the next chapter, you will look at another tool used in IR, AWS Config. It can help you become more proactive and show what changes are made to a specific resource.