AWS Cloud Operations Blog

Best practices to respond to security risks across AWS Organizations

Responding to security findings is important for maintaining the security posture of your Amazon Web Services (AWS) environment. By promptly addressing identified vulnerabilities, misconfigurations, or potential threats, you can mitigate risks, protect your data and resources, and help ensure compliance with industry standards and regulatory requirements. As shown in Image 1, effective incident response follows a systematic approach of identifying, detecting, investigating, prioritizing, and resolving security findings. By analyzing these incidents and implementing preventive measures based on past findings, organizations can continuously strengthen their security posture and reduce future vulnerabilities.

Image 1: Lifecycle of security risk management

This post is the final part of a four-part series. In the three posts we recently published, we provided guidance for identifying risks across AWS resources, protecting your AWS resources, and centrally detecting security findings across your multi-account environment. The guidance in those posts helps you prepare to manage the security risks in your organization centrally, with practical examples aligned to the AWS Security Reference Architecture (AWS SRA). In this final part, we explore how, after implementing a strategy to identify security findings across your AWS environment, you can prioritize and respond to them and implement automated controls efficiently, so that you can promptly address potential vulnerabilities and maintain a robust security posture. You’ll learn how to implement these remediation actions across your multi-account environment at scale.

Prerequisites

For this post, you must be familiar with AWS Organizations and multi-account strategy concepts.

The following prerequisites are optional. By implementing these two items, you can effectively implement and manage the security controls outlined in this post; or you can proceed without them and adapt the guidance to your specific environment.

Walkthrough

This walkthrough demonstrates how to build an effective incident response strategy using Security Hub to prioritize findings, Amazon EventBridge to automate responses, and AWS Systems Manager runbooks to remediate issues. We’ll show you how these services work together through a practical example of responding to security findings across your environment.

Prioritize identified security findings using Security Hub

Security Hub provides a consolidated view of security and compliance findings across multiple AWS accounts, integrating data from services such as AWS Config, Amazon GuardDuty, and Amazon Inspector. This centralized approach facilitates efficient prioritization and management of security concerns across your AWS infrastructure.

To manage security findings effectively, establish filters in Security Hub that align with your security requirements, for example by aggregating findings from key investigation services such as GuardDuty, Amazon Inspector, AWS Config, and Amazon Detective. Use Security Hub to prioritize findings by severity classification, handling critical and high severity items first, combined with resource type filtering to target specific resources such as Amazon Elastic Compute Cloud (Amazon EC2) instances and Amazon Simple Storage Service (Amazon S3) buckets. Sorting findings by severity and most recent update highlights the most urgent issues in your environment.

Security Hub enhances security operations using automation rules, which process and update findings automatically as they’re ingested. Through these automation capabilities, Security Hub can run various actions on findings, including suppression, severity level adjustments, and note additions. This systematic approach helps you streamline security workflows, maintain consistency in how security issues are handled, and improve operational efficiency for security teams.
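The prioritization described above, as an added example that is not from the original post: the Filters and SortCriteria you would pass to the Security Hub get_findings API (the block builds them but does not call AWS), plus the same ordering applied locally to findings already fetched. The sample findings are constructed.

```python
# Added example (not part of the original post): the selection the post
# describes, as the Filters/SortCriteria you would pass to
# securityhub.get_findings(), plus the same ordering applied locally to
# findings already fetched. The sample findings are constructed.
from datetime import datetime

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
DEFAULT_LABELS = ("CRITICAL", "HIGH")
DEFAULT_TYPES = ("AwsEc2Instance", "AwsS3Bucket")

def priority_filters(labels=DEFAULT_LABELS, resource_types=DEFAULT_TYPES):
    """Filters limited to active, unresolved findings of the chosen severity
    on the chosen resource types; sort most severe and most recent first."""
    eq = lambda values: [{"Value": v, "Comparison": "EQUALS"} for v in values]
    filters = {
        "SeverityLabel": eq(labels),
        "ResourceType": eq(resource_types),
        "RecordState": eq(["ACTIVE"]),
        "WorkflowStatus": eq(["NEW", "NOTIFIED"]),
    }
    sort = [{"Field": "SeverityLabel", "SortOrder": "desc"},
            {"Field": "UpdatedAt", "SortOrder": "desc"}]
    return filters, sort

def prioritize(findings, labels=DEFAULT_LABELS, resource_types=DEFAULT_TYPES):
    """Apply the same selection to ASFF findings in hand and return them
    most urgent first (severity rank, then most recently updated)."""
    def wanted(f):
        return (f["Severity"]["Label"] in labels
                and f.get("RecordState", "ACTIVE") == "ACTIVE"
                and any(r["Type"] in resource_types for r in f["Resources"]))
    def urgency(f):
        updated = datetime.fromisoformat(f["UpdatedAt"].replace("Z", "+00:00"))
        return (-SEVERITY_RANK[f["Severity"]["Label"]], -updated.timestamp())
    return sorted(filter(wanted, findings), key=urgency)

def sample_findings():
    """Constructed ASFF-style findings (minimal fields only)."""
    def f(fid, label, rtype, updated):
        return {"Id": fid, "Severity": {"Label": label}, "RecordState": "ACTIVE",
                "Resources": [{"Type": rtype}], "UpdatedAt": updated}
    return [
        f("ec2-high-old", "HIGH", "AwsEc2Instance", "2024-01-01T08:00:00Z"),
        f("s3-critical-old", "CRITICAL", "AwsS3Bucket", "2024-01-01T09:00:00Z"),
        f("s3-medium", "MEDIUM", "AwsS3Bucket", "2024-01-02T09:00:00Z"),
        f("lambda-critical", "CRITICAL", "AwsLambdaFunction", "2024-01-02T10:00:00Z"),
        f("s3-critical-new", "CRITICAL", "AwsS3Bucket", "2024-01-02T07:00:00Z"),
    ]
```

The Lambda finding is dropped by the resource type filter even though it is critical, which is the trade-off of scoping by resource type: widen resource_types when the scope of an investigation grows.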

Build event-driven applications at scale using Amazon EventBridge

Amazon EventBridge is a serverless event bus that you can use to connect applications and services within and across AWS accounts, facilitating the development of event-driven architectures and streamlining process automation. By integrating Amazon EventBridge into your security incident response process, you can effectively centralize event collection, automate remediation actions, and maintain visibility across multiple AWS accounts in a multi-account environment.
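The routing step described above, as an added example that is not from the original post: the EventBridge event pattern that selects critical and high Security Hub findings on S3 buckets for an automated response, together with a small matcher implementing the constant-matching subset of EventBridge pattern rules so the pattern can be checked against a constructed event before the rule is deployed.

```python
# Added example (not part of the original post): an EventBridge event
# pattern for the "Security Hub Findings - Imported" event, whose detail
# carries a "findings" list of ASFF findings, plus a local matcher for the
# constant-matching subset of EventBridge rules (no prefix/numeric/anything-
# but operators). The sample event below is constructed.
PUBLIC_S3_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Severity": {"Label": ["CRITICAL", "HIGH"]},
            "Resources": {"Type": ["AwsS3Bucket"]},
            "RecordState": ["ACTIVE"],
        }
    },
}

def matches(pattern, event):
    """Apply EventBridge constant-matching rules: every pattern key must be
    present in the event, a list in the pattern is the set of accepted
    values, a dict recurses, and where the event holds a list (such as
    detail.findings or Resources) any one element matching is enough."""
    if isinstance(pattern, list):
        values = event if isinstance(event, list) else [event]
        return any(v in pattern for v in values)
    if isinstance(event, list):
        return any(matches(pattern, item) for item in event)
    if not isinstance(pattern, dict) or not isinstance(event, dict):
        return False
    return all(key in event and matches(sub, event[key])
               for key, sub in pattern.items())

def sample_event(label="CRITICAL", resource_type="AwsS3Bucket"):
    """Constructed 'Security Hub Findings - Imported' event, minimal fields."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Severity": {"Label": label},
            "Resources": [{"Type": resource_type, "Id": "arn:aws:s3:::example-bucket"}],
            "RecordState": "ACTIVE",
        }]},
    }
```

Filtering on RecordState keeps archived findings from re-triggering the response when Security Hub re-imports them.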

Remediate non-compliant resources using AWS Systems Manager Automation runbooks

You can use AWS Systems Manager Automation runbooks to remediate non-compliant findings identified by Security Hub. AWS provides a library of predefined automation documents for common remediation tasks such as enabling encryption, configuring security groups, or updating resource configurations. You can use these predefined documents or create your own custom documents based on your use case. You can build, run, and share automation runbooks with others within your organization.

Respond to security incidents

To use an example scenario, let’s say you have identified a critical finding in Security Hub that indicates your S3 buckets across multiple accounts have public access and sensitive data is exposed to the internet. This exposure can lead to unauthorized access of sensitive data stored in your S3 buckets.

The following is an example of how you can approach this incident and follow the best practices for incident response phases:

1. Detect and isolate: Identify the affected S3 buckets and accounts across your organization. Use Security Hub findings, AWS Config managed rules, and AWS CloudTrail logs to gather information about the scope of the incident.

2. Contain and mitigate: Disable public access to the affected S3 buckets as a containment measure. If you have a bucket policy, make sure that it doesn’t allow public access.

3. Automate remediation: You can create a custom Systems Manager Automation document that disables public access using the Amazon S3 Block Public Access feature, updates the bucket policies to deny public access, and applies any other necessary remediation steps. Configure Security Hub to automatically run this Automation document when public access findings are detected.

4. Investigate and analyze: You can review CloudTrail logs and Amazon S3 access logs to conduct a comprehensive investigation to understand the root cause of the incident, identify any potential data exfiltration, and determine the scope of the impact.

5. Notify and communicate: Depending on the nature and severity of the incident, make sure that you establish clear communication channels and follow your organization’s incident response and communication protocols. You can use Amazon SNS to send email notifications when the automation completes or if it encounters any issues. You can set up Amazon CloudWatch alarms to monitor the execution of your automation and alert on failures. You can integrate with AWS Chatbot to send notifications to ChatOps applications such as Microsoft Teams and Slack channels.

6. Implement preventive measures: After remediating the immediate incident, review and strengthen your security controls and processes to prevent similar incidents in the future.

By using this solution, you can mitigate the impact of this security incident, minimize data exposure, and take steps to prevent similar incidents from occurring in the future.
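The containment and remediation logic of steps 2 and 3, as an added example that is not from the original post: a handler of the kind an aws:executeScript step in a custom Systems Manager Automation runbook could run. It turns on S3 Block Public Access and removes unconditional public Allow statements from the bucket policy rather than adding a Deny for Principal "*", which would also lock out the account's own principals; the s3 argument is assumed to be a boto3 S3 client, and with None (as in the offline test) the changes are only computed and reported.

```python
# Added example (not part of the original post): containment for a public
# S3 bucket as a handler an aws:executeScript runbook step could run.
# `s3` is assumed to be a boto3 S3 client; with None only the plan is
# computed. The sample policy is constructed.
import json

BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [   # constructed
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "AccountAdmin", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})

def is_public_principal(principal):
    """'*', {'AWS': '*'} or an AWS list containing '*' means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(stmts):
    """Allow statements open to any principal and carrying no Condition;
    a Condition may still scope access, so those are left for review."""
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal")) and "Condition" not in s]

def remediate_bucket(bucket, policy_json=None, s3=None):
    """Enable all four Block Public Access settings, strip public Allow statements, report."""
    report = {"bucket": bucket, "public_access_block": BLOCK_ALL, "removed": []}
    if s3 is not None:
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    if not policy_json:
        return report
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]   # Statement may be one object
    bad = public_statements(stmts)
    if bad:
        policy["Statement"] = [s for s in stmts if s not in bad]
        report["removed"] = [s.get("Sid", "<no Sid>") for s in bad]
        if s3 is not None and policy["Statement"]:
            s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
        elif s3 is not None:
            s3.delete_bucket_policy(Bucket=bucket)   # an empty Statement list is invalid
    return report
```

The VpcOnly statement is reported nowhere because its Condition may legitimately restrict access; review such statements by hand during the investigation step rather than removing them automatically.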

Automated security response on AWS

AWS provides a solutions library of approved solutions and guidance for business and technical use cases. When it comes to best practices to respond to security risks, you can review the Automated Security Response on AWS (ASR) solution. This is an add-on that works with Security Hub to provide a ready-to-deploy architecture and a library of automated playbooks to resolve common security findings. These predefined responses and remediation actions are based on industry compliance standards and best practices.

Image 2 provides an overview of the serverless solution that you can build using the solution’s implementation guide. You can visit the Automated Security Response on AWS overview page to learn more about the solution.

Image 2: Automated Security Response serverless solution components

The solution creates playbooks that you can use to decide what to deploy in your Security Hub delegated admin account. Each playbook includes all required components, such as custom actions, IAM roles, EventBridge events, and automation workflows, to implement remediation across single or multiple AWS accounts.

Let’s walk through an example showing how this solution works.

1. After you have deployed the solution, sign in to the AWS account that’s the delegated admin for Security Hub. Navigate to the AWS Management Console for Security Hub and choose Findings in the navigation pane to visualize the security issues identified across all accounts within your organization. Select a finding to identify which S3 bucket is affected.

Image 3: Security Hub findings default view

2. Now navigate to the Amazon S3 console and go to the identified S3 bucket. Note that Block all public access is set to Off for this S3 bucket.

Image 4: Amazon S3 block public access settings

3. Next, to remediate, use the following steps:

  • From the AWS Management Console for Security Hub, select the checkbox next to the finding.
  • Choose Actions.
  • Select Remediate with ASR.
  • A message at the top of the page shows whether the remediation was successfully triggered.

Image 5: Remediation with ASR steps

4. After the remediation is successfully triggered, the email address subscribed to the Amazon Simple Notification Service (Amazon SNS) topic will receive a notification that the remediation action has been queued for security control.

Image 6: Sample notification email when remediations are initiated

5. After the remediation is complete, you will receive another email notification that the remediation succeeded.

Image 7: Sample notification email after remediation is successful

6. Verify that the remediation succeeded by navigating to the S3 bucket in the specific account and confirm that Block all public access is now on.

Image 8: Amazon S3 block public access updated settings

AWS Security Incident Response

Recently, AWS announced AWS Security Incident Response, a new service designed to help organizations manage security events quickly and effectively. The service is purpose-built to help customers prepare for, respond to, and recover from various security events, including account takeovers, data breaches, and ransomware attacks. Security Incident Response automates the triage and investigation of security findings from Amazon GuardDuty and integrated third-party threat detection tools through AWS Security Hub. It facilitates communication and coordination and provides 24/7 access to security experts from the AWS Customer Incident Response Team (CIRT) who can assist during security events. The service aims to provide customers with more comprehensive support across the phases of the incident response lifecycle, from preparation to detection, analysis, and recovery.

You can learn more about AWS Security Incident Response by visiting the product page.

Conclusion

In this blog post, we covered a set of AWS services such as AWS Security Hub, AWS Systems Manager, and Amazon EventBridge that you can use with AWS Organizations to respond to security risks across multiple accounts in your organization. By using these services, you can gain a unified view of your security posture and take action to mitigate risks and incidents much faster across your organization. We recommend that you set up the Automated Security Response on AWS solution that helps you quickly address security issues by providing predefined responses and remediation actions based on industry compliance standards and best practices.

We also recommend that you review the other posts in this series:

1. Identify AWS resources at risk across your multi-account environment with AWS Organizations integrations
2. Protect your AWS resources from unauthorized access using AWS Organizations integrations
3. Centrally detect and investigate security findings with AWS Organizations integrations

To learn more about AWS security services, review the Security Learning plan in AWS Skill Builder, or review the Security Incident Response User Guide, and deploy the Automated Security Response solution to remediate some of the security and compliance findings in your AWS environment!

Alex Torres

Alex Torres is a Senior Solutions Architect working with customers in the Media and Entertainment industry. He has worked with hundreds of customers worldwide building their cloud foundational environments and platforms, architecting new workloads, and creating governance strategy for their cloud environments. In his free time, he enjoys rainy days, playing videogames, walks in the mountains with his dogs, and a nice cup of dry cappuccino.

Nivedita Tripathi

Nivedita Tripathi is a Sr. Product Manager, GTM for AWS Organizations. Her focus is on assisting customers with building and scaling their cloud infrastructure across multiple accounts, while utilizing security and governance best practices. Besides her passion for technology, Nivedita enjoys music, traveling the world, and spending time with her family.

Samir Behara

Samir Behara is a Senior Cloud Infrastructure Architect with AWS Professional Services. He is passionate about helping customers accelerate their IT modernization through cloud adoption strategies. Samir has an extensive software engineering background and loves to dive deep into application architectures and development processes to drive performance, operational efficiency, and increase the speed of innovation.