Data protection in Accelerate - AMS Accelerate User Guide

Data protection in Accelerate

AMS Accelerate leverages native AWS services such as Amazon GuardDuty, Amazon Macie (optionally), and other internal proprietary tools and processes, to continuously monitor your managed accounts. After an alarm triggers, AMS Accelerate assumes responsibility for the initial triage and response to the alarm. AMS response processes are based on NIST standards. AMS Accelerate regularly tests response processes using Security Incident Response Simulation with you to align your workflow with existing customer security response programs.

When AMS Accelerate detects a violation, or imminent threat of a violation, of AWS or your security policies, Accelerate gathers information, including impacted resources and any configuration-related changes. AMS Accelerate provides 24/7/365 follow-the-sun support with dedicated operators that actively review and investigate monitoring dashboards, incident queues, and service requests across all of your managed accounts. Accelerate investigates the findings with internal security experts to analyze the activity and notify you through the security escalation contacts listed in your account.

Based on the findings, Accelerate proactively engages with you. If you find that the activity is unauthorized or suspicious, AMS works with you to investigate and remediate or contain the issue. There are certain finding types generated by GuardDuty that require you to confirm the impact before Accelerate takes any action. For example, the GuardDuty finding type UnauthorizedAccess:IAMUser/ConsoleLogin, indicates that one of your users has logged in from an unusual location; AMS notifies you and asks that you review the finding to confirm if this behavior is legitimate.

Monitor with Amazon Macie

AMS Accelerate supports, and it's a best practice to use, Amazon Macie to detect a large and comprehensive list of sensitive data, such as personal health information (PHI), personally identifiable information (PII), and financial data.

You can configure Macie to run periodically on any Amazon S3 bucket. This automates the evaluation of new or modified objects within a bucket over time. As security findings are generated, AMS notifies you and works with you to remediate findings as needed.

For more information, see Analyzing Amazon Macie findings.

Monitor with GuardDuty

GuardDuty is a continuous security monitoring service that uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This might include issues such as escalations of privileges, use of exposed credentials, or communication with malicious IP addresses, or domains. GuardDuty monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, instances deployed in a, AWS Region you've never used. GuardDuty also detects unusual API calls, such as a password policy change to reduce password strength. For more information, see the GuardDuty User Guide.

To view and analyze your GuardDuty findings, complete the following steps:

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. Choose Findings, and then select a specific finding to view details. The details for each finding differ depending on the finding type, resources involved, and nature of the activity.

For more information on available finding fields, see GuardDuty finding details.

Use GuardDuty suppression rules to filter findings

A suppression rule is a set of criteria that consists of a filter attribute paired with a value. You can use suppression rules to filter low-value findings that you don't intend to act on, such as false positive findings, or known activities. Filtering your findings helps make it easier to recognize the security threats that might have the most impact to your environment.

To filter findings, suppression rules automatically archive new findings that match your specified criteria. Archived findings aren't sent to AWS Security Hub, Amazon S3, or CloudTrail Events. So, suppression filters reduce unactionable data if you consume GuardDuty findings through Security Hub or a third-party SIEM alerting and ticketing application.

AMS has a defined set of criteria to identify suppression rules for your managed accounts. When a managed account meets this criteria, AMS applies the filters and creates a service request (SR) to you that details the deployed suppression filter.

You can communicate with AMS through an SR to modify or revert the suppression filters.

View archived findings

GuardDuty continues to generate findings even when those findings match your suppression rules. Suppressed findings are marked as archived. GuardDuty stores archived finding for 90-days. You can view archived findings in the GuardDuty console for those 90 days by selecting Archived from the findings table. Or, view archived findings through the GuardDuty API using the ListFindings API with a findingCriteria of service.archived equal to true.

Common use cases for suppression rules

The following finding types have common use cases for applying suppression rules.

  • Recon:EC2/Portscan: Use a suppression rule to automatically archive findings when using an authorized vulnerability scanner.

  • UnauthorizedAccess:EC2/SSHBruteForce: Use a suppression rule to automatically archive findings when it is targeted to bastion instances.

  • Recon:EC2/PortProbeUnprotectedPort: Use a suppression rule to automatically archive findings when it is targeted to intentionally exposed instances.

Monitor with Amazon Route 53 Resolver DNS Firewall

Amazon Route 53 Resolver responds recursively to DNS queries from AWS resources for public records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones, and is available by default in all VPCs. With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. For more information, see Using DNS Firewall to filter outbound DNS traffic.

To view and manage your Route 53 Resolver DNS Firewall configuration, use the following procedure:

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Under DNS Firewall, choose Rule groups.

  3. Review, edit, or delete your existing configuration, or create a new rule group. For more information, see How Route 53 Resolver DNS Firewall works.

Amazon Route 53 Resolver DNS Firewall monitoring and security

Amazon Route 53 DNS Firewall uses the concepts of rule associations, rule action, and rule evaluation priority. A domain list is a reusable set of domain specifications that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domain lists that are used in the rules. If DNS Firewall finds a match, then it handles the DNS query according to the matching rule's action. For more information about rule groups and rules, see DNS Firewall rule groups and rules.

Domain lists fall into two main categories:

  • Managed domain lists, that AWS creates and maintains for you.

  • Your own domain lists, that you create and maintain.

Rule groups are evaluated based on their association priority index.

By default, AMS deploys a baseline configuration that consists of the following rule and rule group:

  • One rule group named DefaultSecurityMonitoringRule. The rule group has the highest association priority that's available at the time of creation for each existing VPC in each enabled AWS Region.

  • One rule named DefaultSecurityMonitoringRule with priority 1 within the DefaultSecurityMonitoringRule rule group, using the AWSManagedDomainsAggregateThreatList Managed Domain list with action ALERT.

If you have an existing configuration, then the baseline configuration is deployed with lower priority than your existing configuration. So, your pre-configured behavior is the default configuration. You can use the AMS baseline configuration as a catch-all if your configuration doesn't provide a higher priority instruction on how to handle query resolution. To alter or remove the default configuration, contact your Cloud Service Delivery Manager (CSDM), Cloud Architect (CA), create a Request For Change (RFC) Management | Other | Other | Create CT (ct-1e1xtak34nx76) template, create a Service Request. If your account is operated in Developer mode or Direct Change mode, then you can perform the changes yourself.

Data encryption in AMS Accelerate

AMS Accelerate uses several AWS services for data encryption.

Amazon Simple Storage Service offers several object encryption options that protect data in transit and at rest. Server-side encryption encrypts your object before saving it on disks in its data centers and then decrypts it when you download the objects. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For more information, see Data protection in Amazon S3.