Summary of preparation items - AWS Security Incident Response Guide

Summary of preparation items

Thorough preparation for responding to security events is critical for timely and effective incident response. Incident response preparation involves people, processes, and technology, and all three domains matter equally. Prepare and evolve your incident response program across all three.

Table 2 summarizes the preparation items detailed in this section.

Table 2 – Incident response preparation items

Domain Preparation item Action items
People Define roles and responsibilities.
  • Identify relevant incident response stakeholders.

  • Develop a responsible, accountable, informed, consulted (RACI) chart for an incident.

People Train incident response staff on AWS.
  • Train incident response stakeholders on AWS foundations.

  • Train incident response stakeholders on AWS security and monitoring services.

  • Train incident response stakeholders on your AWS environment and how it is architected.

People Understand AWS support options.
  • Understand the differences between AWS Support, the Customer Incident Response Team (CIRT), the DDoS Response Team (DRT), and AWS Managed Services (AMS).

  • Understand the triage and escalation path for reaching the CIRT during an active security event, if needed.

Process Develop an incident response plan.
  • Create a high-level document that defines your incident response program and strategy.

  • Include a RACI chart, a communication plan, incident definitions, and the phases of incident response in the incident response plan.

Process Document and centralize architecture diagrams.
  • Document how your AWS environment is configured: account structure, service usage, IAM patterns, and other core aspects of your AWS configuration.

  • Develop architecture diagrams of your cloud architectures.

Process Develop incident response playbooks.
  • Create a template for the structure of your playbooks.

  • Build playbooks for expected security events.

  • Build playbooks for known security alerts, such as GuardDuty findings.

Process Run regular simulations.
  • Develop a regular cadence to run incident simulations.

  • Use the outputs and lessons learned to iterate on your incident response program.

Technology Develop AWS account structure.
  • Plan an account structure for how workloads are separated by AWS accounts.

  • Create a security OU with a security tooling and log archival account.

  • Create a forensics OU with forensics accounts for each Region in which you operate.

Technology Develop and implement a tagging strategy that helps responders identify ownership and context for findings.
  • Plan a tagging strategy and decide which tags you want associated with your AWS resources.

  • Implement and enforce the tagging strategy.

Technology Update AWS account contact information.
  • Verify that each AWS account has contact information listed.

  • Create email distribution lists for the contact information to remove single points of failure.

  • Protect the email accounts that are associated with the AWS account information.

Technology Prepare access to AWS accounts.
  • Define what access incident responders will require to respond to an incident.

  • Implement, test, and monitor the access.

Technology Understand the threat landscape.
  • Develop threat models of your environment and applications.

  • Integrate and use cyber threat intelligence.

Technology Select and set up logs.
  • Identify and enable logs for investigations.

  • Select log storage.

  • Identify and implement log retention.

  • Develop a mechanism to retrieve and query logs and artifacts.

  • Use logs for alerting.

Technology Develop forensics capabilities.
  • Identify artifacts required for forensics collection.

  • Capture and secure backups of key systems.

  • Define mechanisms for analysis of identified logs and artifacts.

  • Implement automation for forensics analysis.

An iterative approach is recommended for incident response preparation. Not all of these preparation items can be done overnight; create a plan to start small and continuously improve your incident response capabilities over time.