Automating Incident Prevention and Response in AWS

AJ Yawn, Principal, SOC Practice, Coalfire

Information security incidents can cause reputational damage, financial loss, or loss of system functionality for any organization at any time. Because threats and attack vectors are multiplying rapidly, organizations must be prepared to respond to incidents in near real time, and the incident response (IR) process must be able to detect both common attack vectors and the common misconfigurations that can lead to an incident. Effective IR is vital to the security of any organization and is also a critical process evaluated in compliance assessments such as FedRAMP, SOC and SSAE 18, ISO, HITRUST, and PCI DSS.

Organizations hosted on Amazon Web Services (AWS) can leverage several security and management features to automate components of their IR process. The key benefit of automation is a shorter interval between detection of an incident and the organization's response. Automating detection and analysis can also prevent incidents from occurring at all, by continuously evaluating system configurations for security misconfigurations and correcting them as they appear. By combining AWS CloudTrail, Amazon CloudWatch (including CloudWatch Events, now Amazon EventBridge), AWS Config, and AWS Lambda, organizations can continuously monitor their AWS infrastructure for basic security configurations and correct potential issues (e.g., public read/write access allowed on a sensitive Simple Storage Service [S3] bucket) before they result in a security incident.

The National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide, describes four key phases of the IR handling process:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

AWS Services can be integrated into the four phases to automate the IR process for common security events. While the first and last phases are out of the scope of this blog, it is imperative that these phases are considered and implemented when developing IR plans.

The second phase, Detection and Analysis, can be covered by combining AWS CloudTrail, Amazon CloudWatch, and AWS Config.

AWS CloudTrail records the API calls made in an AWS account, which lets organizations log, continuously monitor, and retain account activity across their AWS infrastructure and simplifies evidence collection for compliance. One caveat: by default CloudTrail records management (control-plane) events such as PutBucketAcl or PutBucketPolicy; object-level S3 data events (GetObject, PutObject) must be enabled separately and are billed separately. CloudTrail integrates with Amazon CloudWatch in two ways: a trail can deliver its events to a CloudWatch Logs log group, where metric filters and alarms fire when specified API calls exceed a threshold, and CloudWatch Events (now Amazon EventBridge) rules can match individual API calls and invoke a target directly. Either way, activity that could indicate an incident is detected and security administrators are notified. CloudTrail delivery is measured in minutes rather than seconds, so this is near real time, not real time.

AWS Config adds a second layer of logging and analysis. It continuously records the configuration of supported AWS resources and evaluates them against rules, so organizations can assess, audit, and evaluate resources as they change. AWS provides managed rules for common security checks, and organizations can write custom rules (backed by Lambda functions) that encode internal best practices. AWS Config integrates with CloudTrail and CloudWatch as well: each recorded configuration change is correlated with the CloudTrail event that caused it, and a CloudWatch Events rule can match the compliance-change notification AWS Config emits when a resource becomes non-compliant with a configured rule.

With CloudTrail, CloudWatch, and AWS Config together, organizations can detect and analyze potential incidents as they happen. The rest of this post shows how these services can be set up to prevent a commonly publicized kind of data leak: public read/write access to S3 buckets.
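As an added illustration of the CloudTrail-to-CloudWatch detection path just described (this is example code written for this page, not code from the original post or from AWS), the block below runs detection logic over a batch of CloudTrail records and flags the S3 API calls that can open a bucket to the public. The eventSource, eventName, requestParameters and userIdentity fields are standard CloudTrail record fields; the exact layout of requestParameters for PutBucketAcl and PutBucketPolicy is assumed from observed records, and the sample records at the bottom are constructed, not real log output. The metric-filter string shows the equivalent coarse CloudWatch Logs pattern that would raise an alarm.

```python
"""Detection logic over CloudTrail records: flag S3 API calls that can open a
bucket to the public (the CloudTrail-to-CloudWatch detection path above).

Added example, not code from the original post. eventSource, eventName,
requestParameters and userIdentity are standard CloudTrail record fields; the
exact layout of requestParameters for PutBucketAcl/PutBucketPolicy is assumed
from observed records, and the sample records at the bottom are constructed.
"""
import json

# Equivalent CloudWatch Logs metric filter for the CloudTrail log group, usable
# as a coarse alarm trigger; classify() below is the finer check a Lambda
# subscribed to that log group would run.
METRIC_FILTER = ('{ ($.eventSource = "s3.amazonaws.com") && '
                 '(($.eventName = "PutBucketAcl") || ($.eventName = "PutBucketPolicy") '
                 '|| ($.eventName = "DeletePublicAccessBlock")) }')

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _as_list(value):
    """Accept either a scalar or a list, since record shapes vary."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def acl_is_public(params):
    """True for a public canned ACL or an explicit grant to AllUsers/AuthenticatedUsers."""
    if any(a in PUBLIC_CANNED_ACLS for a in _as_list(params.get("x-amz-acl"))):
        return True
    grants = _as_list(params.get("AccessControlPolicy", {})
                      .get("AccessControlList", {}).get("Grant"))
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) for g in grants)


def policy_is_public(params):
    """True if any Allow statement has a wildcard principal and no Condition."""
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):
        policy = json.loads(policy)
    for stmt in _as_list((policy or {}).get("Statement")):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            return True
    return False


def classify(record):
    """Return a finding for an exposing S3 call, or None for benign records."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return None
    name, params = record.get("eventName"), record.get("requestParameters") or {}
    if name == "PutBucketAcl" and acl_is_public(params):
        reason = "public ACL grant"
    elif name == "PutBucketPolicy" and policy_is_public(params):
        reason = "bucket policy allows a wildcard principal"
    elif name == "DeletePublicAccessBlock":
        reason = "Block Public Access guardrail removed"
    else:
        return None
    return {"bucket": params.get("bucketName"), "eventName": name, "reason": reason,
            "actor": record.get("userIdentity", {}).get("arn"),
            "time": record.get("eventTime")}


def scan(records):
    """Run classify() over a batch of CloudTrail records and keep the findings."""
    return [f for f in map(classify, records) if f]


# Constructed sample records, not real CloudTrail output.
_ACTOR = {"arn": "arn:aws:iam::123456789012:user/dev"}
SAMPLE_RECORDS = [
    {"eventTime": "2019-03-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "userIdentity": _ACTOR,
     "requestParameters": {"bucketName": "customer-exports", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"URI": ALL_USERS, "xsi:type": "Group"},
                                          "Permission": "READ"}]}}}},
    {"eventTime": "2019-03-01T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "userIdentity": _ACTOR,
     "requestParameters": {"bucketName": "internal-logs", "x-amz-acl": ["private"]}},
    {"eventTime": "2019-03-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"bucketName": "customer-exports", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                                                 "Action": "s3:GetObject",
                                                 "Resource": "arn:aws:s3:::customer-exports/*"}]}}},
    {"eventTime": "2019-03-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"bucketName": "internal-logs", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                                                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                                                 "Action": "s3:GetObject",
                                                 "Resource": "arn:aws:s3:::internal-logs/*"}]}}},
    {"eventTime": "2019-03-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeletePublicAccessBlock", "userIdentity": _ACTOR,
     "requestParameters": {"bucketName": "customer-exports"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run against the constructed batch, scan() reports three findings, all on customer-exports: the AllUsers ACL grant, the wildcard-principal bucket policy, and the removal of Block Public Access. The private ACL and the role-scoped policy on internal-logs are not reported. Note that DeletePublicAccessBlock is flagged unconditionally: it removes the guardrail rather than exposing data by itself, but it is exactly the call that precedes the other two in a real exposure.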

The next phase in the NIST process is Containment, Eradication, and Recovery. The detection services above can invoke AWS Lambda functions as targets, and each function can respond to a specific CloudWatch alarm or event with a specific, scripted action. A Lambda function can itself change security permissions, IAM roles, security groups, and resource configurations through the AWS APIs; it can drive software patching, application patching, and kernel updates on instances only indirectly, by calling AWS Systems Manager (Run Command or Patch Manager), since Lambda does not log in to instances. In this way eradication and recovery happen together: the exposure is removed from the environment and the affected resource is returned to its intended state. The function should capture the offending configuration before changing it, so that the Post-Incident Activity phase has evidence of what was actually found. The use case below explains how these services can prevent a significant, and unfortunately common, security incident from occurring.

Common Use Case

Potential security incident: Exposure of sensitive customer data.

Example attack vector: Public read/write access enabled on S3 buckets housing sensitive customer data.

Elimination of attack vector through automation: AWS Config is enabled in your AWS account with the managed rules s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited evaluating every S3 bucket. A CloudWatch Events (EventBridge) rule matches the Config compliance-change notification for these rules when a bucket becomes NON_COMPLIANT and invokes an AWS Lambda function. The function reverts the bucket to non-public access (for example by enabling S3 Block Public Access on the bucket and resetting its ACL to private) and then publishes a summary of the non-compliant rule and the actions taken to an Amazon Simple Notification Service (SNS) topic that emails your security team. Two points a practitioner should check: the Lambda execution role should carry only the S3 and SNS permissions the function actually calls (s3:GetBucketAcl, s3:GetBucketPolicy, s3:PutBucketAcl, s3:PutBucketPublicAccessBlock, sns:Publish), and the function should record the offending ACL or policy before reverting it. AWS Config rules can alternatively be given a built-in remediation action (a Systems Manager Automation document) instead of a custom Lambda function, and since late 2018 the same outcome can be enforced preventively with account-level S3 Block Public Access; the Config-driven remediation then serves as a detective control for buckets or accounts where that setting has been relaxed.
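To make the Containment, Eradication, and Recovery step and this use case concrete, here is an added example of the Lambda handler side: it is written for this page and is not the original post's code nor the CloudFormation-deployed function from the AWS Security Blog. It assumes the CloudWatch Events / EventBridge "Config Rules Compliance Change" event carries detail.configRuleName, detail.resourceType, detail.resourceId and detail.newEvaluationResult.complianceType, and that the S3 client exposes the boto3 method names used (get_bucket_acl, get_bucket_policy, put_public_access_block, put_bucket_acl). A FakeS3 stand-in and a constructed event are included so the handler runs offline; lambda_handler is the real entry point and wires in boto3 and an SNS topic taken from a TOPIC_ARN environment variable (an assumption of this example).

```python
"""Remediation for an AWS Config compliance-change event on an S3 bucket.

Added example; not the original post's or the AWS Security Blog's code. Assumptions:
the CloudWatch Events / EventBridge "Config Rules Compliance Change" event carries
detail.configRuleName, detail.resourceType, detail.resourceId and
detail.newEvaluationResult.complianceType; the S3 client exposes the boto3 method
names used below; TOPIC_ARN is set in the Lambda environment. FakeS3 stands in
for boto3 so the handler runs offline.
"""
import json

REMEDIATED_RULES = {"s3-bucket-public-read-prohibited",
                    "s3-bucket-public-write-prohibited"}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def handler(event, s3, publish=None):
    """Revert public access on the flagged bucket; return (and optionally
    publish) a summary for the security team."""
    detail = event.get("detail", {})
    rule, bucket = detail.get("configRuleName"), detail.get("resourceId")
    compliance = detail.get("newEvaluationResult", {}).get("complianceType")
    if (detail.get("resourceType") != "AWS::S3::Bucket" or rule not in REMEDIATED_RULES
            or compliance != "NON_COMPLIANT"):
        return {"bucket": bucket, "rule": rule, "action": "ignored"}

    # Capture the offending configuration first: post-incident review needs the
    # state as found, not the state after it was fixed.
    evidence = {"acl": s3.get_bucket_acl(Bucket=bucket)["Grants"]}
    try:
        evidence["policy"] = json.loads(s3.get_bucket_policy(Bucket=bucket)["Policy"])
    except Exception:  # boto3 raises ClientError(NoSuchBucketPolicy) when absent
        evidence["policy"] = None

    # Block Public Access neutralises public ACLs and wildcard-principal policy
    # statements; resetting the ACL removes the grants themselves. The policy is
    # left in place for human review so legitimate cross-account access is not cut.
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL)
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    summary = {"bucket": bucket, "rule": rule, "action": "remediated",
               "changes": ["PutPublicAccessBlock(all four settings on)",
                           "PutBucketAcl(private)"],
               "evidence": evidence}
    if publish:
        publish(json.dumps(summary, indent=2, default=str))
    return summary


def lambda_handler(event, context):
    """Real entry point: wire boto3 clients in (not exercised offline)."""
    import os
    import boto3  # assumption: TOPIC_ARN is set in the function environment
    sns = boto3.client("sns")
    return handler(event, boto3.client("s3"),
                   publish=lambda msg: sns.publish(TopicArn=os.environ["TOPIC_ARN"],
                                                   Message=msg))


class FakeS3:
    """In-memory stand-in implementing only the calls the handler makes."""
    ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

    def __init__(self, public=True, policy=None):
        self.grants = ([{"Grantee": {"Type": "Group", "URI": self.ALL_USERS},
                         "Permission": "READ"}] if public else [])
        self.policy, self.block, self.calls = policy, None, []

    def get_bucket_acl(self, Bucket):
        return {"Grants": list(self.grants)}

    def get_bucket_policy(self, Bucket):
        if self.policy is None:
            raise RuntimeError("NoSuchBucketPolicy")
        return {"Policy": self.policy}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.block = dict(PublicAccessBlockConfiguration)
        self.calls.append("put_public_access_block")

    def put_bucket_acl(self, Bucket, ACL):
        self.grants = []  # "private" keeps only the owner's FULL_CONTROL grant
        self.calls.append("put_bucket_acl:" + ACL)


# Constructed event in the Config compliance-change shape (not a real AWS event).
SAMPLE_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "account": "123456789012", "region": "us-east-1",
    "detail": {"resourceType": "AWS::S3::Bucket", "resourceId": "customer-exports",
               "configRuleName": "s3-bucket-public-read-prohibited",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}


def run_offline():
    """Drive the handler against the fake client; returns (summary, fake)."""
    fake = FakeS3(public=True)
    return handler(SAMPLE_EVENT, fake, publish=lambda msg: None), fake


if __name__ == "__main__":
    print(json.dumps(run_offline()[0], indent=2))
```

The handler ignores anything that is not a NON_COMPLIANT evaluation of one of the two S3 rules, so a COMPLIANT transition (which Config also emits) never triggers a write. The evidence captured before remediation is what goes into the SNS summary, which is the artifact the security team will want for the post-incident review. The execution role for this function needs only s3:GetBucketAcl, s3:GetBucketPolicy, s3:PutBucketAcl, s3:PutBucketPublicAccessBlock and sns:Publish on the one topic.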

There is an AWS Security Blog post that provides step-by-step instructions and a CloudFormation template to configure resources for this specific use case at this link:

Real-world examples of this kind of exposure:

FedEx S3 Bucket Exposes Private Details on Thousands Worldwide

Pentagon exposed some of its data on Amazon server

Amazon S3 Bucket Exposed GoDaddy Server Information


Implementing solutions to detect, analyze, eradicate, and recover from potential policy violations, data breaches, active intrusions, and other incidents is vital to any IR program. Automating those steps with AWS services can shorten the time from detection to response, and a misconfiguration caught and reverted within minutes is far less likely to become a reportable breach. Coalfire has a team of experienced cybersecurity advisors who can discuss the benefits of these AWS services and how to incorporate them into an organization's established IR process.

