AWS Certified Security Specialty - SCS-C02 Study notes - Part 2

From Cramsession
Verified Author: Mflavell

Incident Response

See also: AWS WAF

  • Preparation
    • Be ready to detect and respond to incidents
    • Playbooks and runbooks.
    • Automated responses.
    • Focus on a rapid response to incidents.
  • Operations
    • When an incident has occurred.
    • Follow the NIST phases:
      • Detect > Analyze > Contain > Eradicate > Recover
  • Post-incident
    • Understand what happened.
    • Lessons learned.

Containment

AWS recommends defining a containment policy in advance. Containment:

  • Stops or prevents further damage
  • Preserves evidence
  • Takes time to implement
  • May be of uncertain effectiveness
  • May remain effective for an uncertain length of time


Source containment

  • Block traffic from IP address or addresses
  • Can be done using a security group, NACL, or bucket policy
  • Block a specific source port.


Destination containment

  • Removes or isolates the destination
  • Can shut down an instance
  • Detach the instance from an ASG or network.
  • NACL deny rules - contain at the network level


Technique and access containment

  • Limit actions of IAM principals on resources
    • This can involve removing keys
    • Remove previously generated access privileges

Common approach to an infrastructure security incident

  • Capture - Get metadata/logs before making changes.
  • Protect - Prevent the EC2 instance from being terminated while under investigation.
  • Isolate - Modify the security group or update the NACL
  • Detach - Remove from Auto Scaling groups
  • Deregister - Remove from any ELB
  • Snapshot - Take a snapshot of EBS volumes
  • Tag - Use tags to mark the instance for investigation.
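The capture/protect/isolate/detach/deregister/snapshot/tag sequence above, written out as a runbook in Python. This is an added example, not anything from these notes or from AWS; it assumes boto3's EC2, Auto Scaling and ELBv2 clients (the method names used are real boto3 calls), while the instance, volume, target group and case identifiers in the dry run are constructed. The clients are injected so the runbook can be rehearsed offline against a recording stub before it is ever pointed at a real account.

```python
"""EC2 containment runbook expressed as boto3 calls.

Added example, not from the study notes. Assumes standard boto3 EC2,
Auto Scaling and ELBv2 clients, passed in so the same function can be
dry-run offline with RecordingClient (below) and run for real with
boto3.client("ec2"), boto3.client("autoscaling"), boto3.client("elbv2").
"""


def contain_instance(ec2, autoscaling, elbv2, instance_id, case_id, target_group_arns=()):
    """Capture -> protect -> isolate -> detach -> deregister -> snapshot -> tag.

    target_group_arns (assumption: the responder supplies them) lists the load
    balancer target groups the instance is registered with. Returns a dict
    recording what was captured and created, for the case file.
    """
    record = {"instance_id": instance_id, "case_id": case_id}

    # 1. Capture: record the instance's metadata before anything is changed.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    record["captured"] = {
        "vpc_id": inst["VpcId"],
        "security_groups": [g["GroupId"] for g in inst.get("SecurityGroups", [])],
        "volumes": [m["Ebs"]["VolumeId"] for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m],
        "instance_profile": inst.get("IamInstanceProfile", {}).get("Arn"),
    }

    # 2. Protect: termination protection stops the evidence being destroyed.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    # 3. Isolate: replace its security groups with one that has no rules at all.
    #    A new group has no ingress rule but does have an allow-all egress rule,
    #    so that rule is revoked before the group is attached.
    sg_id = ec2.create_security_group(GroupName=f"isolation-{case_id}",
                                      Description=f"Forensic isolation, case {case_id}",
                                      VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    record["isolation_sg"] = sg_id

    # 4. Detach: leave the Auto Scaling group without lowering desired capacity,
    #    so the group launches a clean replacement and the service stays up.
    members = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for m in members.get("AutoScalingInstances", []):
        autoscaling.detach_instances(InstanceIds=[instance_id],
                                     AutoScalingGroupName=m["AutoScalingGroupName"],
                                     ShouldDecrementDesiredCapacity=False)
        record["detached_from_asg"] = m["AutoScalingGroupName"]

    # 5. Deregister: stop the load balancer sending it traffic.
    for tg in target_group_arns:
        elbv2.deregister_targets(TargetGroupArn=tg, Targets=[{"Id": instance_id}])
    record["deregistered_from"] = list(target_group_arns)

    # 6. Snapshot: preserve every EBS volume before anyone touches the disk.
    record["snapshots"] = [
        ec2.create_snapshot(VolumeId=v, Description=f"Evidence, case {case_id}")["SnapshotId"]
        for v in record["captured"]["volumes"]]

    # 7. Tag: mark the instance and its evidence so nobody "cleans them up".
    ec2.create_tags(Resources=[instance_id] + record["snapshots"],
                    Tags=[{"Key": "IncidentCase", "Value": case_id},
                          {"Key": "Status", "Value": "UnderInvestigation"}])
    return record


class RecordingClient:
    """Offline stand-in for a boto3 client: logs each call, returns canned replies.
    A canned reply may be a callable taking the call's kwargs (used below so
    each volume gets its own snapshot id)."""

    def __init__(self, canned=None):
        self.calls = []
        self.canned = canned or {}

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            reply = self.canned.get(api, {})
            return reply(kwargs) if callable(reply) else reply
        return call


def dry_run():
    """Run the runbook against constructed sample data; no AWS access needed."""
    ec2 = RecordingClient({
        "describe_instances": {"Reservations": [{"Instances": [{
            "VpcId": "vpc-0example",
            "SecurityGroups": [{"GroupId": "sg-0web"}],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-0root"}},
                                    {"Ebs": {"VolumeId": "vol-0data"}}],
            "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"}}]}]},
        "create_security_group": {"GroupId": "sg-0isolation"},
        "create_snapshot": lambda kw: {"SnapshotId": "snap-" + kw["VolumeId"][4:]},
    })
    autoscaling = RecordingClient({"describe_auto_scaling_instances": {
        "AutoScalingInstances": [{"AutoScalingGroupName": "web-asg"}]}})
    elbv2 = RecordingClient()
    tg = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/web/0example"
    record = contain_instance(ec2, autoscaling, elbv2, "i-0compromised", "IR-0001", [tg])
    return record, ec2, autoscaling, elbv2


if __name__ == "__main__":
    rec, ec2, _, _ = dry_run()
    for api, kwargs in ec2.calls:
        print(api, kwargs)
    print(rec)
```

Two design points: the describe call happens before any mutation, so the case record holds the pre-containment security groups and instance profile; and the detach does not decrement desired capacity, so the Auto Scaling group replaces the instance and the service keeps running while the original is preserved.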

Logging

Logging allows a baseline to be established.

  • What is normal
  • What is abnormal
  • Allows you to establish the state of the environment before, during, and after an attack.
  • Logs should be readily available to the audit and security teams when needed.


Some examples of logging in AWS are:

  • CloudWatch Logs
  • CloudTrail logs
  • CloudFront logs
  • Application load balancer logs


It is a good idea to keep these logs immutable so that they cannot be deleted even by admins: if an admin account is hijacked, the actor will try to cover their tracks. Additionally, it should not be possible to disable the logging.
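One way to make "admins cannot delete the logs or turn logging off" concrete is an AWS Organizations service control policy (SCP) that denies those actions in every member account, with a single break-glass role exempted for housekeeping of the log stores. The policy and the checker below are an added example, not from the notes: the bucket name, account id and role ARN are constructed placeholders, and is_denied() models only the explicit-Deny matching an SCP relies on, so treat it as a unit test for the policy rather than a simulator. Two facts about the real services the example rests on: SCPs do not apply to the organization's management account, so the log archive belongs in a member account; and for logs delivered to S3, Object Lock in compliance mode is the mechanism that prevents deletion even by the account's own administrators.

```python
"""Keeping logs immutable: an SCP guardrail plus a checker for it.

Added example, not from the study notes. The bucket, account id and
break-glass role ARN are constructed placeholders. The checker models only
the part of IAM evaluation an SCP relies on (explicit Deny, wildcard Action
and Resource, and a StringNotLike condition on aws:PrincipalArn).
"""
import fnmatch

LOG_BUCKET_ARN = "arn:aws:s3:::example-audit-logs"                      # constructed
BREAK_GLASS_ROLE = "arn:aws:iam::123456789012:role/SecurityBreakGlass"   # constructed

LOG_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Nobody in the account, admins included, can stop or reconfigure CloudTrail.
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
        },
        {   # Log groups and the audit bucket may only be altered by the break-glass role.
            "Sid": "ProtectLogStores",
            "Effect": "Deny",
            "Action": ["logs:DeleteLogGroup", "logs:DeleteLogStream",
                       "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                       "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
            "Resource": ["arn:aws:logs:*:*:log-group:*", LOG_BUCKET_ARN, LOG_BUCKET_ARN + "/*"],
            "Condition": {"StringNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards are * and ?. Actions are case-insensitive; applying the
    same rule to resources is a simplification."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition, context):
    """Only StringNotLike is modelled; any other operator is rejected loudly."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringNotLike":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, patterns in pairs.items():
            if any(_matches(p, context.get(key, "")) for p in _as_list(patterns)):
                return False  # principal matches the exemption, so this Deny does not apply
    return True


def is_denied(policy, action, resource, context):
    """True when some Deny statement matches the action, resource and request context."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition"), context):
            return True
    return False


def check_guardrail(policy=LOG_GUARDRAIL_SCP):
    """The cases a reviewer would want to see, as {case: denied?}."""
    admin = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Admin"}
    breakglass = {"aws:PrincipalArn": BREAK_GLASS_ROLE}
    log_object = LOG_BUCKET_ARN + "/AWSLogs/123456789012/CloudTrail/2024/06/01/x.json.gz"
    trail = "arn:aws:cloudtrail:eu-west-1:123456789012:trail/org-trail"
    log_group = "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/api"
    return {
        "admin stops CloudTrail": is_denied(policy, "cloudtrail:StopLogging", trail, admin),
        "break-glass stops CloudTrail": is_denied(policy, "cloudtrail:StopLogging", trail, breakglass),
        "admin deletes a log object": is_denied(policy, "s3:DeleteObject", log_object, admin),
        "break-glass deletes a log object": is_denied(policy, "s3:DeleteObject", log_object, breakglass),
        "admin reads a log object": is_denied(policy, "s3:GetObject", log_object, admin),
        "admin deletes from another bucket": is_denied(policy, "s3:DeleteObject", "arn:aws:s3:::scratch/tmp", admin),
        "admin deletes a log group": is_denied(policy, "logs:DeleteLogGroup", log_group, admin),
    }


if __name__ == "__main__":
    for case, denied in check_guardrail().items():
        print(f"{'DENIED ' if denied else 'allowed'}  {case}")
```

Note that even the break-glass role is denied cloudtrail:StopLogging: the exemption only covers tidying the log stores, never switching logging off, which matches the point that logging must not be disableable.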

Alerting

  • EventBridge can trigger actions on other services. [1]
  • For example, destroy a compromised VM and bring a new one up from a golden image.


  • SNS - Simple Notification Service
  • Can send out messages when a defined event occurs.

Amazon Detective

  • This is a security service
  • Uses machine learning for statistical analysis
  • Collects logs from several services
    • VPC Flow Logs
    • CloudWatch
    • Amazon GuardDuty

Amazon GuardDuty

  • Regional managed service
  • Powered by machine learning
  • Monitors logs from other services
    • VPC Flow Logs
    • CloudTrail event logs
    • GuardDuty analyzes these logs to uncover unusual activity.


This creates a unified view of resources over time.

Amazon Macie

  • Machine learning service
  • Used to classify sensitive data that may contain PII
  • Enables you to fix and tighten security policies.

AWS Security Hub

  • Integrates security tools
  • Works with AWS and partner tools


  • Think of it as a window into the security infrastructure.
  • Displays all the security statistical data in one place.
  • This is an always-on service.
  • Can work across multiple accounts
    • With multiple accounts, this is a primary/subordinate relationship.


  • Find weaknesses early
  • Find compliance issues early
    • Avoid vulnerabilities

If you suspect unauthorized activity

  • Have any new resources been created?
  • Any access or changes to the account?
  • Check IAM service for unauthorized changes.
  • Run a credential report on the account to see when each password or access key was last used.
  • Run Trusted Advisor reports and look for new violations.
  • Check Cost Explorer to see whether any services were spun up or down.
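A way to answer "when was each password or key last used" programmatically: the IAM credential report is a CSV, and the snippet below parses it and flags what a responder cares about (credentials active inside the suspicious window, stale keys, console users without MFA, an access key on root). This is an added example, not from the notes; the report content is constructed sample data in the real report's column layout (in practice the bytes come from iam.get_credential_report()["Content"] after iam.generate_credential_report()), and the 24-hour and 90-day thresholds are arbitrary choices.

```python
"""Triage an IAM credential report: who used what, and when.

Added example, not from the study notes. SAMPLE_REPORT is constructed data
in the real report's column order; the thresholds are arbitrary.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = b"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T08:00:00+00:00,not_supported,not_supported,true,true,2020-01-01T00:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-31T22:10:00+00:00,2024-03-01T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-15T00:00:00+00:00,2024-05-31T23:40:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-09-01T00:00:00+00:00,true,2023-11-02T14:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,true,2023-06-01T00:00:00+00:00,2023-10-10T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def parse_credential_report(content):
    """Decode the report bytes into one dict per principal."""
    return list(csv.DictReader(io.StringIO(content.decode("utf-8"))))


def _when(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def review(rows, now, recent=timedelta(hours=24), stale=timedelta(days=90)):
    """Return (user, finding) pairs a responder should look at, in report order."""
    findings = []
    for row in rows:
        user = row["user"]
        # A console user without MFA is the easiest account to take over.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_user_without_mfa"))
        # Anything used inside the window was active during the suspicious period.
        pw_used = _when(row["password_last_used"])
        if pw_used and now - pw_used <= recent:
            findings.append((user, "password_used_recently"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root_access_key_active"))
            used = _when(row[f"access_key_{n}_last_used_date"])
            if used and now - used <= recent:
                findings.append((user, f"access_key_{n}_used_recently"))
            elif used is None or now - used > stale:
                # Never used, or unused for longer than the rotation window.
                findings.append((user, f"access_key_{n}_stale"))
    return findings


def triage_sample():
    """Review the constructed report at a fixed point in time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return review(parse_credential_report(SAMPLE_REPORT), now)


if __name__ == "__main__":
    for user, finding in triage_sample():
        print(f"{user:16} {finding}")
```

Stale and recently-used findings serve different purposes: the recent ones bound the set of credentials that need rotating or investigating for the incident at hand, while stale keys are the ones to deactivate regardless, since nothing legitimate will notice.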


What to do if you find abuse

Access keys

  • Rotate and delete any access keys
  • Create new access keys and secret keys in IAM
  • This approach uses IAM to lock the user out (Change the keys to the house!)


  • Issue new keys to authorized applications
  • Deactivate the original key
  • Do not delete the original key
  • Verify apps are functional
  • Remove the original key
  • Delete any root account access keys you did not use or create
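The two key-handling lists above (rotate and delete for keys known to be exposed; create, roll out, deactivate, verify, then delete for routine rotation) as Python against boto3's IAM client. This is an added example, not from the notes or from AWS; list_access_keys, create_access_key, update_access_key and delete_access_key are the real boto3 calls, while FakeIAM is a constructed in-memory stand-in so the flow, including the two-keys-per-user limit and the rollback when verification fails, can be rehearsed offline.

```python
"""Access key handling during an incident: revoke exposed keys, rotate the rest.

Added example, not from the study notes. rotate_access_key() follows the
order above: new key -> roll out -> deactivate old -> verify -> delete old,
and re-activates the old key if verification fails. It accepts any object
with boto3's IAM client methods, so FakeIAM (constructed) can stand in for
boto3.client("iam") during a rehearsal.
"""


def revoke_exposed_key(iam, user, key_id):
    """A key known to be exposed is deactivated, then deleted; no grace period."""
    iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    iam.delete_access_key(UserName=user, AccessKeyId=key_id)


def rotate_access_key(iam, user, deploy_new_key, verify_app):
    """Rotate `user`'s key without breaking the application that uses it.

    deploy_new_key(key_id, secret) installs the new key wherever the app reads
    credentials; verify_app() returns True once the app works with it. Both are
    caller-supplied hooks (assumption: the app can pick up a new key at runtime).
    """
    old_ids = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    if len(old_ids) >= 2:
        # IAM allows two keys per user; the free second slot is what makes rotation possible.
        raise RuntimeError(f"{user} already has two access keys; remove one before rotating")

    new = iam.create_access_key(UserName=user)["AccessKey"]
    deploy_new_key(new["AccessKeyId"], new["SecretAccessKey"])

    # Deactivate rather than delete: an inactive key can be switched back on if
    # something still depends on it, a deleted key cannot.
    for key_id in old_ids:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")

    if not verify_app():
        for key_id in old_ids:
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Active")
        iam.update_access_key(UserName=user, AccessKeyId=new["AccessKeyId"], Status="Inactive")
        raise RuntimeError(f"{user}: app failed on the new key; old key re-activated")

    # Verified working on the new key, so the old one can go.
    for key_id in old_ids:
        iam.delete_access_key(UserName=user, AccessKeyId=key_id)
    return new["AccessKeyId"]


class FakeIAM:
    """Constructed in-memory stand-in for the IAM calls used above."""

    def __init__(self):
        self.keys = {}        # user -> {key_id: "Active" | "Inactive"}
        self._counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.get(UserName, {}).items()]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, {})) >= 2:
            raise RuntimeError("LimitExceeded: at most two access keys per user")
        self._counter += 1
        key_id = f"AKIAEXAMPLE{self._counter:06d}"      # constructed id
        self.keys.setdefault(UserName, {})[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": f"secret-{self._counter}"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


def rehearse(app_accepts_new_key=True):
    """Rotate a constructed user's key; returns (old id, new id or None, final key table)."""
    iam = FakeIAM()
    old_id = iam.create_access_key(UserName="deploy-bot")["AccessKey"]["AccessKeyId"]
    app = {"key": old_id}                    # stands in for the app's credential store

    def deploy(key_id, secret):
        app["key"] = key_id

    def verify():
        # The app "works" when the key it holds is active in IAM (and the flag allows it).
        return app_accepts_new_key and iam.keys["deploy-bot"].get(app["key"]) == "Active"

    try:
        new_id = rotate_access_key(iam, "deploy-bot", deploy, verify)
    except RuntimeError:
        new_id = None
    return old_id, new_id, dict(iam.keys["deploy-bot"])


if __name__ == "__main__":
    print(rehearse())
    print(rehearse(app_accepts_new_key=False))
```

The deactivate-before-delete step is what the notes' "do not delete the original key" is protecting: a deactivated key is the cheapest possible test of whether anything still depends on it.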

Credentials

  • Delete any users that you did not create.


  • Select each user
  • Attach the policy AWSExposedCredentialPolicy_DO_NOT_REMOVE
  • If this policy is already attached, rotate the access keys.
  • Repeat for all valid users


  • Change all passwords for all users

Verify your AWS account information

  • Account name and email.
  • Contact information.
  • Alternate Contacts.


EC2 Resource Isolation

  • If an EC2 instance is compromised, isolate it immediately.
  • Prevent further communication to/from it.
  • This minimizes the risk of data removal.


  • Create a copy of the instance using an AMI (Amazon Machine Image)
  • Terminate the instance to stop further use of it


  • The quickest way to isolate an instance is to update its security group.
  • Any roles associated with the instance should be removed

To perform a forensic investigation

  • Create an AMI from the EC2 instance
  • Share the image with the forensic account.
  • This involves modifying the AMI permissions
  • On the forensic account, locate the AMI from within EC2
  • Create a new instance using the AMI


  • Create an EBS snapshot if you want to copy data.

Systems Manager Incident Manager

[2]

This is a single AWS tool to track and respond to incidents.

  • Prepare for incidents before they happen.
  • Response plans
  • Systems Manager Automation runbooks.


Use the template runbooks provided.

If you want Incident Manager to respond to an incident, you must create an IAM role for it.

  • If you do not do this, you must do it when creating a response plan.
  • It is always best to do things in advance and prepare for the worst.

Forensics

Use a separate AWS account for forensics.

  • Make sure the account is highly secure.
  • Include tools for forensics
  • Have no connection to the internet, to prevent data exfiltration.
  • Have no real customer data

AWS Control Tower can quickly provision an account with the account vending machine.

Once the account has been provisioned, CloudFormation can create S3 buckets and other resources.

  • Build the account automatically and eliminate human errors.

Accounts can be taken back down when not in use to save money.

When investigating:

  • Make sure steps are auditable.
  • Have a centralized logging setup