- Incident Response (12%)
- Logging and Monitoring (20%)
- Infrastructure Security (26%)
- Identity and Access Management (20%)
- Data Protection (22%)
Incident Response (12%)
For the exam, you should know how to:
- Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.
- Verify that incident response plan includes relevant AWS services.
- Evaluate the configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues.
|AWS Trusted Advisor|
|AWS Service Catalog|
|VPC Flow Logs|
|Amazon API Gateway|
Be prepared to handle common incidents such as:
- Compromised user credentials
- Insufficient data integrity
- Overly permissive access
- Logs and Monitoring
- Billing activity
- Threat intelligence
- AWS Support
- Public Response
Responding to Incidents
Example: Instance Isolation
- Remove from ELB and Autoscaling Group, this prevents the instance receiving any more web traffic
- Create an Isolated Security Group that denies all traffic in and outbound and attach to instance
- Take an EBS snapshot of the volume
- Use Forensic instance (in a forensics subnet to investigate the compromised instance)
Example: Exposed IAM Access Keys
- Invalidate credentials: Disable exposed credentials, delete when appropriate.
- Revoke privileged access: Attach a “Deny IAM” policy to user, revoke outstanding sessions.
- Determine the source of IAM access keys: Identify the user the access keys belong to, review the scope of policies associated with them.
- Verify integrity and determine blast radius: Use CloudTrail and AWS Config to determine changes; consider if other IAM credentials could have been leaked.
Allows you to check whether your resources comply with your own security policies, industry best practices and compliance standards
AWS Managed Rules:
- Are all attached Amazon EBS volumes encrypted?
- Do all Amazon EC2 instances belong to a VPC?
- Are all resources tagged as expected?
- Do all security groups in use deny unregulated incoming SSH traffic?
- Is AWS CloudTrail enabled in your AWS account?
- Does the password policy for IAM users meet specified requirements?