AWS whitepapers documentation change
Summary
Removed entire content including security control engineering concepts, examples using GuardDuty, and incident response workflow documentation
Security assessment
This change deletes documentation content but shows no evidence of addressing a specific security vulnerability. The removed content described security best practices and AWS services without indicating any security flaw resolution.
Diff
diff --git a/whitepapers/latest/aws-security-incident-response-guide/detection-as-security-control-engineering.md b/whitepapers/latest/aws-security-incident-response-guide/detection-as-security-control-engineering.md index ce229e1db..8b1378917 100644 --- a//whitepapers/latest/aws-security-incident-response-guide/detection-as-security-control-engineering.md +++ b//whitepapers/latest/aws-security-incident-response-guide/detection-as-security-control-engineering.md @@ -1 +0,0 @@ -[View a markdown version of this page](detection-as-security-control-engineering.md) @@ -3,31 +1,0 @@ -[](/pdfs/security-ir/latest/userguide/sir-ug.pdf#detection-as-security-control-engineering "Open PDF") - -[Documentation](/index.html)[Security Incident Response](/security-ir/index.html)[](what-is.html) - -# Detection as part of security control engineering - -Detection mechanisms are an integral part of security control development. As _directive_ and _preventative_ controls are defined, related _detective_ and _responsive_ controls should be constructed. As an example, an organization establishes a directive control related to the root user of an AWS account, which should only be used for specific and very well-defined activities. They associate it with a preventative control implemented by using an AWS organization’s service control policy (SCP). If root user activity beyond the expected baseline happens, a detective control implemented with an EventBridge rule and SNS topic will alert the security operations center (SOC). The responsive control entails the SOC selecting the appropriate playbook, performing analysis, and working until the incident is resolved. - -Security controls are best defined by threat modeling of workloads running in AWS. The criticality of detective controls will be set by looking at the business impact analysis (BIA) for the particular workload. Alerts generated by detective controls are not handled as they come in, but rather based on its initial criticality, to be adjusted during analysis. The initial criticality set is an aid for prioritization; the context in which the alert happened will determine its true criticality. As an example, an organization uses Amazon GuardDuty as a component of the detective control used for EC2 instances that are part of a workload. The finding `Impact:EC2/SuspiciousDomainRequest.Reputation` is generated, informing you that the listed Amazon EC2 instance within your workload is querying a domain name that is suspected of being malicious. This alert is set by default as low severity, and as the analysis phase progresses, it was determined that several hundred EC2 instances of type `p4d.24xlarge` have been deployed by an unauthorized actor, significantly increasing the organization’s operating cost. At this point, the incident response team makes the decision to adjust the criticality of this alert to _high_ , increasing the sense of urgency and expediting further actions. Note that the GuardDuty finding severity cannot be changed. - - **Javascript is disabled or is unavailable in your browser.** - -To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions. - -[Document Conventions](/general/latest/gr/docconventions.html) - -Alert sources - -Detective control implementations - -Did this page help you? - Yes - -Thanks for letting us know we're doing a good job! - -If you've got a moment, please tell us what we did right so we can do more of it. - -Did this page help you? - No - -Thanks for letting us know this page needs work. We're sorry we let you down. - -If you've got a moment, please tell us how we can make the documentation better.