AWS prescriptive-guidance medium security documentation change
Summary
Formatting changes (markdown syntax updates), image path update, and expanded KMS key policy guidance with IaC recommendations. Added warning about permission issues impacting MTTR during security events.
Security assessment
The change adds specific guidance about KMS key policies requiring forensic principals to decrypt/re-encrypt data, emphasizing least privilege access through IaC. This directly addresses security controls for encryption key management during investigations. The explicit warning about permission issues increasing MTTR shows security impact consideration.
Diff
diff --git a/prescriptive-guidance/latest/security-reference-architecture-cyber-forensics/forensics-account.md b/prescriptive-guidance/latest/security-reference-architecture-cyber-forensics/forensics-account.md index ceb0f1d4a..ca2f1403c 100644 --- a//prescriptive-guidance/latest/security-reference-architecture-cyber-forensics/forensics-account.md +++ b//prescriptive-guidance/latest/security-reference-architecture-cyber-forensics/forensics-account.md @@ -14,3 +14 @@ Influence the future of the AWS Security Reference Architecture (AWS SRA) by tak -###### Disclaimer - -The following description of an AWS Forensics account should only be used by organizations as a starting point for organizations to develop their own forensic capabilities in conjunction with guidance from their legal advisors. +**Disclaimer** : The following description of an AWS Forensics account should only be used by organizations as a starting point for organizations to develop their own forensic capabilities in conjunction with guidance from their legal advisors. @@ -22 +20 @@ The following diagram illustrates the AWS security services that can be configur - + @@ -45 +43 @@ This guidance uses the [Log Archive account](https://docs.aws.amazon.com/prescri -###### Design considerations +**Design considerations:** @@ -47 +45 @@ This guidance uses the [Log Archive account](https://docs.aws.amazon.com/prescri - * Automation is helpful when you have many concurrent incidents, because it helps speed up and scale the collection of vital evidence. However, you should consider these benefits carefully. For example, in case of a false positive incident, a fully automated forensic response might negatively impact a business process that's supported by an AWS workload in scope. For more information, see the design considerations for Amazon GuardDuty, AWS Security Hub CSPM and AWS Step Functions in the following sections. + * Automation is helpful when you have many concurrent incidents, because it helps speed up and scale the collection of vital evidence. However, you should consider these benefits carefully. For example, in case of a false positive incident, a fully automated forensic response might negatively impact a business process that's supported by an AWS workload in scope. For more information, see the design considerations for Amazon GuardDuty, AWS Security Hub CSPM, and AWS Step Functions in the following sections. @@ -70 +68 @@ You can fully automate the integration of the containment and forensic data coll -###### Design considerations +**Design considerations:** @@ -87,5 +85 @@ Security Hub CSPM custom actions provide a standardized mechanism for authorized -###### Design considerations - - * Security Hub CSPM can be integrated with many services, including AWS Partner solutions. If your organization uses detective security controls that aren't fully fine-tuned and sometimes result in false positive alerts, fully automating the forensic collection process would result in running that process unnecessarily. - - +**Design consideration:** @@ -92,0 +87 @@ Security Hub CSPM custom actions provide a standardized mechanism for authorized +Security Hub CSPM can be integrated with many services, including AWS Partner solutions. If your organization uses detective security controls that aren't fully fine-tuned and sometimes result in false positive alerts, fully automating the forensic collection process would result in running that process unnecessarily. @@ -106 +101 @@ Step Functions is ideal for use with a forensic process because it supports a re -###### Design considerations +**Design considerations:** @@ -121,3 +116 @@ With [AWS Lambda](https://aws.amazon.com/lambda/) you can run code without provi -In the context of a forensic investigation, using Lambda functions helps you achieve constant results through repeatable, automated, and predefined steps that are defined in the Lambda code. When a Lambda function runs, it creates a log that helps you verify that the proper process was implemented. - -###### Design considerations +In the context of a forensic investigation, using Lambda functions helps you achieve constant results through repeatable, automated, and predefined steps that are defined in the Lambda code. When a Lambda function runs, it creates a log that helps you verify that the proper process was implemented. **Design considerations:** @@ -138 +131,5 @@ As part of the forensics process, data collection and investigation should be do -###### Design consideration +**Design consideration:** + + * An organization's AWS KMS key policies should allow authorized IAM principals for forensics to use the key to decrypt data in the source account and re-encrypt it in the Forensics account. Use infrastructure as code (IaC) to centrally manage all your organization's keys in AWS KMS to help ensure that only authorized IAM principals have the appropriate and least privilege access. These permissions should exist on all KMS keys that can be used to encrypt resources on AWS that could be collected during a forensics investigation. If you update the KMS key policy after a security event, the subsequent resource policy update for a KMS key that's in use might impact your business. Additionally, permission issues can increase the overall mean time to respond (MTTR) for a security event. + + @@ -140 +136,0 @@ As part of the forensics process, data collection and investigation should be do -An organization's AWS KMS key policies should allow authorized IAM principals for forensics to use the key to decrypt data in the source account and re-encrypt it in the Forensics account. Use infrastructure as code (IaC) to centrally manage all your organization's keys in AWS KMS to help ensure that only authorized IAM principals have the appropriate and least privilege access. These permissions should exist on all KMS keys that can be used to encrypt resources on AWS that could be collected during a forensics investigation. If you update the KMS key policy after a security event, the subsequent resource policy update for a KMS key that's in use might impact your business. Additionally, permission issues can increase the overall mean time to respond (MTTR) for a security event.