AWS prescriptive-guidance documentation change
Summary
Added detailed content about automating security operations using AWS Security Hub, EventBridge, Step Functions, Lambda, Systems Manager, and SQS. Included a security incident response workflow example and reference to a security blog.
Security assessment
The change documents security automation features and incident response workflows but doesn't address a specific vulnerability or incident. It enhances security documentation by describing automated remediation processes.
Diff
diff --git a/prescriptive-guidance/latest/strategy-accelerating-security-maturity/run.md b/prescriptive-guidance/latest/strategy-accelerating-security-maturity/run.md index d158f4edc..4ab99d8ae 100644 --- a//prescriptive-guidance/latest/strategy-accelerating-security-maturity/run.md +++ b//prescriptive-guidance/latest/strategy-accelerating-security-maturity/run.md @@ -6,0 +7,2 @@ +Optimize + @@ -9 +11 @@ - + @@ -15 +17,12 @@ The following is the only phase in the run stage: - * [Optimize](./optimize.html) – How do I improve this process and add automation? + * **Optimize** – How do I improve this process and add automation? + + + + +## Optimize + +In the optimize phase, you automate your security operations. Like the crawl and walk stages, you can use AWS Security Hub CSPM during the run stage to achieve automation and iteration. The following image shows how Security Hub CSPM can trigger a custom [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html) rule that defines automatic actions to take against specific findings and insights. For more information, see [Automations](https://docs.aws.amazon.com/securityhub/latest/userguide/automations.html) in the Security Hub CSPM documentation. + + + +By using Security Hub CSPM as a central automation hub, you can also forward activities to [Splunk](https://www.splunk.com). Splunk can then detect the ones that are anomalous and trigger corresponding actions in EventBridge. This helps you automate repetitive tasks and provides more time for skilled team members to focus on higher-value activities. You can also use [AWS Step Functions](https://docs.aws.amazon.com/step-functions/latest/dg/welcome.html) to collect logs, take forensic snapshots, quarantine compromised servers, and replace them with a golden image. Additionally, you can use an [AWS Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) function that uses [AWS Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html) to remediate vulnerabilities across the environment and uses an [Amazon Simple Queue Service (Amazon SQS)](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/welcome.html) function to validate the security of the systems. By taking this approach, it's possible to quickly contain and remediate security incidents with minimal impact to normal business operations. @@ -16,0 +30 @@ The following is the only phase in the run stage: +The following is an example of repeated automated actions, as shown in the previous image: @@ -17,0 +32 @@ The following is the only phase in the run stage: + 1. Use Splunk to detect questionable activity. @@ -18,0 +34,12 @@ The following is the only phase in the run stage: + 2. Use Step Functions to collect logs, revoke access, quarantine, and take forensic snapshots. + + 3. Use an EventBridge rule to start a Lambda function that quarantines, takes forensic snapshots, and replaces compromised servers with a golden image. + + 4. Start a Lambda function that uses Systems Manager to remediate and apply patches throughout the rest of the environment. + + 5. Start an Amazon SQS message that uses the [Rapid7](https://www.rapid7.com/) scanner to scan and validate whether the AWS resource is secure. + + + + +For more information, see [How to automate incident response in the AWS Cloud for EC2 instances](https://aws.amazon.com/blogs/security/how-to-automate-incident-response-in-aws-cloud-for-ec2-instances/) in the AWS Security Blog. @@ -28 +55 @@ Examples -Optimize +Conclusion