Security - eBook (EN)

AWS Security Checklist

Issue link: https://read.uberflip.com/i/1472544


Detection

1. Enable foundational services: AWS CloudTrail, Amazon GuardDuty, and AWS Security Hub. For all your AWS accounts, configure CloudTrail to log API activity, use GuardDuty for continuous monitoring, and use AWS Security Hub for a comprehensive view of your security posture.

2. Configure service and application level logging. In addition to your application logs, enable logging at the service level, such as Amazon VPC Flow Logs and Amazon S3, CloudTrail, and Elastic Load Balancer access logging, to gain visibility into events. Configure logs to flow to a central account, and protect them from manipulation or deletion.

3. Configure monitoring and alerts, and investigate events. Enable AWS Config to track the history of resources, and Config Managed Rules to automatically alert or remediate on undesired changes. For all your sources of logs and events, from AWS CloudTrail to Amazon GuardDuty and your application logs, configure alerts for high priority events and investigate them.

Infrastructure Protection

1. Patch your operating system, applications, and code. Use AWS Systems Manager Patch Manager to automate the patching process for all systems and code for which you are responsible, including your OS, applications, and code dependencies.

2. Implement distributed denial-of-service (DDoS) protection for your internet-facing resources. Use Amazon CloudFront, AWS WAF and AWS Shield to provide layer 7 and layer 3/layer 4 DDoS protection.

3. Control access using VPC Security Groups and subnet layers. Use security groups for controlling inbound and outbound traffic, and automatically apply rules for both security groups and WAFs using AWS Firewall Manager. Group different resources into different subnets to create routing layers; for example, database resources do not need a route to the internet.
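The first two Detection items (CloudTrail in every account, logs flowing to a central account and protected from tampering) can be checked mechanically. The following is an added example, not AWS's own code: it evaluates trail settings against those items, assuming the dictionary keys match what boto3's cloudtrail describe_trails() and get_trail_status() return; the central account id and the sample trails are constructed.

```python
"""Evaluate CloudTrail trails against the Detection checklist items."""

# Assumed: the central logging account and the bucket(s) it owns.
# In practice, derive this from the bucket's owner rather than a constant.
CENTRAL_LOG_ACCOUNT = "111111111111"
CENTRAL_BUCKETS = {"org-cloudtrail-logs"}


def trail_findings(trail: dict, status: dict) -> list:
    """Return checklist violations for one trail; an empty list is compliant."""
    findings = []
    if not status.get("IsLogging", False):
        findings.append("trail is not currently logging")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("single-region trail: API activity in other regions is missed")
    if not trail.get("IncludeGlobalServiceEvents", False):
        findings.append("global service events (IAM, STS) are not captured")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation off: tampering with logs is undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer managed KMS key")
    bucket = trail.get("S3BucketName", "")
    if bucket not in CENTRAL_BUCKETS:
        findings.append(f"logs go to '{bucket}', not a bucket in the central account")
    return findings


def account_has_central_logging(trails: list, statuses: dict) -> bool:
    """True when at least one trail is fully compliant, i.e. the account
    is covered by a multi-region, validated, centrally stored trail."""
    return any(not trail_findings(t, statuses[t["Name"]]) for t in trails)


# Constructed sample: one compliant organization trail and one weak local trail.
TRAILS = [
    {"Name": "org-trail", "S3BucketName": "org-cloudtrail-logs",
     "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
     "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"},
    {"Name": "dev-trail", "S3BucketName": "dev-scratch-bucket",
     "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
     "LogFileValidationEnabled": False},
]
STATUSES = {"org-trail": {"IsLogging": True}, "dev-trail": {"IsLogging": True}}

if __name__ == "__main__":
    for t in TRAILS:
        print(t["Name"], trail_findings(t, STATUSES[t["Name"]]) or ["compliant"])
    print("central logging in place:", account_has_central_logging(TRAILS, STATUSES))
```

Against live accounts, feed the dictionaries from describe_trails() and get_trail_status() into the same functions and raise an alert on any non-empty findings list.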
