AWS Incident Response & Logging and Monitoring

This initial blog post covers AWS Incident Response and AWS Logging & Monitoring solutions and best practices.

It includes some of the most common gotchas, issues and best practices that AWS provides to the public with regards to their AWS platform security.

The content of this and subsequent blog posts is drawn from various sources of study material for the AWS Certified Security Specialty exam/qualification.

We can assist your organisation with reviewing, consultation services and support to help you achieve the most robust and secure AWS Platform possible.

OIC Solutions can be contacted via our Contact Us page or directly on +44 (0)207 993 2239 or

Peppered in these blog posts are photos from the Astronomy Photographer of the year awards at the Greenwich Maritime Museum. Why? Cos they are cool and interesting.

ISS Space Station tracking in front of the Sun.

Ok, let's get on with the show.

Incident Response

  • The two most frequent incidents in AWS are Exposed Keys and Compromised EC2 instances.
  • Dealing with a compromised EC2 instance
    1. Lock the instance down through security groups, so that it remains isolated and cannot communicate with the outside world. Remove all outbound rules. The only host that should be able to communicate with the instance should be the forensic server.
    2. Take an EBS Snapshot.
    3. Do a memory dump.
    4. Perform Forensic analysis.
    5. When the root cause has been established, terminate the EC2 instance.
  • It is a best practice to enable AWS GuardDuty, which should report compromised EC2 instances.
  • Exposed Keys
    1. Determine the access levels associated with those exposed keys.
    2. Invalidate the exposed keys by making them inactive.
    3. Add an explicit deny policy to the IAM principal whose keys have been exposed.
    4. Review the logs to see possible backdoors and whether keys are still being used.
  • If the Root user keys are compromised, you must go to the “My Security Credentials” page, which appears under the Root account name.
  • Disable keys instead of deleting them. This is a key point.
  • The right way to deal with exposed access/secret keys is to add an explicit deny policy to the IAM principal. If this is not done, temporary credentials will still work.
  • It is more secure to add an explicit Deny policy rather than deactivating or deleting long-term keys.
  • Penetration Testing
    1. Clients do not have to seek authorisation to conduct a penetration test against the following 8 services.
      • EC2 instances, NAT Gateways, and Elastic Load Balancers
      • RDS
      • CloudFront
      • Aurora
      • API Gateways
      • AWS Lambda and Lambda Edge functions
      • Amazon Lightsail resources
      • Amazon Elastic Beanstalk environments
    2. Further information about what is and isn’t required without prior authorisation by AWS is available here.
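
The two response procedures above (isolating a compromised instance, and deactivating exposed keys, adding an explicit deny, then reviewing the logs) can be partly scripted. The following is an added example written for this post, not code from the original or from AWS: it checks that a quarantine security group really matches step 1 of the EC2 procedure (no outbound rules, inbound only from the forensic server), builds the explicit deny policy from step 3 of the exposed-keys procedure, and scans CloudTrail records for step 4. The forensic address, security group ids, the placeholder key ids and the CloudTrail records are all constructed sample data.

```python
# Added example for the incident-response procedures above; it is not code from
# the original post or from AWS. Pure Python, runs offline: every identifier
# below (group ids, key ids, addresses, CloudTrail records) is constructed data.
import json

FORENSIC_CIDR = "10.0.50.10/32"   # assumed address of the forensic server


def quarantine_violations(security_group, forensic_cidr=FORENSIC_CIDR):
    """Check a security group, in the shape EC2 DescribeSecurityGroups returns,
    against step 1 of the compromised-instance procedure: no outbound rules at
    all, and inbound only from the forensic host. Returns the violations found
    (an empty list means the instance is isolated)."""
    problems = []
    for perm in security_group.get("IpPermissionsEgress", []):
        problems.append("egress allowed: " + json.dumps(perm, sort_keys=True))
    for perm in security_group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") != forensic_cidr:
                problems.append("ingress from " + str(rng.get("CidrIp")))
        for rng in perm.get("Ipv6Ranges", []):
            problems.append("ingress from IPv6 range " + str(rng.get("CidrIpv6")))
        for pair in perm.get("UserIdGroupPairs", []):
            problems.append("ingress from security group " + str(pair.get("GroupId")))
        for pl in perm.get("PrefixListIds", []):
            problems.append("ingress from prefix list " + str(pl.get("PrefixListId")))
    return problems


def explicit_deny_policy(sid="DenyExposedPrincipal"):
    """Step 3 of the exposed-keys procedure: the inline policy to attach to the
    IAM principal whose keys leaked. Making the key inactive is not enough on
    its own, because temporary credentials already obtained with it keep
    working until they expire; an explicit Deny is evaluated on every request
    and overrides any Allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": sid, "Effect": "Deny", "Action": "*", "Resource": "*"}],
    }


def key_usage_after(records, access_key_id, since):
    """Step 4: from CloudTrail records (the 'Records' array of a CloudTrail log
    file) return the API calls made with the exposed key at or after `since`,
    as (eventTime, eventName, sourceIPAddress) tuples in time order. CloudTrail
    eventTime is fixed-format UTC ('YYYY-MM-DDTHH:MM:SSZ'), so plain string
    comparison orders correctly."""
    hits = [
        (rec["eventTime"], rec["eventName"], rec.get("sourceIPAddress"))
        for rec in records
        if rec.get("userIdentity", {}).get("accessKeyId") == access_key_id
        and rec["eventTime"] >= since
    ]
    return sorted(hits)


# --- constructed sample data ---
COMPROMISED_SG = {   # the instance's original group: SSH from anywhere, all egress
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
QUARANTINE_SG = {    # the group the instance is moved into for forensics
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": FORENSIC_CIDR}]}],
    "IpPermissionsEgress": [],
}
EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"   # placeholder key id used in AWS documentation
REVOKED_AT = "2024-03-01T10:00:00Z"    # when the key was made inactive
SAMPLE_RECORDS = [   # constructed CloudTrail records; a CreateUser after revocation is a possible backdoor
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-03-01T10:15:00Z", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": EXPOSED_KEY}},
    {"eventTime": "2024-03-01T10:20:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    print("before quarantine:", quarantine_violations(COMPROMISED_SG))
    print("after quarantine: ", quarantine_violations(QUARANTINE_SG))
    print(json.dumps(explicit_deny_policy(), indent=2))
    for hit in key_usage_after(SAMPLE_RECORDS, EXPOSED_KEY, REVOKED_AT):
        print("exposed key still used after revocation:", hit)
```

In a real response, `quarantine_violations` would be fed the output of `aws ec2 describe-security-groups` for the group you moved the instance into, and the policy from `explicit_deny_policy` would be attached with `aws iam put-user-policy` (or `put-role-policy`) before any keys are deleted, matching the post's point that deactivation alone leaves temporary credentials working.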

Logging & Monitoring

  • Continuous Security Monitoring is a critical part of Incident Response.
  • AWS Inspector
    • Automated security assessment service. 
    • Provides templates to validate various security misconfigurations and vulnerabilities.
    • Agent must be installed in the EC2 instance.
    • You have to provide the key-value pair (tag) that identifies the target EC2 instances.
    • The following EC2 templates are offered for AWS Inspector.
      • Common Vulnerabilities and Exposures (CVE).
        • Important but not always ideal.
        • Does not assign high vulnerability scores to information leakage issues.
      • Center for Internet Security (CIS) Benchmarks.
      • Security Best Practices.
        • Including
          • Disable root login.
          • Support SSH V2.
      • Runtime Behaviour Analysis.
        • Including
          • Unused listening TCP ports.
          • Insecure protocols in use.
    • The Patch Compliance service allows you to check the compliance status of an EC2 instance with respect to patching activity (missing updates).
    • Download and install the AWS Inspector agent on the Linux server.
    • Specify the package/template the scan is based on and decide how long to scan for. The recommendation is to run a scan for 1 hour.
  • System Manager
    • Centralised way to manage operational and automation tasks across your AWS environment.
    • Configure and assign an IAM role with the Systems Manager policy to the EC2 instance and then install the SSM Agent.
    • Can send output to an S3 bucket or an SNS notification.
  • AWS Config
    • Continuous audit and assessment of Workloads.
    • Two important features
      • Evaluate the changes made to a resource pool over time.
      • Compliance checks.
    • Must enable both checkboxes associated with the following options.
      • Record all resources supported within the region.
      • Include global resources.
    • Monitor resources supported in the region where AWS Config is enabled and/or global resources, e.g. IAM.
    • Create an S3 bucket where AWS Config stores its configuration and snapshot files.
    • Needs an IAM role that allows AWS Config service to Put files in the S3 bucket.
    • 52 AWS managed config rules are available.
    • Good use case is during investigations.
  • CloudWatch
    • Can monitor, store and access log files from sources such as EC2, CloudTrail and Lambda.
    • Gives a centralised log monitoring solution.
    • Three steps to push EC2 logs to CloudWatch.
      • An IAM role with the right permissions.
        • The IAM role associated with the EC2 instance must have permission to push logs to CloudWatch.
      • Installation of the CloudWatch agent.
      • Modifying the agent configuration file.
    • After configuration, you need to restart the agent.
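
Two of the bullets above come down to the same question: does the IAM role actually grant what the service needs (AWS Config's role must be able to put files in its S3 bucket; the EC2 instance role must be able to push logs to CloudWatch)? The following is an added example written for this post, not code from the original or from AWS. It checks a policy document against a list of required actions using a deliberately simplified model of IAM evaluation, and builds the `logs` section of the CloudWatch agent configuration file from the third step. The bucket name, file paths, log-group names and the sample policies are constructed.

```python
# Added example for the AWS Config and CloudWatch bullets above; it is not code
# from the original post or from AWS. Pure Python, runs offline: the bucket
# name, file paths and log-group names are constructed, and the policy check
# is a simplified model of IAM evaluation (see missing_actions).
import fnmatch
import json

# Log-related actions the CloudWatch agent needs; these are the ones AWS's
# managed CloudWatchAgentServerPolicy grants.
CLOUDWATCH_AGENT_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream",
    "logs:PutLogEvents", "logs:DescribeLogStreams",
]
# What the AWS Config role must at least be able to do with the delivery bucket.
CONFIG_BUCKET = "example-aws-config-history"   # constructed bucket name
CONFIG_ROLE_ACTIONS = ["s3:PutObject"]


def missing_actions(policy_document, required_actions):
    """Return the required actions that the policy does not grant.
    Simplified IAM evaluation: an explicit Deny matching the action wins;
    otherwise any Allow whose Action pattern matches grants it. Matching is
    case-insensitive and honours IAM's '*' and '?' wildcards. Resource and
    Condition restrictions and NotAction are not modelled."""
    stmts = policy_document["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts

    def matches(stmt, action):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in acts)

    missing = []
    for action in required_actions:
        denied = any(s["Effect"] == "Deny" and matches(s, action) for s in stmts)
        allowed = any(s["Effect"] == "Allow" and matches(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing


def cloudwatch_agent_log_config(file_paths, log_group, stream="{instance_id}"):
    """Build the 'logs' section of amazon-cloudwatch-agent.json (the agent
    configuration file from step 3), shipping each file to one log group with
    one stream per instance; '{instance_id}' is expanded by the agent itself."""
    return {"logs": {"logs_collected": {"files": {"collect_list": [
        {"file_path": path, "log_group_name": log_group,
         "log_stream_name": stream, "timezone": "UTC"}
        for path in file_paths
    ]}}}}


# --- constructed sample policies ---
INSTANCE_ROLE_POLICY_BAD = {   # copied from an S3-reader role; the agent cannot push logs
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}],
}
INSTANCE_ROLE_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}],
}
CONFIG_ROLE_POLICY_BAD = {     # a stray Deny overrides the Allow, so delivery fails
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::" + CONFIG_BUCKET + "/*"},
        {"Effect": "Deny", "Action": "s3:Put*", "Resource": "*"},
    ],
}
CONFIG_ROLE_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::" + CONFIG_BUCKET + "/*"}],
}

if __name__ == "__main__":
    for name, pol, need in [("instance role (bad)", INSTANCE_ROLE_POLICY_BAD, CLOUDWATCH_AGENT_ACTIONS),
                            ("instance role (ok)", INSTANCE_ROLE_POLICY_OK, CLOUDWATCH_AGENT_ACTIONS),
                            ("config role (bad)", CONFIG_ROLE_POLICY_BAD, CONFIG_ROLE_ACTIONS),
                            ("config role (ok)", CONFIG_ROLE_POLICY_OK, CONFIG_ROLE_ACTIONS)]:
        print(name, "missing:", missing_actions(pol, need))
    print(json.dumps(cloudwatch_agent_log_config(["/var/log/secure", "/var/log/messages"], "/ec2/system"), indent=2))
```

Once the generated JSON is written to the agent's configuration path, the restart from the last bullet is done with the agent's own control script, `amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -s -c file:<config path>`, which loads the new file and restarts the agent in one step. For anything beyond a quick sanity check, use the IAM policy simulator rather than this simplified matcher, since it also evaluates Resource and Condition elements.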

That is going to be enough in this blog post to stop total information overload. You can find the second blog post on this subject here.

Saturn. It’s all about the hexagonal storm at its north pole.
