On January 6, 2020, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released an alert (AA20-006A) that highlighted measures for critical infrastructure to prepare for information security risks, but which are also relevant to all organizations. The CISA alert focuses on vulnerability mitigation and incident preparation.
At AWS, security is our core function and highest priority and, as always, we are engaged with the U.S. Government and other responsible national authorities regarding the current threat landscape. We are taking all appropriate steps to ensure that our customers and infrastructure remain protected, and we encourage our customers to do the same with their systems and workloads, whether in the cloud or on-premises.
The CISA recommendations reflect general guidance, as well as specific mitigations and monitoring that can help address information security risks. In this post, we provide customers with resources they can use to apply the CISA recommendations to their environment and implement other best practices to protect their resources. Specifically, we point to the security principles and mechanisms in the AWS Well-Architected Framework and to posts on AWS best practices that can help you address the issues described in the alert.
The specific techniques described in the CISA alert are almost all related to issues that exist in an on-premises Windows or Linux operating system and network environment, and are not directly related to cloud computing. However, the precautions described may be applicable to the extent customers are using those operating systems in an Amazon Elastic Compute Cloud (Amazon EC2) virtual machine environment. There are also cloud-specific technologies and issues that should be considered and addressed. Customers can use the information provided in the table below to help address the issues.
| Technique | Mitigation |
| --- | --- |
| Credential Dumping & Spearphishing | Identify Unintended Resource Access with AWS Identity and Access Management (IAM) Access Analyzer; Getting Started: Follow Security Best Practices as You Configure Your AWS Resources; How can I configure a CloudWatch Events rule for GuardDuty to send custom SNS notifications if specific AWS service event types trigger? |
| Data Compressed & Obfuscated Files or Information | How can I configure a CloudWatch Events rule for GuardDuty to send custom SNS notifications if specific AWS service event types trigger?; Monitor, review, and protect Amazon S3 buckets using Access Analyzer for S3; Identify Unintended Resource Access with AWS Identity and Access Management (IAM) Access Analyzer |
| User Execution | Identify Unintended Resource Access with AWS Identity and Access Management (IAM) Access Analyzer; Monitor, review, and protect Amazon S3 buckets using Access Analyzer for S3 |
| Scripting | Nine AWS Security Hub best practices; How to import AWS Config rules evaluations as findings in Security Hub |
| Remote File Copy | Continuous Compliance with AWS Security Hub; Monitor, review, and protect Amazon S3 buckets using Access Analyzer for S3 |
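Several rows in the table above point to the same detection control: a CloudWatch Events (now EventBridge) rule that forwards GuardDuty findings to an SNS topic so that responders are notified. The following added example, which is not code from the AWS post or from AWS itself, builds the event pattern such a rule uses to forward only findings at or above a severity threshold, and includes a small local matcher so the pattern can be checked against constructed sample findings offline before the rule is deployed. The topic ARN, rule name and finding contents are placeholders and constructed sample data; the matcher implements only the subset of the EventBridge pattern syntax used here (exact values, "prefix" and "numeric" filters).

```python
"""EventBridge-style pattern for GuardDuty findings -> SNS, with a local matcher.

Added example (not from the AWS post): builds the event pattern a CloudWatch
Events / EventBridge rule would use to forward GuardDuty findings at or above a
severity threshold to an SNS topic, and checks constructed sample findings
against it offline. Only the subset of pattern syntax used here is implemented.
"""
import json
from typing import Any

# Hypothetical resource identifiers; replace with your own.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:guardduty-alerts"  # placeholder
RULE_NAME = "guardduty-high-severity-to-sns"                       # placeholder


def build_guardduty_pattern(min_severity: float = 7.0) -> dict:
    """Pattern matching GuardDuty findings whose severity >= min_severity.

    GuardDuty severities range 0.1-8.9; 7.0 and above is rated "High".
    """
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", min_severity]}]},
    }


_NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _value_matches(alternatives: list, value: Any) -> bool:
    """True if the event value satisfies at least one listed alternative."""
    for alt in alternatives:
        if isinstance(alt, dict):
            is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
            if "numeric" in alt and is_number:
                conds = alt["numeric"]
                # Numeric filters are flat lists [op, n, op, n, ...]; all must hold.
                pairs = zip(conds[0::2], conds[1::2])
                if all(_NUMERIC_OPS[op](value, n) for op, n in pairs):
                    return True
            elif "prefix" in alt and isinstance(value, str):
                if value.startswith(alt["prefix"]):
                    return True
        elif alt == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Recursive subset of EventBridge matching: every pattern key must match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not _value_matches(expected, actual):
            return False
    return True


def sample_finding(severity: float, finding_type: str) -> dict:
    """Constructed GuardDuty finding event in the shape EventBridge delivers."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {"severity": severity, "type": finding_type, "id": "sample-finding-id"},
    }


def create_rule(events_client, pattern: dict,
                rule_name: str = RULE_NAME, topic_arn: str = TOPIC_ARN) -> None:
    """Create or update the rule and target the SNS topic.

    events_client is an EventBridge client such as boto3.client("events");
    the SNS topic policy must also allow events.amazonaws.com to publish.
    """
    events_client.put_rule(Name=rule_name, EventPattern=json.dumps(pattern), State="ENABLED")
    events_client.put_targets(Rule=rule_name, Targets=[{"Id": "sns-alerts", "Arn": topic_arn}])


if __name__ == "__main__":
    pat = build_guardduty_pattern(7.0)
    print(json.dumps(pat, indent=2))
    # Constructed sample findings: one high severity, one low severity.
    for sev, ftype in [(8.0, "UnauthorizedAccess:IAMUser/MaliciousIPCaller"),
                       (2.0, "Recon:EC2/PortProbeUnprotectedPort")]:
        verdict = "forward" if matches(pat, sample_finding(sev, ftype)) else "ignore"
        print(f"severity {sev} {ftype} -> {verdict}")
```

Checking the pattern locally against sample findings catches the common mistake of writing the severity filter as a string or an exact value (GuardDuty emits severity as a JSON number), which would silently match nothing once deployed. The threshold is a design choice: forwarding everything at 7.0 and above keeps the SNS channel for findings that need a human, while lower-severity findings remain available in the GuardDuty console and Security Hub.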
We’re also including links to GitHub repositories that can help automate some of the practices above, and to the AWS Security Incident Response whitepaper, to assist with planning for and responding to security events. We strongly recommend that you review your runbooks, disaster recovery plans, and backup procedures.
- Enable Security Hub
- Security Hub to email
- AWS Config to Security Hub
- AWS Config Rules
- Enforcing Security Invariants with AWS Organizations (re:Inforce talk)
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this blog post, please contact your AWS Account Manager or contact AWS Support. If you need urgent help or have relevant information about an existing security issue, contact your AWS account representative.