This document is provided for informational purposes only. It represents the current product offerings and practices from Amazon Web Services (AWS) as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided “as is” without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.
© 2024 Amazon Web Services, Inc. or its affiliates. All Rights Reserved. This work is licensed under a Creative Commons Attribution 4.0 International License.
This AWS Content is provided subject to the terms of the AWS Customer Agreement available at http://aws.amazon.com/agreement or other written agreement between the Customer and either Amazon Web Services, Inc. or Amazon Web Services EMEA SARL or both.
“If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds.” attributed to former US Secretary of State Dean Rusk
Alerts are determined by the threat modeling of a workload during the development of security controls. Alert usage is defined by Responsive controls, however, its definition relies on the whole security perspective: Directive, Preventative, Detective, and Responsive.
- Workload: what you are trying to protect
- Threat: what you fear happening
- Impact: how business is affected when threat meets workload
- Vulnerability: what can facilitate the threat
- Mitigation: what controls are in place to compensate for vulnerability
- Probability: how likely is for the threat to happen with mitigations in place
Prioritization of threats is a factor of impact and probability.
- Directive controls establish the governance, risk, and compliance models the environment will operate within.
- Preventive controls protect your workloads and mitigate threats and vulnerabilities.
- Detective controls provide full visibility and transparency over the operation of your deployments in AWS.
- Responsive controls drive remediation of potential deviations from your security baselines.
To minimize alert fatigue and better handling of security events, the threat modeling context should take into account:
- Workload relevance (*) to the business.
- Data classification (*) of each workload component.
- Methodology consistently used such as STRIDE (Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege)
- Cloud security readiness and maturity.
- Incident Response and Threat Hunting capacity.
- Auto-remediation capabilities.
- Incident handling automation maturity.
(*) Workload relevance and data classification are defined by the corporation’s risk framework initiative. Examples:
High: major monetary loss and image perception damage, long term business impact, low recovery success
Medium: sustainable monetary loss and image perception damage, short term business impact, high recovery success
Low: no measurable monetary loss and image perception damage, no business impact, recovery is not applicable
Secret: major monetary loss and image perception damage, long term business impact, low recovery success
Confidential: sustainable monetary loss and image perception damage, short term business impact, high recovery success
Unclassified: no measurable monetary loss and image perception damage, no business impact, recovery is not applicable
- Alert triage queue
- Threat hunting queue
- Archive queue
The process to define where the alert will end up is dependent on all the factors enumerated previously. A basic queuing decision is as follows:
- Specific risk framework mandate, including but not limited to, industry regulation, statutory compliance, business requirement. In this scenario, the workload has high relevance or data is classified as secret.
- Specific threat model requirement to start formal incident response process.
- Auto-remediation failed for alerts where workload has medium or high relevance or data classification is secret or confidential.
- Auto-remediation successful for workload with medium or high relevance or data classification is secret or confidential.
- Auto-remediation failed for workload with low relevance or data classification is unclassified.
- Auto-remediation succeeded for workload with low relevance or data classification is unclassified.