AWS Certified Security – Specialty (SCS-C02) Exam Guide - Second Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781837633982
Pages: 614
Edition: 2nd Edition
Authors (2): Adam Book, Stuart Scott

Table of Contents (29 chapters)

Preface
1. Section 1: AWS Security Fundamentals
2. Chapter 1: AWS Shared Responsibility Model
3. Chapter 2: Fundamental AWS Services
4. Chapter 3: Understanding Attacks on Cloud Environments
5. Section 2: Incident Response
6. Chapter 4: Incident Response
7. Chapter 5: Managing Your Environment with AWS Config
8. Chapter 6: Event Management with Security Hub and GuardDuty
9. Section 3: Logging and Monitoring
10. Chapter 7: Logs Generated by AWS Services
11. Chapter 8: CloudWatch and CloudWatch Metrics
12. Chapter 9: Parsing Logs and Events with AWS Native Tools
13. Section 4: Infrastructure Security
14. Chapter 10: Configuring Infrastructure Security
15. Chapter 11: Securing EC2 Instances
16. Chapter 12: Managing Key Infrastructure
17. Chapter 13: Access Management
18. Section 5: Identity and Access Management
19. Chapter 14: Working with Access Policies
20. Chapter 15: Federated and Mobile Access
21. Chapter 16: Using Active Directory Services to Manage Access
22. Section 6: Data Protection
23. Chapter 17: Protecting Data in Flight and at Rest
24. Chapter 18: Securely Connecting to Your AWS Environment
25. Chapter 19: Using Certificates and Certificate Services in AWS
26. Chapter 20: Managing Secrets Securely in AWS
27. Chapter 21: Accessing the Online Practice Resources
28. Other Books You May Enjoy

Incident Response

With a grasp on what you are responsible for from an AWS customer perspective, you can now turn to the pillars that will be tested in the exam. The first pillar is incident response (IR). Knowing how to prepare and then react, in both a manual and an automated fashion, when something occurs in one of your AWS accounts is necessary—not only from the exam perspective but also in real life.

As you will see in this chapter, preparation is crucial to IR. This includes assembling the correct team members responsible for participating in any IR activities. Preparation also includes creating (and testing) runbooks and playbooks that give team members the exact set of instructions to follow and cut down on the response time in the event of an incident. Further, enabling the correct set of logs and visibility services, so that you and your team can construct monitoring mechanisms and alerts for abnormal activity, is also part of the pre-incident process.

...

Technical Requirements

You will need an understanding of AWS and networking concepts, as well as access to the AWS Management Console and an active AWS account, to follow along with any of the step-by-step guides presented in this chapter.

The Goals of Incident Response

The goals of IR can be broken down into short-term and long-term goals. Ultimately, you want to be in a position where you no longer have to engage in IR. A short-term goal for an organization may be to ensure that all the logging is in place and notification systems are enabled in case of an incident. Long-term goals may take the form of compiling scripted playbooks with detailed steps so that new team members can quickly and efficiently respond to an incident or, better yet, prepare automated responses. For instance, services such as Systems Manager documents and Lambda functions that trigger automatically based on items found in logs mean no person needs to respond. The response happens before anyone can even turn on their computer.

It all begins with having a plan. A playbook with scripted steps that you or other team members can follow can relieve the stress of an event. An automated runbook or predefined templates (such as CloudFormation templates...

Managing your environment with AWS Config

Moving through the Incident Response Domain, you have now come to the next critical service that you need to know about, one that will help show you what has changed after an incident has occurred—AWS Config.

AWS Config and its configuration recorder can help you take a real-time inventory of most of the resources in a single account running in a single region or can be configured to collate data across multiple regions and even multiple accounts.

The service provides even greater functionality when it comes to security. For organizations that need to maintain a compliance security standard, AWS Config can evaluate your resources instantly or on a fixed schedule and, with the help of Config Rules, determine whether they are in or out of compliance. If they are found out of compliance, you can use a combination of Lambda and Systems Manager to automate remediations to either destroy items that do not meet the compliance standards...

Technical Requirements

You will require access to the AWS Console with an active account along with AWS CLI access. It is also helpful to have an understanding of coding concepts for when you go through the remediation code presented in this chapter.

The task of internal compliance and audit teams

Traditionally, security and compliance teams have spent a great deal of time manually managing systems compliance information and taking steps to improve compliance. As a security architect or engineering team member, a part of your responsibility is to prepare the working environment (in this case, the AWS Cloud) so that, when an audit takes place, the necessary information is available. These tasks fall upon a small number of highly specialized individuals. This makes managing compliance manually a burdensome and time-consuming task that is much better automated with the use of specialized tools. After all, a manual process is not scalable in the cloud, especially as the number of accounts grows to tens or hundreds and the number of resources you need to keep track of scales exponentially with each account.

Preparing items for compliance and auditing is an annual event in a traditional IT account. This usually becomes the priority...

Understanding your AWS environment through AWS Config

With the number of services rising each year in AWS, it’s easy to comprehend how difficult it can be to understand what resources you might be running within your environment. How can you keep up with which instances you have running, where they are running, what they are running, and whether the resources are still needed? You might be running infrastructure that is no longer required but was overlooked among thousands of other virtual devices in production.

With a vast network of resources running within your account, do you have a clear understanding as to which resource is connected to which? What ENI is connected to which instance? Which subnet is that instance running in? Which subnets are connected to which VPCs? Do you have a logical mapping of infrastructure that quickly and easily allows you to identify a blast radius should an incident occur or visibility into resource dependencies should you change your configuration?

On top of...

Remediating non-compliant resources with Config

If you would like to take an automated approach to fixing items that are out of compliance, AWS lets you do this for the resources that Config Rules evaluate. Systems Manager Automation documents carry out the remediation actions.

There are several predefined automatic remediations that you can select from, or you can create custom remediations to suit your organization’s needs.

Real-life example of using automated remediations

Suppose you are part of a company that has developed an organization-wide policy that says no EBS volume can be created without encryption. In that case, this is the perfect opportunity for automatic remediation. First, you would create a rule that checks whether a volume is encrypted and is triggered when the resource is created. If the resource failed to meet this standard, you could create a custom Systems Manager Automation document that would instantly destroy that EBS volume...
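The detection half of that scenario, as an added example that is not the book's own code: a Lambda-backed custom Config rule that receives the configuration item for a newly created AWS::EC2::Volume, reads its encrypted flag, and reports COMPLIANT or NON_COMPLIANT back to Config, which is what a Systems Manager Automation remediation would then act on. The sample event at the bottom is constructed, and the config_client parameter is an assumption added so the logic can be exercised without AWS credentials.

```python
import json

EBS_VOLUME = "AWS::EC2::Volume"
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")


def evaluate_compliance(item: dict) -> tuple:
    """Classify one Config configuration item for the EBS encryption rule."""
    if item.get("resourceType") != EBS_VOLUME:
        return "NOT_APPLICABLE", "Rule only evaluates EBS volumes"
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "Volume no longer exists"
    # The AWS::EC2::Volume configuration carries an 'encrypted' boolean.
    if (item.get("configuration") or {}).get("encrypted") is True:
        return "COMPLIANT", "EBS volume is encrypted"
    return "NON_COMPLIANT", "EBS volume was created without encryption"


def build_evaluation(event: dict) -> dict:
    """Turn a Config rule invocation event into one put_evaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance_type, annotation = evaluate_compliance(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Lambda entry point; config_client is injectable so the logic runs offline."""
    if config_client is None:
        import boto3  # only needed inside Lambda
        config_client = boto3.client("config")
    evaluation = build_evaluation(event)
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: an unencrypted volume reported at creation time.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": EBS_VOLUME, "resourceId": "vol-0example",
        "configurationItemStatus": "ResourceDiscovered",
        "configurationItemCaptureTime": "2024-04-01T00:00:00.000Z",
        "configuration": {"encrypted": False, "volumeType": "gp3"}}}),
    "resultToken": "constructed-token",
}
```

Deleted volumes are reported as NOT_APPLICABLE rather than NON_COMPLIANT so that a remediation that destroys the volume does not leave a stale finding behind.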

Multi-Account and Multi-Region Data Aggregation with AWS Config

Many companies and organizations have moved past a single-account structure and have multiple accounts and organizational units powered by AWS Organizations. You can collect all the compliance data and account configurations using an aggregator.

An aggregator in AWS Config is a type of resource that allows you to collect compliance data and configurations if you have any of the following scenarios:

If you have only a single account but need a multi-region setup, then you need to use an aggregator to collect the data from all regions and present a unified view.

If you have multiple accounts and multiple regions and you want to present the findings in a unified view, then an aggregator can collect the information from all the accounts and store it in a single location.

If you are running your accounts via AWS organizations and you want to assemble all the data, then using the aggregator makes finding trends across...
