=Paper=
{{Paper
|id=Vol-3826/short6
|storemode=property
|title=Incident response with AWS detective controls (short paper)
|pdfUrl=https://ceur-ws.org/Vol-3826/short6.pdf
|volume=Vol-3826
|authors=Dmytrii Tykholaz,Roman Banakh,Lesya Mychuda,Andrian Piskozub,Roman Kyrychok
|dblpUrl=https://dblp.org/rec/conf/cpits/TykholazBMPK24
}}
==Incident response with AWS detective controls (short paper)==
Incident response with AWS detective controls ⋆
Dmytrii Tykholaz1,†, Roman Banakh1,†, Lesya Mychuda1,†, Andrian Piskozub1,† and Roman Kyrychok2,*,†
1 Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
2 Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudryavska str., 04053 Kyiv, Ukraine
Abstract
Loss of access to an Amazon Web Services (AWS) account can be caused by a variety of factors, ranging
from human errors to hacks. Such incidents can have serious consequences for both companies and
individuals, especially in the context of safeguarding critical data and ensuring business continuity. One of
the most effective strategies for preventing AWS account loss is automating security configurations and
incident response processes. Utilizing AWS Detective Controls tools in combination with deployment
through Terraform addresses these challenges, enhancing security and resilience to potential attacks. The
combined use of AWS Detective Controls and Terraform enables organizations to achieve enhanced
security and efficiently respond to incidents. AWS Detective Controls acts as a constant monitoring
environment, detecting potential threats and giving administrators the ability to quickly react to any
incidents that could cause account loss. Terraform automates security configuration processes across the
entire infrastructure, ensuring unified security rules for all AWS services. With such solutions,
organizations can control their AWS accounts at a more advanced level, reducing the risk of account loss
and ensuring protection against cyber threats. This is especially important in today’s world, where cloud
services play a key role in business processes and data protection. This topic is particularly relevant because
securing information systems in cloud environments such as AWS presents a significant challenge for many
companies. Research into investigating incidents using AWS Detective Controls helps improve awareness
and establish new or improved approaches to detecting various security threats and swiftly responding to
breaches. The results of such research will be useful for any organization using AWS, as well as for
cybersecurity researchers, especially those working to improve the protection of cloud infrastructures.
Keywords
information security, cybersecurity, AWS, account loss, cybersecurity, data protection, incident response, AWS Detective Controls, Terraform, security automation, threat detection, security-as-code, cloud service provider, DevSecOps, cloud environment, breaches
1. Introduction

In developing this research, we built on both previous studies and our own earlier work [1] in protecting cloud infrastructure and access to it. In the research paper [2] the authors proposed a framework for enterprise cloud infrastructure, while researchers in [3] focused on security challenges using a “Security-as-Code” approach. In research [4] the author discusses the impact of decoys involving blockchain technologies on the state of information security of the organization and the process of researching cybercrime, which is very important in cloud computing environments, as after gaining access to an account attackers may launch computing resources for their benefit. Often, to gain access to an account, attackers choose not to attack the system directly but to gain access through the weakest link—a person. In such cases, detecting the attack is much more challenging since access to the resource often looks legitimate [5].

Leveraging insights from these studies, as well as our prior research, we extended their methodologies to address specific gaps in cloud infrastructure deployment and security management, proposing solutions aimed at enhancing security resilience by protecting cloud resources and reducing the amount of misconfiguration that might occur due to manual mistakes [6].

For 2024, stolen credentials are the leading cause of data breaches, accounting for 16% of all incidents with data compromised, and contribute to a significant increase in intellectual property theft, according to the IBM report “Escalating Data Breach Disruption Pushes Costs to New Highs” [7]. These breaches take an average of 10 months to detect and contain, resulting in substantial financial losses.

From 2023 to 2024, several major data breaches occurred, including:

- Critical MOVEit vulnerability led to the compromise of more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and
CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine
∗ Corresponding author.
† These authors contributed equally.
dmytrii.tykholaz.mkbbi.2023@lpnu.ua (D. Tykholaz); roman.i.banakh@lpnu.ua (R. Banakh); lesia.z.mychuda@lpnu.ua (L. Mychuda); andrian.z.piskozub@lpnu.ua (A. Piskozub); r.kyrychok@kubg.edu.ua (R. Kyrychok)
ORCID: 0000-0003-1014-5601 (D. Tykholaz); 0000-0001-6897-8206 (R. Banakh); 0000-0001-8266-1782 (L. Mychuda); 0000-0002-3582-2835 (A. Piskozub); 0000-0002-9919-9691 (R. Kyrychok)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073
Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people [8].
- Boeing incident: Boeing was assessing a claim made by the Lockbit cybercrime gang that it had “a tremendous amount” of sensitive data stolen from them [9].
- AT&T data-specific fields were contained in a data set released on the dark web [10].
- Bank of America data breaches: a data breach exposing the personally identifiable information (PII) of 57,028 customers [11].

Data leaks often result from password theft, which remains one of the most common causes of sensitive data loss [12]. A notable example is the data leak incident involving stolen passwords that hackers used to access user accounts. For example, Boeing’s stolen data was sold on the dark web, giving other cybercriminals access to private information and confidential material [13, 14].

These cases demonstrate that losing access to social media accounts typically results in privacy violations or loss of control over personal information. However, losing access to cloud computing accounts such as AWS can have much more severe consequences. Attackers gaining access to these accounts can not only steal critical data but also alter infrastructure settings, potentially leading to substantial financial losses, business damage, or even the shutdown of critical operations [15].

While password loss can have serious consequences, cloud computing accounts like AWS are particularly vulnerable because they typically grant access to large volumes of data and critical resources. This underscores the importance of not only creating strong passwords but also implementing multi-factor authentication and access control systems to protect such accounts.

1.1. Potential threats of AWS account loss

Amazon Web Services (AWS) is one of the leading cloud computing platforms today—thousands of companies use AWS daily to store and process their data. However, there is a risk of losing access to an AWS account, which could lead to data breaches and severe security violations. Given that AWS is a highly powerful and flexible platform offering a wide range of services and infrastructure for data storage, processing, and deployment of applications online (including more than 200 services), the likelihood of such incidents is quite significant.

Various attack vectors can lead to the loss of an AWS account. Potential threats include:

- Insufficient authentication and authorization.
- Use of weak passwords or poor password management.
- Phishing and spear-phishing attacks.
- Use of unsecured APIs.
- Inadequate network security.
- Weak authentication and authorization mechanisms.

1.1.1. Insufficient authentication and authorization

Authentication and authorization are critical security aspects in AWS. Insufficient authentication can allow an attacker to gain access to an account and take malicious actions. Insufficient authorization enables users to perform unauthorized actions, potentially leading to severe consequences.

To prevent this, AWS’s best practices recommend using multi-factor authentication (MFA) [16]. This requires not only a password but also a code generated on a user’s device. Additionally, AWS offers the use of authorization policies to limit users’ access to resources and services. One of the key services for managing access is Identity and Access Management (IAM) [17]. AWS IAM allows for managing individual users, user groups, and access rights to various AWS account resources.

1.1.2. Use of weak passwords or poor password management

Using weak passwords or improperly storing passwords is also a serious security threat to AWS. If a password lacks sufficient complexity or is stored in an insecure location, an attacker can easily steal it and gain access to an account.

To prevent this, AWS recommends using complex passwords containing various symbols, numbers, and lowercase letters. Furthermore, AWS advises using different passwords for each service and storing them in a secure location, such as a password manager.

1.1.3. Phishing attacks

Phishing and spear-phishing attacks are social engineering techniques used to gain access to accounts. In the context of AWS, attackers send emails or messages that appear to be legitimate communications from AWS or another related service. These messages may contain embedded links to fake websites or malicious software that collects user information.

To avoid such situations, AWS advises users to be cautious with emails and messages from unknown or unverified sources. Additionally, AWS recommends using protection technologies that can detect and block malicious software and websites, such as antivirus and anti-phishing tools.

Inadequate data protection can also lead to the loss of an AWS account. Attackers may gain access to user data through various methods, including password and identity theft. Specifically, attackers may use unsecured networks and exploit software vulnerabilities to access data [18-20]. To prevent this, AWS’s best practices recommend using methods such as encryption, data loss prevention via backups, and monitoring data access. Additionally, AWS recommends using secure networks and reliable communication channels for data transmission [21].

1.1.4. AWS denial of service

AWS may deny service to users who violate service conditions or cause problems for other users. For instance, AWS may suspend accounts involved in criminal activity or spamming. Additionally, if a company or individual does not pay for services, AWS may block the account.

To prevent service denial, AWS encourages users to adhere to service terms and avoid violating platform rules. Additionally, AWS recommends regular payment of bills to prevent account suspension.

1.1.5. Weak authentication and authorization mechanisms

In some cases, AWS users do not adequately support the security of their accounts. For example, users may fail to regularly update software or improperly configure security
policies, which could lead to system security breaches and account loss.

AWS encourages users to regularly update software and properly configure their security policies. Additionally, AWS recommends using various security tools, such as security monitoring, antivirus software, and data loss prevention.

2. Use of AWS detective controls for incident analysis

Given the information in the previous section, it can be concluded that the potential loss of access to an Amazon Web Services (AWS) account can have serious consequences for users, including loss of critical data, significant financial recovery costs, and severe reputational damage for businesses. To avoid such problems, users should follow cybersecurity best practices and utilize tools designed to protect AWS accounts.

Some of the most important tools that ensure security in AWS are detective controls [22], such as CloudTrail [23], VPC Flow Logs [24], GuardDuty [25], and Trusted Advisor [26]. Each of these tools plays a crucial role in maintaining system security.

- CloudTrail allows users to track actions within their accounts and log them. This helps identify suspicious or unauthorized activities, which is a critical component for preventing potential threats.
- VPC Flow Logs monitor network activity, helping detect anomalies that may indicate security threats.
- GuardDuty automatically identifies potential threats and sends security incident alerts, allowing administrators to quickly respond to threats.
- Trusted Advisor helps improve security, optimize AWS service usage, and provides recommendations for enhancing security practices.

According to the AWS “Security Incident Response Guide” [19], organizations using AWS Detective Controls generally reduce the time required to detect and respond to security incidents. The introduction of additional services allows for faster actions to mitigate threats compared to companies not using these tools. Moreover, AWS provides detailed analytics through tools such as AWS Security Hub, which offers convenient reports on security status and vulnerabilities, helping to promptly identify and resolve issues. GuardDuty, in turn, detects unusual activity in the account that could be a sign of possible breaches.

Using these tools can significantly enhance AWS account security, reduce the risk of data loss, and maintain business process stability, making them essential components of a modern cybersecurity strategy.

According to a study by IBM, the cost of detecting and eliminating cyberattacks increases by 13.7% annually on average [27]. However, according to the same study, the use of certain technologies and tools can reduce the cost of eliminating the consequences of cyberattacks from 2.7% to 9.7%.

One of the best practices for using these tools is to regularly check CloudTrail and VPC Flow Logs to identify potential security incidents and monitor network activity. In addition, it is recommended that you set up automatic subscriptions to GuardDuty notifications and regularly check the recommendations from Trusted Advisor to ensure optimal security for your account.

In summary, AWS users should pay close attention to their account security and utilize various tools and best practices to protect their accounts. Among other things, detective controls such as CloudTrail, VPC Flow Logs, GuardDuty, and Trusted Advisor can help identify potential security incidents and prevent their consequences.

In addition, it is recommended that you pay attention to setting up access to AWS resources, using multi-factor authentication, regularly updating passwords, and using data encryption.

2.1. Incident response to account loss and access compromise

Although the use of detective controls significantly reduces the risk of losing access to an AWS account or being hacked, such events can still happen. Therefore, it’s essential to have a well-prepared incident response plan in place to minimize the consequences and quickly regain control over the account while protecting critical data and ensuring business continuity.

Accounts may be compromised for various reasons, including data theft involving login credentials such as usernames and passwords, often resulting from phishing attacks, social engineering, or targeted password attacks. Attackers may also attempt to access accounts by compromising personal keys used for authentication. Stolen or hacked keys can allow attackers to log in to systems without authorization, retrieve confidential information, or even make dangerous changes to infrastructure or software.

Such incidents can lead to significant security breaches, risking confidential data leakage, disruption of critical processes, and damage to reputations. Attackers can exploit these vulnerabilities to alter system settings, modify software, or even block access to essential resources. These actions can result in major financial losses, penalties, a loss of customer trust, and operational delays.

To prevent such scenarios, it’s essential not only to apply control mechanisms but also to have tools ready for a swift incident response. This includes clearly defined steps for identifying and isolating compromised accounts, resetting passwords and keys, and restoring the system to a stable state. Continuous employee training and the implementation of multi-factor authentication also play a key role in reducing risks.

Thus, even with strong security measures like AWS Detective Controls, having a comprehensive incident response plan is critical for companies to react quickly to threats, minimizing the negative impact on their operations.

The first step [28] in responding to account loss or access compromise is stopping the malicious activity. The following actions should be taken to ensure security:

- Change the password or access key: In case of suspicious activity on the account, it’s necessary to immediately change the user’s password or access key. After changing the password or key, all configuration files that use the old password or key should be updated.
- Disable the account: If there is suspicion that attackers have access to the account, it’s critical to disable the account immediately to prevent further damage.
- Contact AWS Support: Upon detecting suspicious activities, users should contact AWS Support and
report possible account loss or compromised security [29].

In response to account loss or compromised access to AWS resources, Amazon Web Services provides an extensive set of tools to ensure system security and protection. After such an incident, it’s important to gather detailed information about what occurred during a specific period across the entire system. This information will help administrators understand when and where the incident happened and assess its impact on systems and security. Elements of detective control can be used for a complete understanding of the events.

One of the most important tools is AWS CloudTrail, which provides detailed logs of user and resource activity within the AWS environment. The service stores activity logs, such as logins, logouts, resource creation and deletion, and data access. CloudTrail logs allow administrators to detect unusual activity, as well as verify and analyze potential security threats. With CloudTrail, you can track who performed what actions in your systems, which helps detect and investigate potential security incidents.

The use of AWS Detective Controls tools can significantly reduce the risk of account loss and unauthorized access to AWS resources. They provide automatic methods for configuring monitoring, auditing, and responding to security events. This allows companies and individual users to ensure maximum security for their accounts and resources within the AWS environment.

2.2. Detective controls for incident analysis

To prevent account loss in the AWS cloud platform and for incident analysis, AWS offers various detective controls. The detection tools provided by the AWS Cloud Platform play an important role in preventing account loss and analyzing security incidents. They help identify unusual or suspicious account activity that may indicate a potential security incident.

The key detective controls offered by AWS include:

- CloudTrail
- VPC Flow Logs
- Amazon GuardDuty
- AWS Trusted Advisor.

CloudTrail is an AWS-managed recording system that provides a detailed audit of actions performed in an account. The service logs all API calls, configuration changes, and user interactions, thereby creating a detailed trace for further analysis and reconstruction of the sequence of events. CloudTrail logs are stored in highly available Amazon S3 storage and can be analyzed using the AWS Management Console or third-party data analysis tools.

VPC Flow Logs is a service that records all network activity that occurs in an Amazon Virtual Private Cloud (VPC), such as incoming and outgoing packets over the network. AWS provides various ways to view VPC Flow Logs. Users can use the AWS VPC Flow Log Console or use third-party tools to analyze and visualize the data.

Amazon GuardDuty is a service that analyzes data from various sources, including CloudTrail activity logs and VPC Flow Logs, to identify potential security incidents. The service uses machine learning algorithms to detect unusual account activity, such as unauthorized access to account resources or configuration changes.

AWS Trusted Advisor is a service that analyzes data from a user’s account and provides recommendations to optimize costs, ensure high availability, and improve the security of the AWS infrastructure environment. Trusted Advisor offers several categories of recommendations, including security, performance, cost, and availability.

These controls allow administrators to detect potential threats and incidents at an early stage and take the necessary steps to prevent account loss and ensure the security of the AWS environment.

In addition to detecting threats and incidents, detective controls also help users gain more detailed information about these events. This can involve changing access settings, performing additional security checks, and collaborating with AWS Support for further investigation and incident response. It’s important to note that detective controls are part of a broader range of security tools provided by AWS. By combining various tools and following best security practices, organizations and companies can enhance the security of their AWS environments and protect their accounts and data.

2.3. Using infrastructure as code to simplify the implementation of detective controls

With the introduction of AWS cloud services, the use of Infrastructure as Code (IaC), or automation tools such as Terraform, is becoming increasingly popular [30]. These tools allow users to manage and scale AWS infrastructure using code [31].

According to a 2021 analysis by Emergen Research, the market size for infrastructure programming tools reached $0.64 billion, and it is expected to grow at a compound annual growth rate (CAGR) of 240% over the next ten years [32]. Revenue is projected to grow from $0.64 billion in 2021 to $4.45 billion by 2030. The main driver of this growth is the demand for better optimization of business operations, necessitating new technological approaches as software systems become increasingly complex and advanced.

Terraform is a tool for automating the deployment of computational infrastructure, which can be used to automate the configuration and management of AWS infrastructure. Terraform supports a wide range of platforms, from major cloud providers like AWS, Azure, and GCP, to smaller platforms such as Hetzner or 1&1. Additionally, it works with software such as Docker, Kubernetes, and Chef, extending its functionality and allowing users to work with these in tandem.

Using Terraform, administrators can create and manage various AWS services, establish security policies, and respond to incidents quickly. One of the key benefits of using Terraform for deploying and managing AWS services is the ability to store the entire infrastructure in code. This simplifies the replication and scaling of infrastructure while ensuring security and preventing human errors. Additionally, Terraform makes it easy to manage more complex infrastructures, including networks, databases, and other services. Tasks addressed with Terraform and other infrastructure automation tools include reducing the risk of human error, efficiently managing infrastructure configuration, and minimizing the time required to provision and scale infrastructure while ensuring compliance with security and regulatory standards.
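Section 2.2 describes CloudTrail as the record of who performed which action and when, and Section 2.1 names the first response step as revoking the compromised password or key. The following Python script is an added example, not code from the paper, from AWS, or from any work it cites: it runs that triage offline over a constructed CloudTrail delivery file, flags logins without MFA, failed logins, new access keys, privilege changes and logging being switched off, builds the per-identity timeline, and derives the list of access keys to revoke. The event names are real CloudTrail values; the watchlist and its severities, the account id, the access key id and the IP addresses are assumptions constructed for the example.

```python
"""Offline triage of CloudTrail records for signs of account compromise.

Added example, not code from the paper or from AWS: reads records in the JSON
shape a trail delivers, flags the indicators named in Sections 2.1 and 2.2,
builds the "who did what, when" timeline, and derives the first containment
step (which access keys to revoke). Every record, account id, key id and IP
address below is constructed for this example.
"""
import json
from collections import defaultdict

# Real CloudTrail eventName values; the category and severity labels are ours.
WATCHLIST = {
    "CreateAccessKey":               ("persistence",     "HIGH"),
    "CreateUser":                    ("persistence",     "HIGH"),
    "AttachUserPolicy":              ("privilege",       "HIGH"),
    "PutUserPolicy":                 ("privilege",       "HIGH"),
    "StopLogging":                   ("defense-evasion", "CRITICAL"),
    "DeleteTrail":                   ("defense-evasion", "CRITICAL"),
    "DeleteDetector":                ("defense-evasion", "CRITICAL"),
    "AuthorizeSecurityGroupIngress": ("configuration",   "MEDIUM"),
}
RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def _rec(time, source, name, user, ip, **extra):
    """Build one constructed CloudTrail record (sample data, not a real log)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, **extra}

# Constructed delivery file: one IAM user logs in without MFA, mints an access
# key and stops the trail; a second user has only a failed login and a routine call.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-10-01T08:00:12Z", "signin.amazonaws.com", "ConsoleLogin", "alice", "203.0.113.7",
         additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _rec("2024-10-01T08:03:40Z", "iam.amazonaws.com", "CreateAccessKey", "alice", "203.0.113.7",
         responseElements={"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}),
    _rec("2024-10-01T08:05:02Z", "cloudtrail.amazonaws.com", "StopLogging", "alice", "203.0.113.7",
         requestParameters={"name": "arn:aws:cloudtrail:us-west-1:123456789012:trail/main"}),
    _rec("2024-10-01T09:15:00Z", "s3.amazonaws.com", "ListBuckets", "bob", "198.51.100.20"),
    _rec("2024-10-01T09:16:00Z", "signin.amazonaws.com", "ConsoleLogin", "bob", "198.51.100.20",
         additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Failure"}),
]})

def parse_records(raw: str) -> list:
    """A CloudTrail delivery file is a JSON object whose 'Records' array holds the events."""
    return json.loads(raw)["Records"]

def actor(rec: dict) -> str:
    """Identity behind an event: user name, else ARN, else the identity type."""
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")

def triage(records: list) -> list:
    """Return one finding dict per suspicious record, in log order."""
    findings = []
    for rec in records:
        name = rec["eventName"]
        base = {"time": rec["eventTime"], "user": actor(rec),
                "ip": rec.get("sourceIPAddress"), "event": name}
        if name == "ConsoleLogin":
            outcome = rec.get("responseElements", {}).get("ConsoleLogin")
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Failure":
                findings.append({**base, "category": "authentication", "severity": "LOW",
                                 "detail": "failed console login"})
            elif mfa != "Yes":  # the paper's MFA recommendation, checked per login
                findings.append({**base, "category": "authentication", "severity": "MEDIUM",
                                 "detail": "console login without MFA"})
        elif name in WATCHLIST:
            category, severity = WATCHLIST[name]
            finding = {**base, "category": category, "severity": severity, "detail": name}
            if name == "CreateAccessKey":  # keep the new key id so it can be revoked
                finding["key"] = rec.get("responseElements", {}).get("accessKey", {}).get("accessKeyId")
            findings.append(finding)
    return findings

def timeline(records: list) -> dict:
    """Per identity, the chronological list of (time, event, source IP)."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[actor(rec)].append((rec["eventTime"], rec["eventName"], rec.get("sourceIPAddress")))
    return {user: sorted(events, key=lambda e: e[0]) for user, events in by_user.items()}

def containment_plan(findings: list, threshold: str = "HIGH") -> dict:
    """First response step: for each identity with a finding at or above the
    threshold, the access keys to revoke and the evidence behind the decision."""
    plan = {}
    for f in findings:
        if RANK[f["severity"]] < RANK[threshold]:
            continue
        entry = plan.setdefault(f["user"], {"keys_to_revoke": [], "reasons": []})
        entry["reasons"].append(f"{f['time']} {f['detail']} from {f['ip']}")
        if f.get("key"):
            entry["keys_to_revoke"].append(f["key"])
    return plan

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for f in triage(recs):
        print(f"{f['severity']:<8} {f['time']} {f['user']:<6} {f['detail']}")
    print(json.dumps(containment_plan(triage(recs)), indent=2))
```

On the sample, the script reports alice's no-MFA login, her new access key and the StopLogging call, and bob's failed login; the containment plan names only alice, with the minted key to revoke. The harmless ListBuckets call is not flagged, and the per-identity timeline shows that the key creation and the disabling of the trail came from the same source address minutes after the MFA-less login, which is the sequence a responder would want to see before rotating credentials.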
This and much more make Terraform a powerful tool for managing infrastructure, both within a single hosting platform and across multiple platforms simultaneously.

In summary, the use of Terraform or other infrastructure automation tools can help administrators more efficiently and securely manage their company’s AWS infrastructure, reduce deployment time, minimize errors, and ensure compliance with security and regulatory standards.

3. Security as code—overview

Security as Code is a relatively new approach that integrates security practices into the software development lifecycle by treating security configurations and policies as code. This methodology enables teams to automate and version control security measures alongside application code, ensuring that security is built-in from the start rather than tacked on later. By embedding security checks into Continuous Integration/Continuous Deployment (CI/CD) pipelines, organizations can proactively identify and remediate vulnerabilities before they reach production. This shift not only fosters a culture of security awareness among developers but also aligns security objectives with business goals, resulting in a more resilient and secure software ecosystem.

3.1. Advantages of security as code

One of the primary advantages of Security as Code is the enhancement of overall security posture through automation. By automating security checks, organizations can reduce the risk of human error and ensure consistent enforcement of security policies across all environments. Additionally, this approach enables faster feedback loops, allowing developers to detect and address vulnerabilities early in the development process, thereby minimizing costly post-release fixes. Furthermore, version control for security configurations facilitates easier auditing and compliance, as teams can track changes and maintain a clear history of security measures. Ultimately, Security as Code promotes collaboration between development and security teams, fostering a more agile and efficient approach to software development while significantly improving security outcomes.

3.2. Disadvantages of security as code

Despite its benefits, Security as Code also presents challenges. One significant disadvantage is the potential for over-reliance on automation, which can lead to complacency among teams. If security checks are automated without proper oversight, critical vulnerabilities may go unnoticed, resulting in security gaps. Additionally, implementing Security as Code requires a cultural shift and the acquisition of new skills, which can be daunting for some organizations. The initial setup of automated security tools can also be resource-intensive, requiring time and investment that may not yield immediate returns. Moreover, integrating these practices into existing workflows may introduce complexity, making it essential to carefully manage the transition to ensure it doesn’t disrupt development processes.

3.3. Difference between manual and automated configuration

Manual configuration involves human intervention to set security policies and controls, which can be time-consuming and prone to human error. Each configuration change requires individual attention, leading to inconsistencies and potential security risks if best practices are not consistently applied. On the other hand, automated configuration employs tools and scripts to enforce security policies systematically and consistently. This approach reduces the likelihood of human error, enhances speed and efficiency, and allows for scalability in managing security across large environments. While manual configuration can offer flexibility in unique scenarios, automated configuration ensures a more uniform and reliable implementation of security measures, critical for maintaining a strong security posture in rapidly evolving software development landscapes.

4. Automating the configuration of some detective controls with Terraform

Although, as mentioned earlier, manually configuring these services is not a complicated process, software-based configuration using Terraform is becoming more common due to the need for flexibility and re-deployment capabilities. The code samples provided below give the basic structure for the setup of each detective control mentioned in this research, with a brief explanation of each step and configuration.

4.1. Using infrastructure as code to set up AWS GuardDuty

```hcl
# Detector in the account the default provider is configured for.
resource "aws_guardduty_detector" "_" {
  enable = true
}

# Delegate GuardDuty administration for the organization to this account.
resource "aws_guardduty_organization_admin_account" "account_id" {
  admin_account_id = "123456789012"
}

# Accept the administrator's invitation so the detector above becomes a member.
resource "aws_guardduty_invite_accepter" "detector" {
  detector_id       = aws_guardduty_detector._.id
  master_account_id = aws_guardduty_detector.primary.account_id
}

# Auto-enable GuardDuty (and the extra data sources) for all organization members.
resource "aws_guardduty_organization_configuration" "example" {
  auto_enable_organization_members = "ALL"
  detector_id                      = aws_guardduty_detector._.id

  datasources {
    s3_logs {
      auto_enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          auto_enable = true
        }
      }
    }
  }
}

# Detector in the primary (administrator) account. Its resource name must differ
# from the member detector above so that aws_guardduty_detector.primary resolves;
# the "aws._" provider alias is assumed to be configured for the primary account.
resource "aws_guardduty_detector" "primary" {
  provider = aws._
}
```
This GuardDuty configuration enables comprehensive threat detection across an AWS organization. The aws_guardduty_detector resource activates GuardDuty for the entire organization, allowing it to monitor and detect potential security threats. To streamline the process, the aws_guardduty_invite_accepter automatically accepts GuardDuty invitations for member accounts, ensuring centralized control over the organization’s security. The organization configuration resource ensures that GuardDuty is automatically enabled for all current and future organization members, while also enabling advanced data source monitoring. This includes automatic logging for S3 access, Kubernetes audit logs for tracking resource access and changes, and malware protection scans on EC2 instances, particularly focusing on EBS volumes. Finally, a secondary aws_guardduty_detector resource configures another detector for use by the primary account for full security coverage.

```hcl
# Create subnet (the aws_vpc.test_vpc resource it references is defined outside this listing)
resource "aws_subnet" "test_subnet" {
  vpc_id            = aws_vpc.test_vpc.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-west-1a"
}

# Create flow log: capture all traffic for the VPC and deliver it to CloudWatch Logs
resource "aws_flow_log" "test_flow_log" {
  iam_role_arn    = aws_iam_role.test_flow_log_role.arn
  traffic_type    = "ALL"
  log_destination = "arn:aws:logs:us-west-1:123456789012:log-group:/aws/vpc/flow-logs"
  vpc_id          = aws_vpc.test_vpc.id
  # A flow log targets exactly one of vpc_id, subnet_id or eni_id; to capture only
  # the subnet above, use the following line instead of vpc_id:
  # subnet_id     = aws_subnet.test_subnet.id
}

# Create IAM role for flow logs (role the flow-log service assumes to write to the log group)
resource "aws_iam_role" "test_flow_log_role" {
  name               = "test-flow-log-role"
  assume_role_policy = <
```
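Once a flow log like the one above is delivered, each record is a space-separated line in the default version-2 format, and Section 2.2 expects those records to reveal anomalies such as probing and unusual transfers. The Python below is an added example, not the paper's code and not an AWS tool: it parses such records offline, discards NODATA and SKIPDATA records that carry no flow fields, and flags an external address probing many ports (a run of REJECT records) and an instance pushing a large volume to an external address. The field order is the documented default format; the sample records, interface id, addresses, account id and thresholds are assumptions constructed for the example.

```python
"""Offline triage of VPC Flow Log records (default version-2 format).

Added example, not code from the paper or from AWS. Every record below is
constructed; the field order is the default flow-log format.
"""
import ipaddress
from collections import defaultdict

# Field order of the default flow-log format, version 2.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Address space treated as "inside": the RFC 1918 ranges, which cover the
# 10.0.1.0/24 subnet in the Terraform above. ipaddress.is_private is not used
# because it also classifies the documentation ranges used in the sample
# (198.51.100.0/24, 203.0.113.0/24) as private, which would hide them.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: six rejected probes from one external host against different
# ports, one large accepted transfer out to an external host, normal database
# traffic inside the VPC, and one NODATA record with no flow fields.
SAMPLE_FLOW_LOG = "\n".join([
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51234 22 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51235 23 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51236 80 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51237 443 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51238 3389 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.77 10.0.1.15 51239 8080 6 3 180 1727769600 1727769660 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.15 203.0.113.9 44321 443 6 9000 734003200 1727769700 1727769760 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.15 10.0.1.22 44322 5432 6 120 16000 1727769700 1727769760 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.22 10.0.1.15 5432 44322 6 118 240000 1727769700 1727769760 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1727769800 1727769860 - NODATA",
])

def parse_flow_log(text: str) -> list:
    """Parse v2 records into dicts; malformed lines and records without flow data are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA: address and counter fields are '-'
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def is_internal(addr: str) -> bool:
    """True when the address lies in one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)

def detect_port_probing(records: list, min_ports: int = 5) -> list:
    """External sources whose rejected connections touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and not is_internal(r["srcaddr"]):
            ports[r["srcaddr"]].add(r["dstport"])
    return [{"type": "port-probe", "src": src, "ports": sorted(p)}
            for src, p in ports.items() if len(p) >= min_ports]

def detect_large_egress(records: list, max_bytes: int = 100 * 1024 * 1024) -> list:
    """Internal-to-external accepted flows whose summed bytes exceed max_bytes."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return [{"type": "large-egress", "src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b > max_bytes]

def triage_flow_log(text: str) -> list:
    """Run both detectors over raw flow-log text and return the findings."""
    records = parse_flow_log(text)
    return detect_port_probing(records) + detect_large_egress(records)

if __name__ == "__main__":
    for finding in triage_flow_log(SAMPLE_FLOW_LOG):
        print(finding)
```

The two thresholds are deliberately parameters: what counts as "many ports" or "too many bytes" depends on the workload behind the interface, and the internal database exchange in the sample is left alone because both endpoints are inside the VPC. Records are summed per source/destination pair across the capture window rather than judged one line at a time, since a flow log splits a long transfer into several records.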