ECO SIR roles and responsibilities
The following tables describe your (the "Customer") responsibilities compared with our ("AWS") responsibilities for the phases of security incident response (SIR).
Security incident response – Detect Phase
| Activity | Customer |
AWS |
|---|---|---|
Logging, indicators, and monitors | ||
Configuring logs and monitors to enable event management for instances and accounts |
C, I |
R |
Monitoring supported AWS services for security alerts |
I |
R |
Deploying and managing endpoint security tools |
R |
I |
Monitoring for malware on instances using endpoint security |
R |
I |
Notifying customers of detected events through outbound messaging |
I |
R |
Routing notification and subsequent updates to the decision makers for specific accounts and workloads to improve incident response time |
C, I |
R |
Defining, deploying, and maintaining ECO standard detection services such as Amazon GuardDuty and AWS Config |
C, I |
R |
Recording AWS infrastructure change logs |
C |
R |
Implementing and maintaining an allowlist, denylist, and custom detections on supported AWS security services, such as Amazon GuardDuty |
R |
C |
Security incident response – Analyze Phase
| Activity | Customer |
AWS |
|---|---|---|
Investigation and analysis | ||
Performing an initial response for supported security alerts that a supported detection source generated |
I |
R, C |
Using available data to assess false and true positives |
C, I |
R |
Reviewing ECO assessments for false and true positives that ECO shares |
R |
C |
Generating a snapshot of affected instances that ECO shares with the customer, if needed |
I |
R |
Performing forensics tasks such as chain of custody, file system analysis, memory forensics, and binary analysis |
R |
C, I |
Collecting application logs to help with troubleshooting |
C |
R |
Collecting data and logs that are accessible to ECO to help investigate security alerts |
C, I |
R |
Responding to the alerts to help ECO investigate |
R |
C, I |
Engaging SMEs within ECO services on security investigations |
C, I |
R |
Engaging third-party vendors during investigation such as for EPS anti-malware |
R, C, I |
I |
Sharing investigation logs from supported AWS services to customers during an investigation |
I |
R |
Communication | ||
Sending alerts and notifications from ECO detection sources for managed resources |
I |
R |
Managing alerts and notifications for application security events |
C |
R |
Engaging the customer security point of contact during a security incident investigation |
R |
I |
Security incident response – Contain Phase
| Activity | Customer |
AWS |
|---|---|---|
Containment strategy and execution | ||
Deciding on the execution of the agreed containment strategy and agreeing with the consequences that might affect the availability of services during the containment window |
R |
C, I |
Backing up affected systems for further analysis |
C, I |
R |
Containing applications and workloads through application-specific configuration or response activity |
C, I |
R |
Defining the containment strategy based on the security incident and the affected resource |
C, I |
R |
Enabling encryption and secure storage of point-in-time backups of affected systems |
R, C, I |
C |
Executing supported containment actions for AWS resources, including Amazon Elastic Compute Cloud (Amazon EC2) instances, network, and AWS Identity and Access Management (IAM) |
C, I |
R |
Security incident response – Eradicate Phase
| Activity | Customer |
AWS |
|---|---|---|
Eradication strategy and execution | ||
Defining eradication options based on the security incident and the affected resource on customer application workloads |
R |
C, I |
Deciding on the agreed eradication strategy, timing of eradication execution and the consequences |
R |
C, I |
Defining eradication steps based on the security incident and the affected resource on ECO managed workloads |
C, I |
R |
Eradicating and hardening AWS resources including Amazon EC2 instances, network, and IAM |
C, I |
R |
Eradicating and hardening applications and workloads through application-specific configuration or response activity |
R |
I |
Security incident response – Recover Phase
| Activity | Customer |
AWS |
|---|---|---|
Recovery preparation and execution | ||
Configuring backup plans and targets as requested by the customer |
C |
R |
Reviewing backup plans to restore ECO managed workloads |
C |
R |
Performing backup restoration activities for resources of supported AWS services |
I |
R |
Reviewing and confirming backup plans to restore customer applications and workloads post-incident |
R, A |
C, I |
Backing up customer applications, application configurations, and deployment settings to restore customer applications and workloads post-incident |
C, I |
R, A |
Restoring applications and customer workloads through application-specific restoration steps |
R, C |
R, C |
Security incident response – PIR Phase
| Activity | Customer |
AWS |
|---|---|---|
Post incident reporting | ||
Sharing appropriate lessons learned and action items with customer as required |
I |
R, A |