

# Types of security controls


There are four main types of security controls:
+ [Preventative controls](preventative-controls.md) – These controls are designed to prevent an event from occurring.
+ [Proactive controls](proactive-controls.md) – These controls are designed to prevent the creation of noncompliant resources.
+ [Detective controls](detective-controls.md) – These controls are designed to detect, log, and alert after an event has occurred.
+ [Responsive controls](responsive-controls.md) – These controls are designed to drive remediation of adverse events or deviations from your security baseline.

An effective security strategy includes all four types of security controls. Preventative controls are a first line of defense that helps prevent unauthorized access or unwanted changes to your network, but it is important to establish detective and responsive controls as well, so that you know when an event occurs and can take immediate and appropriate action to remediate it. Proactive controls add another layer of security: they complement preventative controls, which are generally stricter in nature.

The following sections describe each type of control in more detail. They discuss the objectives, implementation process, use cases, technological considerations, and target outcomes of each control type.

# Preventative controls


*Preventative controls* are security controls that are designed to prevent an event from occurring. These guardrails are a first line of defense to help prevent unauthorized access or unwanted changes to your network. An example of a preventative control is an AWS Identity and Access Management (IAM) role that has read-only access because it helps prevent unintended write actions from unauthorized users.

**Topics**
+ [Objectives](#preventative-objectives)
+ [Process](#preventative-process)
+ [Use cases](#preventative-use-cases)
+ [Technology](#preventative-technology)
+ [Business outcomes](#preventative-business-outcomes)

## Objectives


The primary purpose of preventative controls is to minimize the likelihood of a threat event occurring. The control should help prevent unauthorized access to the system and help prevent unintentional changes from affecting the system. The following are the objectives of preventative controls:
+ **Segregation of duties** – Preventative controls can establish logical boundaries that limit privileges, allowing permissions to perform only specific tasks in designated accounts or environments. Examples include:
  + Segmenting workloads to different accounts for specific services
  + Separating accounts into isolated production, development, and test environments
  + Delegating access and responsibilities to multiple entities to perform specific functions, such as using IAM roles or assumed roles to allow only specific job functions to perform certain actions
+ **Access control** – Preventative controls can consistently grant or deny access to resources and data in the environment. Examples include:
  + Preventing users from exceeding their intended permissions, known as *privilege escalation*
  + Restricting access to applications and data to only authorized users and services
  + Keeping the administrator group small
  + Avoiding use of the root user credentials
+ **Enforcement** – Preventative controls can help your company adhere to its policies, guidelines, and standards. Examples include:
  + Locking configurations that serve as the minimum security baseline
  + Implementing additional security measures, such as multi-factor authentication
  + Avoiding nonstandard tasks and actions that are performed by unapproved roles

## Process


*Preventative control mapping* is the process of mapping controls to requirements and using policies to implement those controls by restricting, disabling, or blocking actions. When mapping controls, consider the effect they have on the environment, resources, and users. The following are best practices for mapping controls:
+ Strict controls that disallow an activity should be mapped to production environments where the action requires review, approval, and change processes.
+ Development or contained environments might have fewer preventative controls in order to provide the agility to build and test.
+ The classification of data, risk level of an asset, and risk management policy dictate the preventative controls.
+ Map to existing frameworks as evidence of compliance with standards and regulations.
+ Implement preventative controls by geographical location, environment, accounts, networks, users, roles, or resources.

## Use cases


### Data handling


A role is created that can access all data in an account. If that data includes sensitive, encrypted data, such overly permissive privileges might present a risk, depending on which users or groups can assume the role. By using a key policy in AWS Key Management Service (AWS KMS), you control who can use the key and therefore who can decrypt the data, independently of the permissions that the role's IAM policy grants.

### Privilege escalation


If administrative and write permissions are assigned too broadly, a user can circumvent the limits of their intended permissions and grant themselves additional privileges. The user who creates and manages a role can assign a *permissions boundary*, which defines the maximum allowable privileges for the role. To make the boundary mandatory rather than optional, allow the iam:CreateRole and iam:CreateUser actions only when the iam:PermissionsBoundary condition key matches your approved boundary policy, so that a delegated administrator cannot create an entity without it.

### Workload lockdown


If your business does not have a foreseeable need to use specific services, enable a *service control policy* that limits which services can operate in an organization’s member accounts or restricts services based on the AWS Region. This preventative control can reduce the scope of impact if a threat actor manages to compromise and access an account in your organization. For more information, see [Service control policies](#scps) in this guide.

### Impact to other applications


Preventative controls can enforce the use of services and features, such as IAM, encryption, and logging, in order to meet the security requirements of your applications. You can also use these controls to help protect against vulnerabilities by limiting the actions that a threat actor can exploit due to unintentional errors or misconfiguration.

## Technology


### Service control policies


In AWS Organizations, [service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) (SCPs) define the maximum available permissions for member accounts in an organization. These policies help accounts stay within the access control guidelines of the organization. Note the following when designing SCPs for your organization:
+ SCPs are preventative controls because they define and enforce the maximum allowable permissions for IAM roles and users in the organization’s member accounts.
+ SCPs affect only the IAM roles and users in the member accounts of the organization. They do not affect users and roles in the management account of the organization, and they do not restrict service-linked roles.
+ An SCP never grants permissions on its own. A principal still needs an identity-based policy that allows the action, and an explicit deny in an SCP always wins over any allow.

You can make an SCP more granular by restricting the AWS Regions in which actions are allowed, for example with a Deny statement that uses the aws:RequestedRegion condition key and exempts global services such as IAM.

### IAM permissions boundaries


In AWS Identity and Access Management (IAM), a [permissions boundary](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) sets the maximum permissions that an identity-based policy can grant to an IAM entity (a user or role). The entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundary. Note the following when using permissions boundaries:
+ You can use an AWS managed policy or a customer managed policy as the boundary for an IAM entity.
+ A permissions boundary does not grant permissions on its own. It only limits the permissions that identity-based policies grant to the IAM entity.
+ A permissions boundary limits identity-based permissions only. It does not limit what a resource-based policy grants to the user directly, and SCPs continue to apply on top of it.
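The following Python example, added here and not part of this guide or of AWS, shows how the layers described above combine for a single request. The SCP, permissions boundary, and identity policy are constructed for the example, and the evaluator is a deliberate simplification of IAM policy evaluation: it models Action, NotAction, Resource, and string conditions only, and it ignores resource-based and session policies.

```python
"""Simplified policy evaluation showing how an SCP, a permissions boundary and
an identity-based policy combine. Constructed example, not AWS code: only
Action/NotAction, Resource, Effect and string conditions are modelled."""
import fnmatch

# Constructed SCP for member accounts: allow everything, then deny any
# request outside two approved Regions, exempting global services.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}
            },
        },
    ],
}

# Constructed permissions boundary for developer roles: S3 and DynamoDB only.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
}

# Constructed identity-based policy attached to a developer role. It is broader
# than the boundary on purpose, to show the boundary capping it.
IDENTITY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances", "iam:CreateUser"], "Resource": "*"}
    ],
}


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and ARN matching is wildcard-based; action names are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.
    As in IAM, StringNotEquals on an absent key evaluates to true."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            hit = context.get(key) in _as_list(expected)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:
            action_hit = not _matches(stmt["NotAction"], action)
        if not action_hit or not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny wins immediately
        verdict = "Allow"
    return verdict


def is_allowed(action, resource="*", context=None, scp=SCP, boundary=BOUNDARY, identity=IDENTITY):
    """An action is allowed only when no layer denies it and every layer that
    applies allows it. Pass scp=None to model a management-account principal
    (SCPs do not apply there) or boundary=None for an entity without one."""
    layers = [p for p in (scp, boundary, identity) if p is not None]
    verdicts = [evaluate_policy(p, action, resource, context or {}) for p in layers]
    return "Deny" not in verdicts and all(v == "Allow" for v in verdicts)
```

Two cases are worth noting. The action iam:CreateUser passes the SCP because IAM is exempted from the Region restriction, but the permissions boundary still stops it; and with scp=None, which models a principal in the management account, the Region restriction disappears entirely, which is one reason to keep workloads out of the management account.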

## Business outcomes


### Time savings

+ By adding automation after you set up preventative controls, you can reduce the need for manual intervention and reduce the frequency of errors.
+ Using permission boundaries as a preventative control helps security and IAM teams focus on critical tasks, such as governance and support.

### Regulatory compliance

+ Companies might need to comply with internal or industry regulations. These might be regional restrictions, user and role restrictions, or service restrictions. SCPs can help you stay compliant and avoid violation penalties.

### Risk reduction

+ With growth, the number of requests to create and manage new roles and policies increases. It becomes more challenging to understand the context of what is required to manually create the permissions for each application. Establishing preventative controls acts as a baseline and helps prevent users from performing unintended actions, even if they were accidentally given access.
+ Applying preventative controls to access policies provides an additional layer to help protect data and assets.

# Proactive controls


*Proactive controls* are security controls that are designed to prevent the creation of noncompliant resources. These controls can reduce the number of security events that responsive and detective controls must handle. They evaluate resources for compliance before deployment; a resource that fails the evaluation is never deployed, so there is no detection event that requires a response or remediation.

For example, you might have a detective control in place that notifies you if an Amazon Simple Storage Service (Amazon S3) bucket becomes publicly accessible. You might also have a responsive control that remediates it. Although you already have these two controls in place, you can add another layer of protection by adding a proactive control. Through AWS CloudFormation, the proactive control can prevent the creation or update of any S3 bucket that has public access enabled. Threat actors could still bypass this control by deploying or modifying resources outside of CloudFormation, for example through the console or the API. In that case, the detective and responsive controls would catch and remediate the security event.

**Topics**
+ [Objectives](#proactive-objectives)
+ [Process](#proactive-process)
+ [Use cases](#proactive-use-cases)
+ [Technology](#proactive-technology)
+ [Business outcomes](#proactive-business-outcomes)

## Objectives

+ Proactive controls help you improve security operations and quality processes.
+ Proactive controls can help you adhere to security policies, standards, and regulatory or compliance obligations.
+ Proactive controls can prevent the creation of noncompliant resources.
+ Proactive controls can reduce the number of security findings.
+ Proactive controls provide another layer of protection against threat actors who bypass preventative controls and attempt to deploy noncompliant resources.
+ In combination with preventative, detective, and responsive controls, proactive controls can help you address potential security incidents.

## Process


Proactive controls complement preventative controls. Proactive controls reduce your organization's security risk and enforce the deployment of compliant resources. These controls evaluate resource compliance before the resource is created or updated. Proactive controls are generally implemented by using CloudFormation hooks. If the resource fails the proactive control validation, you can choose to either fail the resource deployment or present a warning message. The following are some tips and best practices for building proactive controls:
+ Make sure that proactive controls are mapped to your organization’s compliance requirements.
+ Make sure that proactive controls follow security best practices for the associated service.
+ Use CloudFormation StackSets or another solution to deploy proactive controls across multiple AWS Regions or accounts.
+ Make sure that the warning or failure message associated with a proactive control is explicit and clear. This helps developers understand the reason why the resource did not pass the evaluation.
+ When building new proactive controls, start in observe mode. This means that you send a warning message instead of failing the resource deployment. This helps you understand the impact of the proactive control.
+ Enable logging in Amazon CloudWatch Logs for proactive controls.
+ If you need to monitor the invocation of a specific proactive control, use an Amazon EventBridge rule and subscribe to invocation events for the CloudFormation hook.

## Use cases

+ Prevent deployment of noncompliant resources
+ Meet compliance requirements
+ Improve code quality by enforcing remediation of a security issue before deployment
+ Reduce operational downtime associated with remediating security issues after deployment

## Technology


### CloudFormation hooks


[AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html) helps you set up AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle across AWS accounts and Regions. [CloudFormation hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html) proactively evaluate the configuration of your CloudFormation resources before they are provisioned. If the hook finds a noncompliant resource, it returns a failure status. Depending on the hook's configured failure mode, CloudFormation then fails the operation or presents a warning that allows the user to continue with the deployment. You can use publicly available hooks, or you can develop your own.
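The following Python Lambda function, added as an example and not taken from AWS or from this guide, implements the S3 proactive control discussed in the Process section and in the introduction above: it evaluates an AWS::S3::Bucket before provisioning and returns a NonCompliant failure when Block Public Access or default encryption is missing. The input field names (targetName, targetLogicalId, targetModel.resourceProperties, clientRequestToken) and response field names (hookStatus, errorCode, message) follow the Lambda hook contract as the author recalls it and are an assumption to confirm against the current hooks documentation; the sample events are constructed.

```python
"""Proactive control for a CloudFormation Lambda hook that evaluates
AWS::S3::Bucket resources before they are created or updated. Added example,
not AWS code. ASSUMPTION: the input fields (targetName, targetLogicalId,
targetModel.resourceProperties, clientRequestToken) and the response fields
(hookStatus, errorCode, message) follow the hook contract as recalled by the
author; confirm against the current CloudFormation hooks documentation."""

REQUIRED_BLOCKS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def evaluate_bucket(properties):
    """Return the violations found in one bucket's resource properties."""
    violations = []
    pab = properties.get("PublicAccessBlockConfiguration") or {}
    missing = [k for k in REQUIRED_BLOCKS if pab.get(k) is not True]  # absent means false
    if missing:
        violations.append("PublicAccessBlockConfiguration must set " + ", ".join(missing) + " to true")
    encryption = properties.get("BucketEncryption") or {}
    if not encryption.get("ServerSideEncryptionConfiguration"):
        violations.append("BucketEncryption.ServerSideEncryptionConfiguration is required")
    return violations


def hook_handler(event, context=None):
    """Lambda entry point. Returns FAILED/NonCompliant on violations; whether
    CloudFormation then fails the operation or only warns is decided by the
    hook's configured failure mode, not by this code."""
    token = event.get("clientRequestToken")
    if event.get("targetName") != "AWS::S3::Bucket":
        return _response(token, "SUCCESS", "resource type not in scope for this hook")
    properties = (event.get("targetModel") or {}).get("resourceProperties") or {}
    violations = evaluate_bucket(properties)
    if not violations:
        return _response(token, "SUCCESS", "bucket configuration is compliant")
    # An explicit message tells the developer exactly what to fix.
    message = f"{event.get('targetLogicalId')}: " + "; ".join(violations)
    return _response(token, "FAILED", message, error_code="NonCompliant")


def _response(token, status, message, error_code=None):
    response = {"hookStatus": status, "message": message, "clientRequestToken": token}
    if error_code:
        response["errorCode"] = error_code
    return response


def sample_event(properties, logical_id="DataBucket"):
    """Constructed hook invocation (field names are the assumption noted above)."""
    return {
        "clientRequestToken": "constructed-token",
        "invocationPoint": "CREATE_PRE_PROVISION",
        "targetName": "AWS::S3::Bucket",
        "targetType": "RESOURCE",
        "targetLogicalId": logical_id,
        "targetModel": {"resourceProperties": properties},
    }


COMPLIANT_BUCKET = {
    "PublicAccessBlockConfiguration": {k: True for k in REQUIRED_BLOCKS},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}
OPEN_BUCKET = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}

if __name__ == "__main__":
    print(hook_handler(sample_event(COMPLIANT_BUCKET)))
    print(hook_handler(sample_event(OPEN_BUCKET, "WebsiteBucket")))
```

Observe mode, as recommended in the Process section, is not a code path: keep the handler returning FAILED and set the hook's failure mode to WARN in its configuration, then switch to FAIL once the warnings show no unexpected impact. The handler only sees CloudFormation operations, so a bucket created from the console or the API is never evaluated; that gap is what the detective and responsive controls cover.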

### AWS Control Tower


[AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) helps you set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower offers preconfigured [proactive controls](https://docs.aws.amazon.com/controltower/latest/userguide/proactive-controls.html) that you can enable in your landing zone. If your landing zone is set up using AWS Control Tower, you can use these optional proactive controls as a starting point for your organization. You can build additional, custom proactive controls in CloudFormation as needed.

## Business outcomes


### Less human effort and error


Proactive controls reduce the risk of human error that leads to the deployment of noncompliant resources. They also reduce human effort later in the development cycle because they make developers consider resource security prior to deployment. This applies the *shift left* practice to building secure resources because it forces compliance earlier in the development lifecycle.

### Reduced costs


It is generally more expensive to fix a security issue after deployment. Identifying and fixing issues earlier in the development cycle reduces the cost of development.

### Time savings


Because proactive controls prevent the deployment of noncompliant resources, they reduce the amount of time you spend triaging and fixing security issues. They also reduce the number of security findings that detective controls would otherwise identify later in the development cycle.

### Regulatory compliance


If your organization needs to comply with internal or industry regulations, proactive controls can help you stay compliant and avoid violation penalties.

### Risk reduction


Proactive controls help developers deploy compliant and more securely built resources, so proactive controls reduce your organization's security risk.

# Detective controls


*Detective controls* are security controls that are designed to detect, log, and alert after an event has occurred. Detective controls are a foundational part of governance frameworks. These guardrails are a second line of defense, notifying you of security issues that bypassed the preventative controls.

For example, you might apply a detective control that detects and notifies you if an Amazon Simple Storage Service (Amazon S3) bucket becomes publicly accessible. You might have preventative controls in place that block public access to S3 buckets at the account level and that deny changes to that setting through SCPs. A threat actor can still get around these controls, for example by using administrative credentials for a principal that the SCP does not govern, such as a user in the management account, or by changing a setting that no SCP protects. In these situations, a detective control can alert you to the misconfiguration and the potential threat.

**Topics**
+ [Objectives](#detective-objectives)
+ [Process](#detective-process)
+ [Use cases](#detective-use-cases)
+ [Technology](#detective-technology)
+ [Business outcomes](#detective-business-outcomes)

## Objectives

+ Detective controls help you improve security operations processes and quality processes.
+ Detective controls help you meet regulatory, legal, or compliance obligations.
+ Detective controls provide security operations teams with visibility to respond to security issues, including advanced threats that bypass the preventative controls.
+ Detective controls can help you identify the appropriate response to security issues and potential threats.

## Process


You implement detective controls in two phases. First, you set up the system to log events and resource states to a centralized location, such as Amazon CloudWatch Logs. After centralized logging is in place, you analyze those logs to detect anomalies that might indicate a threat. Each analysis is a control that maps back to your original requirements and policies. For example, you can create a detective control that searches the logs for a specific pattern and generates an alert when it matches. Security teams use detective controls to improve their overall visibility into the threats and risks that their systems might be exposed to.

## Use cases


### Detection of suspicious behavior


Detective controls help identify any anomalous activity, such as compromised privileged user credentials or access to or exfiltration of sensitive data. These controls are important reactive factors that can help your company identify and understand the scope of anomalous activity.

### Detection of fraud


These controls help detect and identify a threat inside your company, such as a user who is circumventing policies and performing unauthorized transactions.

### Compliance


Detective controls help you meet compliance requirements, such as Payment Card Industry Data Security Standard (PCI DSS), and can help prevent identity theft. These controls can help you discover and protect sensitive information that is subject to regulatory compliance, such as personally identifiable information.

### Automated analysis


Detective controls can automatically analyze logs to detect anomalies and other indicators of unauthorized activity.

You can automatically analyze logs from different sources, such as AWS CloudTrail logs, [VPC Flow Logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html), and Domain Name System (DNS) logs, for indications of potentially malicious activity. To simplify triage, aggregate security alerts or findings from multiple AWS services in a centralized location.
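The following Python example, added here and not part of this guide, is a small detective control of the kind described in the Process section and above: three pattern rules and one threshold rule, run over CloudTrail records. The records are constructed to resemble CloudTrail's JSON (event names, userIdentity, responseElements) and are not real logs; the brute-force threshold and window are assumptions.

```python
"""Detective control over CloudTrail records: three pattern rules and one
threshold rule. Added example, not AWS code; the records are constructed to
resemble CloudTrail JSON and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                    # failed console logins from one IP
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # within this sliding window


def _ts(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _finding(record, rule, severity, detail):
    return {"rule": rule, "severity": severity, "eventID": record.get("eventID"),
            "eventName": record.get("eventName"),
            "sourceIPAddress": record.get("sourceIPAddress"), "detail": detail}


def rule_root_activity(record):
    # Root credentials used directly; invokedBy marks an AWS service acting for root.
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root" and not ident.get("invokedBy"):
        return _finding(record, "RootAccountUsed", "HIGH", "root credentials used")
    return None


def rule_console_login_without_mfa(record):
    if record.get("eventName") != "ConsoleLogin":
        return None
    success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
    if success and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        return _finding(record, "ConsoleLoginWithoutMFA", "MEDIUM", "console login without MFA")
    return None


def rule_public_access_block_weakened(record):
    # Bucket-level and account-level API names both appear in CloudTrail.
    if record.get("eventName") not in ("PutBucketPublicAccessBlock", "PutPublicAccessBlock"):
        return None
    cfg = record.get("requestParameters", {}).get("PublicAccessBlockConfiguration", {})
    disabled = sorted(k for k, v in cfg.items() if v is False)
    if disabled:
        return _finding(record, "PublicAccessBlockWeakened", "HIGH", "disabled: " + ", ".join(disabled))
    return None


PATTERN_RULES = (rule_root_activity, rule_console_login_without_mfa, rule_public_access_block_weakened)


def rule_console_brute_force(records):
    """Threshold rule: at least BRUTE_FORCE_THRESHOLD failed ConsoleLogin events
    from one source IP inside BRUTE_FORCE_WINDOW. One finding per offending IP."""
    failures = defaultdict(list)
    for r in records:
        if r.get("eventName") == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[r.get("sourceIPAddress")].append(r)
    findings = []
    for ip, attempts in failures.items():
        attempts.sort(key=_ts)
        for start in attempts:
            window = [a for a in attempts if 0 <= (_ts(a) - _ts(start)).total_seconds() <= BRUTE_FORCE_WINDOW.total_seconds()]
            if len(window) >= BRUTE_FORCE_THRESHOLD:
                findings.append(_finding(window[-1], "ConsoleBruteForce", "HIGH",
                                         f"{len(window)} failed logins from {ip} within {BRUTE_FORCE_WINDOW}"))
                break
    return findings


def analyze(records):
    """Run every rule over the records and return the list of findings."""
    findings = []
    for r in records:
        for rule in PATTERN_RULES:
            f = rule(r)
            if f:
                findings.append(f)
    findings.extend(rule_console_brute_force(records))
    return findings


def _record(event_id, time, name, ip, **extra):
    """Constructed CloudTrail-like record; not from a real trail."""
    rec = {"eventID": event_id, "eventTime": time, "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": "alice"}}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _record("e1", "2024-05-01T10:00:00Z", "ConsoleLogin", "198.51.100.7",
            responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _record("e2", "2024-05-01T10:05:00Z", "PutBucketPublicAccessBlock", "198.51.100.7",
            requestParameters={"bucketName": "data-lake", "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": False, "BlockPublicPolicy": False,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}),
    _record("e3", "2024-05-01T10:06:00Z", "DescribeInstances", "198.51.100.7", userIdentity={"type": "Root"}),
    _record("e4", "2024-05-01T12:00:00Z", "ConsoleLogin", "192.0.2.4",
            responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
] + [
    _record(f"f{i}", f"2024-05-01T11:0{i}:00Z", "ConsoleLogin", "203.0.113.9",
            responseElements={"ConsoleLogin": "Failure"}) for i in range(6)
]
```

In a deployment, analyze would run over records read from a CloudTrail log file in Amazon S3 or from a CloudWatch Logs subscription, and each finding would be forwarded to Security Hub CSPM or a SIEM. The root-activity rule ignores records where invokedBy is set, because AWS services that act on the root user's behalf would otherwise generate noise, and the pattern rules are kept stateless so that they map one-to-one onto a requirement.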

## Technology


A common detective control is implementing one or more monitoring services, which can analyze data sources, such as logs, to identify security threats. In the AWS Cloud, you can analyze sources such as AWS CloudTrail logs, Amazon S3 access logs, and Amazon Virtual Private Cloud flow logs to help detect unusual activity. AWS security services, such as Amazon GuardDuty, Amazon Detective, AWS Security Hub CSPM, and Amazon Macie have built-in monitoring functionalities.

### GuardDuty and Security Hub CSPM


[Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html) uses threat intelligence, machine learning, and anomaly-detection techniques to continuously monitor your log sources for malicious or unauthorized activity. The dashboard provides insights into the real-time health of your AWS accounts and workloads. You can integrate GuardDuty with [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html), a cloud security posture management service that checks for adherence to best practices, aggregates alerts, and enables automated remediation. GuardDuty sends findings to Security Hub CSPM as a way to centralize information. You can further integrate Security Hub CSPM with security information and event management (SIEM) solutions to extend monitoring and alerting capabilities for your organization.

### Macie


[Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html) is a fully managed data security and data privacy service that uses machine learning and pattern matching to help discover and protect sensitive data in AWS. The following are some of the detective controls and features available in Macie:
+ Macie inspects bucket inventory and all objects stored in Amazon S3. This information can be presented in a single dashboard view, providing visibility and helping you evaluate bucket security.
+ For discovering sensitive data, Macie uses built-in, managed data identifiers and also supports custom data identifiers.
+ Macie integrates natively with other AWS services and tools. For example, Macie issues findings as Amazon EventBridge events, which are automatically sent to Security Hub CSPM.

The following are best practices for configuring detective controls in Macie:
+ Enable Macie in all accounts. Designate a delegated Macie administrator account and use AWS Organizations to enable and manage Macie across the member accounts from it.
+ Use Macie to evaluate the security posture of the S3 buckets in your accounts. This helps prevent data loss by providing visibility into data location and access. For more information, see [Analyzing your Amazon S3 security posture](https://docs.aws.amazon.com/macie/latest/user/monitoring-s3-inventory.html) (Macie documentation).
+ Automate discovery of sensitive data in your S3 buckets by running and scheduling automated processing and data discovery jobs. This inspects S3 buckets for sensitive data on a regular schedule.

### AWS Config


[AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) audits and records the compliance of AWS resources. AWS Config discovers existing AWS resources and generates a full inventory, along with the configuration details of each resource. If there are any configuration changes, it records those changes and provides notification. This can help you detect and roll back unauthorized infrastructure changes. You can use AWS managed rules and can create custom rules.

The following are best practices for configuring detective controls in AWS Config:
+ Enable AWS Config for each member account in the organization and for each AWS Region that contains resources that you want to protect.
+ Set up Amazon Simple Notification Service (Amazon SNS) alerts for any configuration changes.
+ Store configuration data in an S3 bucket and use Amazon Athena to analyze it.
+ Automate the remediation of noncompliant resources by using [Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html), a capability of AWS Systems Manager.
+ Use EventBridge or Amazon SNS to set up notifications about noncompliant AWS resources.

### Trusted Advisor


[AWS Trusted Advisor](https://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor.html) can be used as a service for detective controls. Through a set of checks, Trusted Advisor identifies areas where you can optimize your infrastructure, improve performance and security, or reduce costs. Trusted Advisor provides recommendations based on AWS best practices that you can follow to improve your services and resources. Business and Enterprise Support plans provide access to all available checks for the [pillars](https://docs.aws.amazon.com/wellarchitected/latest/framework/the-pillars-of-the-framework.html) of the AWS Well-Architected Framework.

The following are best practices for configuring detective controls in Trusted Advisor:
+ Review the check-level summary.
+ Implement resource-specific recommendations for warning and error states.
+ Check Trusted Advisor frequently to actively review and implement its recommendations.

### Amazon Inspector


[Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html) is an automated vulnerability management service that, after being enabled, continuously scans your workloads for any unintended network exposure or software vulnerabilities. It contextualizes findings into a risk score that can help you determine next steps, such as remediating or confirming compliance status.

The following are best practices for configuring detective controls in Amazon Inspector:
+ Enable Amazon Inspector on all accounts and integrate it into EventBridge and Security Hub CSPM to configure reporting and notifications for security vulnerabilities.
+ Prioritize remediations and other actions based on the Amazon Inspector risk score.

## Business outcomes


### Less human effort and error


You can achieve automation by using infrastructure as code (IaC). Automating the deployment and configuration of monitoring and remediation services reduces the risk of manual error and the time and effort required to scale detective controls. Automation also supports the development of security runbooks and reduces manual operations for security analysts. Regular reviews help you tune the automation and continuously improve the detective controls.

### Appropriate actions against potential threats


Capturing and analyzing events from logs and metrics is crucial to gaining visibility. This helps analysts act on security events and potential threats to help secure your workloads. Being able to quickly identify which vulnerabilities exist helps analysts take appropriate actions to address and remediate them.

### Better incident response and investigative handling


Automation of detective control tools can increase the speed of detection, investigation, and recovery. Automated alerting and notifications based on defined conditions enable security analysts to investigate and respond appropriately. These responsive factors can help you identify and understand the scope of anomalous activity.

# Responsive controls


*Responsive controls* are security controls that are designed to drive remediation of adverse events or deviations from your security baseline. Examples of technical responsive controls include patching a system, quarantining a virus, shutting down a process, or rebooting a system.

**Topics**
+ [Objectives](#responsive-objectives)
+ [Process](#responsive-process)
+ [Use cases](#responsive-use-cases)
+ [Technology](#responsive-technology)
+ [Business outcomes](#responsive-business-outcomes)

## Objectives

+ Responsive controls can help you create runbooks for common types of attacks, such as phishing or brute force.
+ Responsive controls can implement automated responses to potential security issues.
+ Responsive controls can automatically remediate unintended or unapproved actions on AWS resources, such as deleting unencrypted S3 buckets.
+ Responsive controls can be orchestrated to work with preventative and detective controls to create a holistic and proactive approach for addressing potential security incidents.

## Process


Detective controls are a prerequisite for establishing responsive controls. You must be able to detect the security issue before you can remediate it. You can then define a policy or response for the issue. For example, in the event of a brute force attack, you document a remediation process. After the remediation process exists, you can automate it as a script, for example in a shell or in Python, and run it in response to the detection.

Consider whether the responsive control might break an existing production workload. For example, if the detective security control is *S3 buckets must not be publicly accessible* and the remediation is *turn off public access for Amazon S3*, this could have significant implications for your company and its customers. If the S3 bucket is serving a public website, turning off public access could create an outage. Databases are a similar example. If a database must not be publicly accessible through the internet, turning off public access could affect connectivity to the application.

## Use cases

+ Automatic response to detected security events
+ Automatic remediation of detected security vulnerabilities
+ Automated recovery control to reduce operational downtime

## Technology


### Security Hub CSPM


[AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) automatically sends all new findings and all updates of existing findings to EventBridge as events. You can also create custom actions that send selected findings and insight results to EventBridge. You can configure EventBridge to respond to each type of event. The event can initiate an AWS Lambda function that performs the remediation action.
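The following Python example, added here and not part of this guide or of AWS, is a remediation Lambda function for the EventBridge integration just described, combined with the workload-safety check recommended in the Process section: it reads the bucket ARNs from a Security Hub finding, skips buckets that carry an approval tag (PublicAccessApproved is an assumed tag name, not an AWS convention), and re-enables Block Public Access on the rest. The FakeS3 client and the sample event are constructed so that the example runs offline.

```python
"""Responsive control: a Lambda function that receives a Security Hub finding
from EventBridge and re-enables S3 Block Public Access on the bucket, with an
exemption check so that an intentionally public bucket (a static website, say)
is not broken. Added example, not AWS code. The exemption tag name and the
FakeS3 client are assumptions that let the module run offline."""

EXEMPTION_TAG = "PublicAccessApproved"   # assumed convention, not an AWS default
ALL_BLOCKED = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def bucket_names_from_finding_event(event):
    """Extract bucket names from a 'Security Hub Findings - Imported' event.
    Each AwsS3Bucket resource carries the bucket ARN in Id (arn:aws:s3:::name)."""
    names = []
    for finding in event.get("detail", {}).get("findings", []):
        for resource in finding.get("Resources", []):
            if resource.get("Type") == "AwsS3Bucket":
                names.append(resource["Id"].rsplit(":::", 1)[-1])
    return names


def _bucket_tags(s3, bucket):
    try:
        tagset = s3.get_bucket_tagging(Bucket=bucket)["TagSet"]
    except Exception as exc:  # a botocore ClientError carries .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code != "NoSuchTagSet":
            raise
        tagset = []
    return {t["Key"]: t["Value"] for t in tagset}


def remediate(event, s3, dry_run=False):
    """Return {bucket: outcome}; outcomes are remediated, would-remediate or skipped-exempt."""
    outcomes = {}
    for bucket in bucket_names_from_finding_event(event):
        if _bucket_tags(s3, bucket).get(EXEMPTION_TAG, "").lower() == "true":
            outcomes[bucket] = "skipped-exempt"   # approved public bucket: do not break it
            continue
        if dry_run:
            outcomes[bucket] = "would-remediate"
            continue
        s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=ALL_BLOCKED)
        outcomes[bucket] = "remediated"
    return outcomes


def lambda_handler(event, context):
    import boto3  # imported lazily so the module also runs offline with FakeS3
    return remediate(event, boto3.client("s3"))


class FakeS3:
    """Offline stand-in for the boto3 S3 client; records the calls it receives."""
    def __init__(self, tags):
        self.tags = tags          # {bucket: {key: value}}
        self.calls = []

    def get_bucket_tagging(self, Bucket):
        if Bucket not in self.tags:
            raise _client_error("NoSuchTagSet")   # what S3 returns for an untagged bucket
        return {"TagSet": [{"Key": k, "Value": v} for k, v in self.tags[Bucket].items()]}

    def put_public_access_block(self, Bucket, PublicAccessBlockConfiguration):
        self.calls.append((Bucket, PublicAccessBlockConfiguration))
        return {}


def _client_error(code):
    err = Exception(code)
    err.response = {"Error": {"Code": code}}
    return err


# Constructed event in the shape EventBridge delivers for imported findings.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Title": "S3 buckets should block public access",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::website-assets"},
                       {"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::finance-exports"}]},
    ]},
}

if __name__ == "__main__":
    client = FakeS3({"website-assets": {EXEMPTION_TAG: "true"}})
    print(remediate(SAMPLE_EVENT, client, dry_run=True))
    print(remediate(SAMPLE_EVENT, client))
```

Run the control with dry_run=True first so that it reports what it would change before it changes anything. The exemption tag is itself a control that needs protecting: a tag-based bypass is only as strong as the permissions on s3:PutBucketTagging, so restrict that action with an SCP or a permissions boundary.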

### AWS Config


[AWS Config](https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html) uses rules to evaluate your AWS resources and helps you remediate noncompliant resources. AWS Config applies remediation using [AWS Systems Manager Automation](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation.html). In Automation documents, you define the actions that you want to perform on resources that AWS Config determines to be noncompliant. After you create Automation documents, you can use them in Systems Manager through the AWS Management Console or by using APIs. You can choose to either manually or automatically remediate noncompliant resources.

## Business outcomes


### Minimize data loss


After a cybersecurity incident, using responsive security controls can help minimize data loss and damage to the system or network. Responsive controls can also help restore critical business systems and processes as quickly as possible, adding to the resilience of your workloads.

### Reduce cost


Automation reduces costs associated with human resources because team members don't have to manually respond to incidents or otherwise manage them on a case-by-case basis.