Overview
This Guidance helps you identify vulnerabilities that can affect the availability, performance, or security of your cloud environment. Using this capability, you can assess the impact and scope of threats and vulnerabilities and then quickly address or remediate them. By implementing threat and vulnerability management, you can protect your data and fortify your security posture as your cloud environment grows.
How it works
These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.
Step 1
Establish an incident response team and an incident response plan.
Step 2
Enable Amazon GuardDuty and AWS Security Hub and delegate their administration (through their AWS Organizations integrations) to the Security Tooling account in the security organizational unit (OU). This moves the administration of these tools out of the management account.
Step 3
GuardDuty findings are sent to Security Hub. Use Security Hub in the aggregation AWS Region of your Security Tooling account for a comprehensive view of the security state across your organization and to respond to security incidents.
Step 4
Use AWS Config to deploy a configuration recorder and delivery channel in every operating Region (those not prohibited by your service control policies) in all member accounts, so that assets are identified and tracked. Deploy an AWS Config aggregator in the Security Tooling account to centrally view or query resource configuration and compliance data from AWS Config.
Step 5
Create AWS Config rules, either as detective controls in AWS Control Tower or from AWS Config managed rules, to evaluate your resource configurations and confirm they align with best practices.
Step 6
Enable Amazon Inspector in all accounts in your organization to identify vulnerabilities in Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Elastic Container Registry (Amazon ECR) container images, and AWS Lambda functions. The findings are sent to Security Hub and centralized in the Security Tooling account.
Step 7
Respond to the incident according to your incident response plan. This can include recovering systems, remediating findings, or isolating affected systems. Automated Security Response on AWS provides predefined response and remediation actions based on industry compliance standards.
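Steps 3 through 7 centralize GuardDuty, AWS Config and Inspector findings in Security Hub and then act on them according to the incident response plan. As an added example (not code from this Guidance), the Python below triages a batch of constructed ASFF-style findings into response actions; the severity threshold, the action names and all finding values are assumptions.

```python
import json

# Constructed ASFF-style findings, shaped like those Security Hub centralizes in the
# aggregation Region of the Security Tooling account (sample values, not real findings).
SAMPLE_FINDINGS = json.loads("""[
 {"Id": "gd-1", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "RecordState": "ACTIVE",
  "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"], "Severity": {"Label": "HIGH"},
  "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example1"}]},
 {"Id": "insp-1", "ProductName": "Inspector", "AwsAccountId": "222222222222", "RecordState": "ACTIVE",
  "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], "Severity": {"Label": "CRITICAL"},
  "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsLambdaFunction", "Id": "example-fn"}]},
 {"Id": "cfg-1", "ProductName": "Config", "AwsAccountId": "222222222222", "RecordState": "ACTIVE",
  "Types": ["Software and Configuration Checks/AWS Config Analysis"], "Severity": {"Label": "MEDIUM"},
  "Workflow": {"Status": "NEW"}, "Resources": [{"Type": "AwsS3Bucket", "Id": "example-bucket"}]},
 {"Id": "gd-2", "ProductName": "GuardDuty", "AwsAccountId": "111111111111", "RecordState": "ARCHIVED",
  "Types": ["TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort"], "Severity": {"Label": "LOW"},
  "Workflow": {"Status": "RESOLVED"}, "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0example2"}]}
]""")

ACTIONABLE = {"CRITICAL", "HIGH", "MEDIUM"}   # severities that trigger a response (assumed policy)

def triage(finding):
    """Map one ASFF finding to an action from the incident response plan (Step 7),
    or None when no action is needed (archived, resolved/suppressed, or below threshold)."""
    if finding.get("RecordState") != "ACTIVE":
        return None
    if finding.get("Workflow", {}).get("Status") in {"RESOLVED", "SUPPRESSED"}:
        return None
    severity = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    if severity not in ACTIONABLE:
        return None
    product, types = finding.get("ProductName"), finding.get("Types", [])
    if product == "GuardDuty" and any(t.startswith("TTPs/") for t in types):
        action = "isolate"        # contain the affected system first, then investigate
    elif product == "Inspector" and any("/Vulnerabilities/CVE" in t for t in types):
        action = "patch"          # remediate by patching or redeploying the vulnerable artifact
    elif product == "Config":
        action = "reconfigure"    # fix the non-compliant configuration (automated remediation fits here)
    else:
        action = "investigate"    # anything else goes to an analyst
    return {"finding": finding["Id"], "account": finding["AwsAccountId"],
            "resource": finding["Resources"][0]["Id"], "severity": severity, "action": action}

def triage_all(findings):
    """Apply triage() to a batch and keep only findings that need a response."""
    return [r for r in map(triage, findings) if r is not None]
```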