Benchmark: BP03 Automate response to events
Description
Using automation to investigate and remediate events reduces human effort and error, and allows you to scale investigation capabilities. Regular reviews will help you tune automation tools and continuously iterate. In AWS, you can feed events of interest and information on potentially unexpected changes into an automated workflow using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events) and custom events you can generate from your application. Amazon GuardDuty also allows you to route findings to a workflow system for those building incident response systems (AWS Step Functions), to a central Security Account, or to a bucket for further analysis.
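To make the "rules engine" idea concrete, here is a small, self-contained matcher in the style of EventBridge event patterns, applied to constructed GuardDuty and CloudTrail events. This is an added example and not code from the Powerpipe mod or from AWS; the rule names, target names, account id and finding payloads are all constructed for illustration, and the matcher implements only the exact-value, nested-object, `prefix` and `numeric` pattern forms (a subset of what EventBridge supports). It shows the routing the description talks about: high-severity findings go to an incident-response workflow, every finding is archived to a bucket, and destructive IAM API calls are forwarded to a central security account bus.

```python
"""Minimal EventBridge-style event pattern matcher (added example, not part of
the Powerpipe mod). Assumption: pattern semantics follow EventBridge's documented
rules for exact values, nested fields, {"prefix": ...} and {"numeric": [...]}.
Rule names, targets and sample events below are constructed, not real resources."""
from typing import Any


def _leaf_matches(value: Any, allowed: list) -> bool:
    """A leaf matches if any entry in the allowed list matches the event value.
    If the event value is itself a list, any element may satisfy the rule."""
    if isinstance(value, list):
        return any(_leaf_matches(v, allowed) for v in value)
    for entry in allowed:
        if isinstance(entry, dict):
            if "prefix" in entry and isinstance(value, str) and value.startswith(entry["prefix"]):
                return True
            if "numeric" in entry and isinstance(value, (int, float)) and not isinstance(value, bool):
                ops = entry["numeric"]  # e.g. [">=", 7] or [">=", 7, "<", 9]
                checks = {
                    ">": lambda b: value > b, ">=": lambda b: value >= b,
                    "<": lambda b: value < b, "<=": lambda b: value <= b,
                    "=": lambda b: value == b,
                }
                if all(checks[op](bound) for op, bound in zip(ops[0::2], ops[1::2])):
                    return True
        elif entry == value:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must exist in the event and match; keys the
    pattern does not mention are ignored, as in EventBridge."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not matches(sub, event[key]):
                return False
        elif not _leaf_matches(event[key], sub):
            return False
    return True


# Constructed rules: (rule name, event pattern, target). EventBridge invokes the
# targets of every rule whose pattern matches, so one event can fan out.
RULES = [
    ("high-severity-findings-to-workflow",
     {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
      "detail": {"severity": [{"numeric": [">=", 7]}]}},
     "StepFunctions:IncidentResponse"),
    ("all-findings-to-archive",
     {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]},
     "S3:findings-archive"),
    ("iam-deletes-to-security-account",
     {"source": ["aws.iam"], "detail-type": ["AWS API Call via CloudTrail"],
      "detail": {"eventName": [{"prefix": "Delete"}]}},
     "EventBus:security-account"),
]


def route(event: dict) -> list:
    """Return the targets that would receive this event, in rule order."""
    return [target for _, pattern, target in RULES if matches(pattern, event)]


# Constructed sample events (shape follows EventBridge envelopes; values are made up).
HIGH_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "account": "111122223333",
                "detail": {"severity": 8.0, "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"}}
LOW_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
               "account": "111122223333",
               "detail": {"severity": 2.0, "type": "Recon:EC2/PortProbeUnprotectedPort"}}
IAM_DELETE = {"source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
              "account": "111122223333",
              "detail": {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRolePolicy"}}

if __name__ == "__main__":
    for name, ev in [("high", HIGH_FINDING), ("low", LOW_FINDING), ("iam", IAM_DELETE)]:
        print(name, "->", route(ev))
```

The matcher deliberately fails closed: a key named in the pattern but absent from the event is a non-match, which is the behaviour you want when a finding is malformed or an upstream schema changes, so that unexpected events land in the archive rule (if they still match it) rather than silently triggering remediation.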
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-well-architected
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select BP03 Automate response to events.
Run this benchmark in your terminal:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec04_bp03
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_well_architected.benchmark.well_architected_framework_sec04_bp03 --share
Controls
- Elasticsearch domain should send logs to CloudWatch
- ELB application and classic load balancer logging should be enabled
- At least one multi-region AWS CloudTrail should be present in an account
- Database logging should be enabled
- VPC flow logs should be enabled
- Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)
- At least one trail should be enabled with security best practices
- AWS Redshift audit logging should be enabled