A go-to partner for outsourced services, the customer designs and builds smart, multi-disciplinary security and integrated offerings powered by AI. They orchestrate customer experience, security, and facilities management seamlessly for higher cost-efficiencies to empower their clients’ future. With a presence across 6 countries, the customer adds to capabilities of organizations through their systems integration and exhaustive technology development capabilities.
The customer wanted to consolidate security incidents from their multiple accounts in the AWS Landing Zone. Planning to have automation in place for responding effectively to certain security findings, the customer wanted to have security controls for reducing the time taken in the manual response process.
As the first step towards automation, the customer focused on the detection and remediation resulting from access management and privileges. The target was to set up the automated security operations and focus on the identity and access management controls. This is to ensure that all the events and incidents from the different accounts are detected and presented on a single pane of glass and selected incidents can be remediated either fully automated or with assistance.
Blazeclan’s proposed a solution of AWS Security Hub integration with all accounts in the landing zone. This would provide the customer a uniplanar view of security alerts from the central security hub account. The AWS Security Hub would then be integrated with Amazon EventBridge while the selected security events would be auto-remediated using AWS Lambda Functions. In the end, the security hub alters would be integrated with the existing ticketing tool. Following steps were carried out for implementing the solution.
- Since the customer’s landing zone was organization-enabled, AWSsupported feature was used to automate and streamline the process of integrating the security hub with its member accounts. This enabled the security hub in all the existing member accounts and new accounts added to landing zone.
- There was no creation of any additional codes for IaC. All necessary actions were performed and handled automatically by AWS.
- The detection was based on the IAM controls for CIS and AWS Security Foundation that were configured to be reported from all the accounts integrated with AWS Security Hub. After that, lambda scripts were written for selected events and incidents that could be remediated fully automated. The second set of lambda scripts were created for controls that could be remediated in an automated manner but would need a manual intervention to ensure no impact on work.
Benefits Achieved by the Customer
- The security platform for integration and automated response helped the customer to visualize and understand their security issues on a single plane, thereby driving their strategies of cloud security and compliance.
- With the help of automated response to IAM findings, the attack surface was reduced.
- A single pane of window was achieved for all IAM incidents across 100+ accounts.
- Effective use of serverless services enabled automatic response and remediation of the selected set of incidents. This further saved significant cost of security operations overall.
|AWS Security Hub||Amazon GuardDuty||AWS Identity & Access Management|
|AWS Config||Amazon CloudWatch||Amazon SNS|
|AWS Lambda||Amazon S3||Amazon EventBridge|
|AWS Management Console||Amazon Cloudtrail||AWS Cloudformation|