Which solution meets the company’s current and future logging requirements?
Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Set up specific rules within Amazon EventBridge to trigger an AWS Lambda function for remediation steps.
Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Use the current on-premises SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
Ingest all AWS CloudTrail logs, VPC Flow Logs, and DNS logs into a single Amazon S3 bucket in a designated security account. Launch an Amazon EC2 instance and install the current SIEM to monitor the logs and send a notification to an Amazon SNS topic to alert the security team of remediation steps.
Enable Amazon GuardDuty and AWS Security Hub in all Regions and all accounts. Designate a master security account to receive all alerts from the child accounts. Create an AWS Organizations SCP that denies access to certain API calls that are on an ignore list.
Explanations:
Enabling Amazon GuardDuty and AWS Security Hub allows for security alerts and threat detection across all AWS accounts. EventBridge can be used to trigger an AWS Lambda function to handle automatic remediation, making this solution scalable and automated, which is ideal for the company’s growing infrastructure.
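As an added illustration of the EventBridge-to-Lambda remediation path in that option (example code, not from the page): an assumed rule pattern that forwards only high-severity GuardDuty findings, a simplified matcher showing how that pattern filters events, and a dry-run handler that turns a constructed finding into a remediation plan. The severity threshold, action names and sample values are assumptions.

```python
import operator

# Assumed EventBridge rule pattern: only GuardDuty findings of severity >= 7 reach
# the remediation Lambda ("numeric" is EventBridge's own matching syntax).
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
_OPS = {">=": operator.ge, ">": operator.gt, "<=": operator.le, "<": operator.lt}

def _match_value(value, cand):
    if isinstance(cand, dict) and "numeric" in cand:  # e.g. {"numeric": [">=", 7]}
        op, bound = cand["numeric"]
        return isinstance(value, (int, float)) and _OPS[op](value, bound)
    return value == cand

def matches_pattern(event, pattern):
    """Simplified EventBridge matching: every pattern key must exist in the event and
    match one listed literal or numeric condition; nested objects recurse."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not (isinstance(event[key], dict) and matches_pattern(event[key], allowed)):
                return False
        elif not any(_match_value(event[key], cand) for cand in allowed):
            return False
    return True

def plan_remediation(event):
    """Dry run: return the action the Lambda would take (no AWS API calls are made)."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    plan = {"account": detail["accountId"], "finding": detail["type"],
            "severity": detail["severity"], "action": "notify-security-team"}
    if resource.get("resourceType") == "Instance":  # hypothetical action name
        plan["instance_id"] = resource["instanceDetails"]["instanceId"]
        plan["action"] = "isolate-instance"  # e.g. move to a quarantine security group
    return plan

def lambda_handler(event, context=None):
    if not matches_pattern(event, GUARDDUTY_RULE_PATTERN):
        return {"action": "ignored"}
    return plan_remediation(event)

# Constructed sample in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "accountId": "111122223333", "severity": 8, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}
```

In a deployed function the returned plan would drive the actual EC2 or IAM API calls, and the same pattern can be attached to a rule in the designated security account once GuardDuty findings from the child accounts are aggregated there.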
While ingesting logs into an S3 bucket and using the current SIEM is a viable option, it does not provide automatic remediation. Additionally, integrating with Amazon SNS for notifications is manual and lacks scalability, especially for future growth.
Launching an EC2 instance with the current SIEM introduces unnecessary complexity and manual effort. It doesn’t provide an automated remediation solution and could lead to inefficiencies as the company grows. Using an EC2 instance for log analysis and remediation is not optimal for scalability.
While GuardDuty and Security Hub provide threat detection, the use of an AWS Organizations SCP to deny API calls based on a static ignore list isn’t an effective method for dynamic or automated remediation. SCPs are more for controlling access and not for handling security incidents through automated remediation.