Chapter 9. Monitoring and Incident Response
Until now, I have talked about how to design a microservice system that has controls in place to prevent malicious users from gaining unauthorized access to resources. This chapter takes a slightly different approach. Consider what would happen if, despite your best efforts at segmenting, controlling access, and applying network security measures, an attacker has somehow managed to exploit a vulnerability in your organization and gain unauthorized access.
Every company has to deal with security breaches at some point. Incidents do not necessarily indicate how secure a company’s security posture is or how they conduct their business. A humorous quotation made by John Chambers at the World Economic Forum that I generally like to use whenever I talk about information security is, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” It is their level of preparedness for an incident that distinguishes a good company from a bad one.
In this chapter, I will be going through various types of detective controls that administrators have on AWS resources. It is the goal of detective controls to make security incidents more visible and reduce the time required for their detection or response. AWS provides every user with the ability to monitor all the activities that happen on the cloud. This includes the ability to log every action, specify metrics, and alert for any suspicious behavior. ...