Incident Response
Incident response is one of the areas of the Security Pillar of the AWS Well-Architected Framework. It emphasises the preparation security teams need in order to operate effectively during a security event. This section covers the load balancer logging that supports forensic analysis after an event and how to engage AWS while one is in progress.
Access Logs
Access logs capture detailed information about each request that reaches the load balancer, which is essential during troubleshooting or a security event. Note that neither ALB access logs nor NLB access logs are enabled by default, and enabling them incurs S3 storage costs. NLB access logs only record connections to TLS listeners; plain TCP/UDP traffic is not logged.
Best Practice
[ALB, NLB] Enable access logs.
Both ALB and NLB deliver their logs to an S3 bucket. In multi-account environments, consolidate the logs into a dedicated, centralised account. This puts the bucket policy, encryption and retention controls that protect the confidentiality and integrity of the logs outside the workload accounts that produced them, so that a compromised workload account cannot read or tamper with its own log history.
Best Practice
[ALB, NLB] Consolidate access logs in the Log Archive account.
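The following is an added example, not code from the original guide. It generates the two artefacts you need to apply the practice above: the bucket policy for a Log Archive bucket that accepts ALB and NLB log delivery from a list of workload accounts (each account scoped to its own `AWSLogs/<account-id>/` key prefix, plus a deny on unencrypted transport), and the attribute set that switches access logging on for a load balancer. The bucket name, prefix and account IDs are placeholders; the regional ELB account table is only a subset and must be checked against the ALB access-log documentation for your region.

```python
"""Build the S3 bucket policy and ELB attributes for centralised access logging.

Added example, not part of the original guide. Assumes a Log Archive account
that owns the bucket and one or more workload accounts whose ALBs and NLBs
deliver logs into it. Bucket name, prefix and account IDs are placeholders.
"""
import json

# Regions available before August 2022 grant s3:PutObject to a regional ELB
# account (subset shown; take the ID for your region from the ALB access-log
# documentation). Regions opened later use the
# logdelivery.elasticloadbalancing.amazonaws.com service principal instead.
ELB_ACCOUNT_IDS = {
    "us-east-1": "127311923021",
    "us-west-2": "797873946194",
    "eu-west-1": "156460612806",
}


def log_object_arn(bucket, prefix, account_id):
    """ARN pattern for the objects ELB writes: bucket/prefix/AWSLogs/<account>/..."""
    path = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:aws:s3:::{bucket}/{path}AWSLogs/{account_id}/*"


def alb_delivery_principal(region):
    """Principal that writes ALB logs in the given region."""
    if region in ELB_ACCOUNT_IDS:
        return {"AWS": f"arn:aws:iam::{ELB_ACCOUNT_IDS[region]}:root"}
    return {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"}


def build_log_bucket_policy(bucket, prefix, region, source_accounts):
    """Bucket policy for the Log Archive bucket: one ALB and one NLB write grant
    per source account, each scoped to that account's own key prefix, the
    GetBucketAcl check the NLB log delivery service performs, and a deny for
    requests that do not use TLS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = []
    for acct in source_accounts:
        objects = log_object_arn(bucket, prefix, acct)
        statements.append({
            "Sid": f"AlbLogDelivery{acct}",
            "Effect": "Allow",
            "Principal": alb_delivery_principal(region),
            "Action": "s3:PutObject",
            "Resource": objects,
        })
        statements.append({
            "Sid": f"NlbLogDelivery{acct}",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": objects,
            # The delivery service must hand object ownership to the bucket
            # owner, and may only write on behalf of the expected account.
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": acct,
            }},
        })
    statements.append({
        "Sid": "NlbLogDeliveryAclCheck",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": "s3:GetBucketAcl",
        "Resource": bucket_arn,
    })
    statements.append({
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, f"{bucket_arn}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return {"Version": "2012-10-17", "Statement": statements}


def access_log_attributes(bucket, prefix):
    """Attributes for elbv2 modify-load-balancer-attributes; same keys for ALB and NLB."""
    return [
        {"Key": "access_logs.s3.enabled", "Value": "true"},
        {"Key": "access_logs.s3.bucket", "Value": bucket},
        {"Key": "access_logs.s3.prefix", "Value": prefix},
    ]


if __name__ == "__main__":
    # Placeholder bucket, prefix and workload account IDs.
    policy = build_log_bucket_policy("org-elb-log-archive", "elb", "us-east-1",
                                     ["111111111111", "222222222222"])
    print(json.dumps(policy, indent=2))
    print(json.dumps(access_log_attributes("org-elb-log-archive", "elb"), indent=2))
```

Apply the policy in the Log Archive account with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`, and the attributes in each workload account with `aws elbv2 modify-load-balancer-attributes --load-balancer-arn <arn> --attributes file://attributes.json`. The bucket must be in the same Region as the load balancers that write to it, so a multi-Region estate needs one archive bucket per Region.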
Having the logs in a centralised location not only enhances security but also simplifies integration with log analysis tools such as Amazon Athena. From the logs you can extract metrics such as top requesters, average request size and the most-used TLS ciphers, and during an event you can spot anomalies such as a single client generating a burst of 4xx responses while probing for known paths.
Best Practice
[ALB, NLB] Use a tool to analyze access logs.
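As an added example (not part of the original guide), the parser below reads ALB access-log entries in the documented field order and produces the triage summary described above: top requesters, average request size, cipher usage, and which clients are drawing 4xx/5xx responses. The four log lines are constructed sample data with RFC 5737 addresses and placeholder ARNs, not real traffic.

```python
"""Summarise ALB access-log lines for incident triage.

Added example, not part of the original guide. Field order follows the
documented ALB access-log entry format; SAMPLE_LOG is constructed data.
"""
import re
from collections import Counter
from statistics import mean

# Leading fields of an ALB access-log entry, in the documented order; the
# trailing target-list and classification fields are ignored here.
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason",
]

# Fields are space separated; request, user_agent and several others are
# double-quoted and may themselves contain spaces, so split on quotes first.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_alb_line(line):
    """Split one ALB access-log entry into a dict keyed by ALB_FIELDS."""
    tokens = [quoted if quoted else bare for quoted, bare in TOKEN.findall(line)]
    return dict(zip(ALB_FIELDS, tokens))


def client_ip(entry):
    """Strip the port from the client:port field (works for IPv4 and IPv6)."""
    return entry["client_port"].rsplit(":", 1)[0]


def summarise(lines, top=3):
    """Triage view over a batch of log lines."""
    entries = [parse_alb_line(l) for l in lines if l.strip()]
    if not entries:
        raise ValueError("no log entries")
    requesters = Counter(client_ip(e) for e in entries)
    ciphers = Counter(e["ssl_cipher"] for e in entries if e["ssl_cipher"] != "-")
    # Status code as returned by the load balancer; "-" appears for aborted requests.
    errors = Counter(
        client_ip(e) for e in entries
        if e["elb_status_code"].isdigit() and int(e["elb_status_code"]) >= 400
    )
    return {
        "top_requesters": requesters.most_common(top),
        "avg_request_bytes": mean(int(e["received_bytes"]) for e in entries),
        "top_ciphers": ciphers.most_common(top),
        "errors_by_client": errors.most_common(top),
    }


# Constructed sample: one client scanning for wp-login.php and .env, one normal user.
SAMPLE_LOG = [
    'https 2024-05-01T10:00:00.100000Z app/prod-alb/50dc6c495c0c9188 203.0.113.10:51000 10.0.1.5:80 0.001 0.020 0.000 200 200 120 2048 "GET https://www.example.com:443/ HTTP/1.1" "curl/8.4.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/web/73e2d6bc24d8a067 "Root=1-66321a00-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-1:111111111111:certificate/1111" 1 2024-05-01T10:00:00.090000Z "forward" "-" "-" "10.0.1.5:80" "200" "-" "-"',
    'https 2024-05-01T10:00:01.100000Z app/prod-alb/50dc6c495c0c9188 203.0.113.10:51001 10.0.1.5:80 0.001 0.010 0.000 404 404 80 512 "GET https://www.example.com:443/wp-login.php HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/web/73e2d6bc24d8a067 "Root=1-66321a01-1d84f3d73c47ec4e58577260" "www.example.com" "arn:aws:acm:us-east-1:111111111111:certificate/1111" 1 2024-05-01T10:00:01.090000Z "forward" "-" "-" "10.0.1.5:80" "404" "-" "-"',
    'https 2024-05-01T10:00:02.100000Z app/prod-alb/50dc6c495c0c9188 198.51.100.7:40000 10.0.1.6:80 0.001 0.050 0.000 200 200 300 4096 "POST https://www.example.com:443/api/login HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" TLS_AES_128_GCM_SHA256 TLSv1.3 arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/web/73e2d6bc24d8a067 "Root=1-66321a02-1d84f3d73c47ec4e58577261" "www.example.com" "arn:aws:acm:us-east-1:111111111111:certificate/1111" 1 2024-05-01T10:00:02.090000Z "forward" "-" "-" "10.0.1.6:80" "200" "-" "-"',
    'https 2024-05-01T10:00:03.100000Z app/prod-alb/50dc6c495c0c9188 203.0.113.10:51002 - 0.001 -1 -1 403 - 100 0 "GET https://www.example.com:443/.env HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111111111111:targetgroup/web/73e2d6bc24d8a067 "Root=1-66321a03-1d84f3d73c47ec4e58577262" "www.example.com" "arn:aws:acm:us-east-1:111111111111:certificate/1111" 1 2024-05-01T10:00:03.090000Z "waf" "-" "-" "-" "-" "-" "-"',
]


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

This is the shape of analysis you would run in Athena across the whole archive bucket (the Athena guides in the references cover the table definitions); a local parser like this one is useful when you have pulled a handful of gzipped log objects for a specific window during an investigation and want answers before the Athena table is set up.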
References and Further Reading
Enable access logs for your Application Load Balancer
Access logs for your Network Load Balancer
Application and Classic Load Balancers logging should be enabled
AWS Config Rule elb-logging-enabled
Security OU and accounts - Log archive account
Security OU – Log Archive account
Querying Application Load Balancer logs
Querying Network Load Balancer logs
Step by step for Log Analysis with Amazon Athena
CDK & CloudFormation samples for Log Analysis with Amazon Athena
Events
AWS Health notifies customers of ELB service events and planned changes. Monitor AWS Health proactively, for example by routing AWS Health events through Amazon EventBridge to your alerting channel, so that you can act whenever AWS communicates with you, and make consulting the AWS Health Dashboard part of the incident response playbook.
Best Practice
[ALB, NLB] Monitor events using AWS Health.
References and Further Reading
Engage AWS Security
Knowing in advance how to engage AWS Security helps during an active security event. AWS offers several channels, each intended for a different situation:
- AWS Security: aws-security@amazon.com
- AWS Customer Incident Response Team
- AWS Shield Response Team (SRT) / DDoS response support
- Vulnerability Reporting
- Abuse Reporting
- AWS Compliance Information
- Testing / Simulated Events Form
Best Practice
[ALB, NLB] Include contacting AWS in your security incident playbooks.
References and Further Reading