Automating Incident Response with EventBridge
Last updated
In this part, we'll explore the practical elements of integrating EventBridge with other services, including the basic deployment of AWS Lambda functions and the creation of Amazon SNS topics. We'll cover the Lambda and SNS skills this lab requires, but previous experience with EventBridge (event buses, rules, event patterns and targets) is assumed.
EventBridge and the incident response process
EventBridge can stream events from a range of AWS services, supporting event-driven automation and the monitoring of operational changes across your AWS estate. AWS's security-focused services publish events to the default event bus as they work: GuardDuty, for example, emits a "GuardDuty Finding" event when it generates a new finding and, by default, emits it again every six hours while the suspicious activity continues. Other AWS services, such as Lambda or SNS, can be set as rule targets so that an action is taken as soon as a matching event arrives. This enables automation and shortens the delay between detection and the first response action.
AWS Lambda functions are serverless functions that can interact with and configure resources in other services (along with many other capabilities). When a function is set as the target of a rule, EventBridge invokes it asynchronously with the matched event as the function's input payload, so the handler can read fields such as the finding type or the remote IP address directly from the event. The function's execution role must hold the permissions for whatever remediation it performs, and the function's resource-based policy must allow EventBridge to invoke it (the console adds this permission when you create the target; with the CLI you add it yourself). This means that Lambda functions can be used to automate the response to a potential incident.
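To make the Lambda side concrete, here is an added example handler for the GuardDuty-to-network-ACL scenario described in the examples later in this section. It is not code from the lab: the NACL_ID and TRUSTED_CIDRS values, the sample finding and the sample network ACL entries are all constructed placeholders. The parsing and rule-number logic is kept separate from the boto3 calls so it can be exercised without AWS credentials; the handler also skips trusted addresses, refuses to add a deny twice (GuardDuty re-emits recurring findings) and raises rather than silently adding a rule that the 20-rule inbound quota or the rule ordering would make useless.

```python
"""Lambda target for a GuardDuty finding: deny the remote IP in the VPC network ACL.

Added example, not code from the original lab. NACL_ID and TRUSTED_CIDRS are
assumed placeholders standing in for the lab's own configuration.
"""
import ipaddress
import os
from typing import Optional

# Assumed configuration, normally injected as Lambda environment variables.
NACL_ID = os.environ.get("NACL_ID", "acl-0123456789abcdef0")       # assumed placeholder
TRUSTED_CIDRS = os.environ.get("TRUSTED_CIDRS", "203.0.113.0/24")  # assumed; TEST-NET-3

MAX_NACL_RULES = 20   # default inbound rule quota per network ACL
DEFAULT_RULE = 32767  # the implicit final deny-all rule; never counted or reused


def remote_ip_from_finding(event: dict) -> Optional[str]:
    """Remote IPv4 address of an inbound network-connection finding, else None.
    Findings of other action types (DNS requests, API calls) carry no IP to block."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    action = event.get("detail", {}).get("service", {}).get("action", {})
    if action.get("actionType") != "NETWORK_CONNECTION":
        return None
    conn = action.get("networkConnectionAction", {})
    if conn.get("connectionDirection") != "INBOUND":
        return None
    return conn.get("remoteIpDetails", {}).get("ipAddressV4")


def is_trusted(ip: str, trusted_cidrs: str = TRUSTED_CIDRS) -> bool:
    """True if ip lies inside any of the comma-separated trusted CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in trusted_cidrs.split(",") if c.strip())


def already_denied(ip: str, entries: list) -> bool:
    """True if an inbound deny for ip/32 exists; keeps the handler idempotent."""
    return any(not e["Egress"] and e["RuleAction"] == "deny"
               and e.get("CidrBlock") == f"{ip}/32" for e in entries)


def next_deny_rule_number(entries: list) -> int:
    """Lowest unused inbound rule number below the first allow rule.

    Rules are evaluated lowest-number-first, so a deny numbered above an allow
    never takes effect. `entries` is the Entries list from describe_network_acls().
    """
    inbound = [e for e in entries if not e["Egress"] and e["RuleNumber"] != DEFAULT_RULE]
    if len(inbound) >= MAX_NACL_RULES:
        raise RuntimeError("inbound network ACL rule quota reached; escalate instead of blocking")
    used = {e["RuleNumber"] for e in inbound}
    ceiling = min((e["RuleNumber"] for e in inbound if e["RuleAction"] == "allow"),
                  default=DEFAULT_RULE)
    for n in range(1, ceiling):
        if n not in used:
            return n
    raise RuntimeError("no free rule number below the first allow rule")


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point: EventBridge passes the matched finding as `event`."""
    ip = remote_ip_from_finding(event)
    if ip is None:
        return {"action": "ignored", "reason": "finding has no inbound remote IP"}
    if is_trusted(ip):
        return {"action": "ignored", "reason": f"{ip} is within TRUSTED_CIDRS"}
    import boto3  # imported here so the logic above runs without AWS credentials
    ec2 = boto3.client("ec2")
    entries = ec2.describe_network_acls(NetworkAclIds=[NACL_ID])["NetworkAcls"][0]["Entries"]
    if already_denied(ip, entries):
        return {"action": "ignored", "reason": f"{ip} already denied"}
    rule_number = next_deny_rule_number(entries)
    ec2.create_network_acl_entry(NetworkAclId=NACL_ID, RuleNumber=rule_number, Protocol="-1",
                                 RuleAction="deny", Egress=False, CidrBlock=f"{ip}/32")
    return {"action": "blocked", "ip": ip, "rule_number": rule_number}


# Constructed sample, shaped like the event EventBridge delivers for a finding.
SAMPLE_FINDING = {
    "version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},  # TEST-NET-2
            },
        }},
    },
}

# Constructed sample of describe_network_acls()["NetworkAcls"][0]["Entries"]
# for a network ACL that still carries only its default rules.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": DEFAULT_RULE, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]
```

The execution role for this handler needs ec2:DescribeNetworkAcls and ec2:CreateNetworkAclEntry on the target ACL and nothing more. Blocking at the network ACL is a blunt instrument (it affects every instance in the subnet), which is exactly why the trusted-CIDR check runs before any API call.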
Amazon Simple Notification Service (SNS) is a publish/subscribe notification service. Events can be forwarded to SNS topics, where each topic, the target of these events, can have multiple subscriptions. A subscription is an endpoint, such as a phone number, email address, or HTTPS URL, to which notifications are delivered. This is used to rapidly notify security teams of unusual events. Two practical points: the topic's access policy must allow the events.amazonaws.com service principal to publish to it, and by default the subscriber receives the raw event JSON, so a rule's input transformer is normally used to reshape the event into a readable message.
Examples of Lambda and SNS in incident response include:
GuardDuty creates a new security finding, such as one of your EC2 instances being connected to from an IP address that isn't on your list of trusted IPs. An event is generated and streamed via the event bus to a Lambda function. The Lambda function adds a deny rule to the VPC network access control list (network ACL) associated with the instance's subnet to block the unknown IP address. Two details matter here: network ACL rules are evaluated in ascending rule-number order, so the deny must be numbered below the existing allow rules, and a network ACL holds only 20 inbound rules by default, so the function should check for an existing deny for that address (GuardDuty re-emits recurring findings) and fall back to notifying a human once the quota is reached.
EventBridge can also monitor API calls recorded by CloudTrail, provided a trail with logging enabled exists in the region. You might receive an event with the detail-type "AWS API Call via CloudTrail" showing that a principal has called the CreateUser operation in the IAM service. If your organization uses only IAM roles and no IAM users, this would be suspicious. The event is streamed to an SNS topic target with a subscription to an email address; your security team is notified within minutes and can investigate. Note that EventBridge delivers only mutating API calls this way; read-only List, Get and Describe calls are not delivered, so reconnaissance such as a ListUsers call has to be found in the CloudTrail logs themselves.
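The second example, as added code that is not part of the original lab: the event pattern the rule would use, a minimal offline matcher implementing EventBridge's exact-match semantics (sibling keys are ANDed, list values are ORed; prefix, numeric and anything-but filters are left out), and the input transformer that turns the matched event into the text the SNS subscriber reads. The topic ARN, the message template and the constructed CloudTrail events are assumptions. It goes slightly beyond the text by also matching CreateAccessKey and CreateLoginProfile, the usual follow-on calls when someone creates a standing IAM identity.

```python
"""Rule logic for the IAM CreateUser example: event pattern, offline matcher and
input transformer rendering the SNS message.

Added example, not code from the original lab. TOPIC_ARN, INPUT_TEMPLATE, the
extra IAM event names and the sample events are assumptions.
"""
import json
from typing import Optional

TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:security-alerts"  # assumed placeholder

# Event pattern as EventBridge evaluates it: sibling keys are ANDed, the values
# inside each list are ORed and leaf values must match exactly.
CREATE_USER_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["iam.amazonaws.com"],
        "eventName": ["CreateUser", "CreateAccessKey", "CreateLoginProfile"],
    },
}

# InputPathsMap / InputTemplate for the SNS target. Without a transformer the
# subscriber receives the raw event JSON; <name> placeholders are filled from
# the JSONPath expressions below.
INPUT_PATHS = {
    "who": "$.detail.userIdentity.arn",
    "api": "$.detail.eventName",
    "target": "$.detail.requestParameters.userName",
    "ip": "$.detail.sourceIPAddress",
    "when": "$.detail.eventTime",
}
INPUT_TEMPLATE = "IAM <api> by <who> from <ip> at <when> (target user: <target>)"


def matches(pattern: dict, event: dict) -> bool:
    """Exact-match subset of EventBridge pattern matching (no prefix, numeric or
    anything-but filters). Nested dicts recurse; lists hold the allowed values."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(actual, list):  # event field is an array: any element may match
            if not any(a in expected for a in actual):
                return False
        elif actual not in expected:
            return False
    return True


def resolve(path: str, event: dict):
    """Resolve a simple JSONPath of the form $.a.b.c against the event; None if absent."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported JSONPath: {path}")
    node = event
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(template: str, paths: dict, event: dict) -> str:
    """Fill <name> placeholders: strings as-is, other values as JSON, unresolved
    paths as 'null'. This is the offline stand-in's convention; the service's own
    InputTemplate must additionally be valid JSON (see rule_target)."""
    out = template
    for name, path in paths.items():
        value = resolve(path, event)
        out = out.replace(f"<{name}>", value if isinstance(value, str) else json.dumps(value))
    return out


def evaluate(event: dict) -> Optional[str]:
    """The rule end to end: the SNS message text, or None when the event does not match."""
    if not matches(CREATE_USER_PATTERN, event):
        return None
    return render(INPUT_TEMPLATE, INPUT_PATHS, event)


def rule_target(topic_arn: str = TOPIC_ARN) -> dict:
    """Target entry for events.put_targets(Rule=..., Targets=[...]). The template is
    JSON-encoded because EventBridge requires InputTemplate to be a valid JSON value."""
    return {"Id": "security-alerts-sns", "Arn": topic_arn,
            "InputTransformer": {"InputPathsMap": INPUT_PATHS,
                                 "InputTemplate": json.dumps(INPUT_TEMPLATE)}}


def topic_policy_statement(topic_arn: str = TOPIC_ARN) -> dict:
    """Statement the SNS topic's access policy needs so EventBridge may publish."""
    return {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish", "Resource": topic_arn}


# Constructed samples shaped like the events EventBridge delivers from CloudTrail.
SAMPLE_CREATE_USER = {
    "version": "0", "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "region": "us-east-1",
    "detail": {
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "eventTime": "2024-05-01T10:15:00Z", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/alice"},
        "requestParameters": {"userName": "svc-backup"},
        "readOnly": False,
    },
}
# Read-only calls such as ListUsers are never delivered via EventBridge; even a
# hand-fed one must not match the pattern.
SAMPLE_LIST_USERS = {
    "version": "0", "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "readOnly": True},
}
```

Running evaluate() over a captured event before deploying is a cheap way to catch the usual mistakes: a pattern key at the wrong nesting level (eventName sits under detail, not at the top level) silently matches nothing, and a typo in an InputPathsMap path produces a message with an empty field rather than an error.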