
Incident Preparedness and Security Configuration Curriculum

Use AWS service features and capabilities to configure services to be prepared for incidents (for example, by provisioning access, deploying security tools, minimizing the blast radius, configuring AWS Shield Advanced protections)

Curriculum Overview: Incident Preparedness and Security Configuration

This curriculum focuses on the proactive phase of the incident response lifecycle. It covers how to use AWS service features to prepare environments for security events, focusing on access provisioning, the deployment of detection tools, and the architectural minimization of the "blast radius."

Prerequisites

Before starting this module, students should possess the following foundational knowledge:

  • AWS Fundamentals: Basic understanding of Global Infrastructure (Regions/AZs) and core services (EC2, S3, VPC).
  • Identity & Access Management (IAM): Familiarity with users, groups, roles, and policies.
  • Network Security: Understanding of Security Groups, Network ACLs, and CIDR notation.
  • Security Principles: Basic knowledge of the Principle of Least Privilege and the Shared Responsibility Model.

Module Breakdown

Module | Focus Area | Difficulty
--- | --- | ---
1. Identity Foundations | Provisioning access, IAM roles, and temporary credentials (STS). | Intermediate
2. Proactive Detection | Deploying GuardDuty, Inspector, and Security Hub. | Intermediate
3. Perimeter & Edge Defense | Configuring AWS Shield Advanced and WAF to mitigate DDoS/Web attacks. | Advanced
4. Blast Radius Mitigation | Network segmentation, VPC Network Firewall, and Account structure. | Advanced
5. Automated Readiness | Systems Manager (SSM) and Incident Response Runbooks. | Intermediate

Learning Objectives per Module

Module 1: Identity & Access Provisioning

  • Implement Least Privilege using IAM permission boundaries and session policies.
  • Configure AWS STS for issuing temporary security credentials to minimize long-term credential risk.
  • Establish "break-glass" procedures for emergency administrative access.

Module 2: Security Tooling Deployment

  • Enable Amazon GuardDuty for continuous monitoring of VPC Flow Logs and CloudTrail events.
  • Deploy Amazon Inspector to automate vulnerability management and network reachability assessments.
  • Centralize findings using AWS Security Hub for a "single-pane-of-glass" view of security posture.

Module 3: Shielding the Edge

  • Configure AWS Shield Advanced for layer 3, 4, and 7 DDoS protection.
  • Integrate AWS WAF with CloudFront and ALB to block common web exploits (OWASP Top 10).

Module 4: Minimizing the Blast Radius

  • Design network segmentation using VPC subnets and AWS Network Firewall.
  • Utilize AWS Organizations and Service Control Policies (SCPs) to restrict high-risk actions at the account level.

Success Metrics

To demonstrate mastery of this curriculum, the learner must be able to:

  1. Reduce Mean Time to Detect (MTTD): Successfully configure GuardDuty and CloudWatch alarms to trigger notifications within 5 minutes of a simulated anomaly.
  2. Infrastructure Compliance: Achieve a 100% "passed" rate on the AWS Foundational Security Best Practices standard in AWS Security Hub.
  3. Blast Radius Verification: Perform a reachability analysis using Network Access Analyzer to prove that sensitive data subnets are isolated from public-facing subnets.
  4. Policy Validation: Use the IAM Policy Simulator to verify that provisioned roles cannot perform actions outside their designated scope.
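To make the Module 4 objective (SCPs bounding what an account can do) and Success Metric 4 (verifying a role cannot act outside its scope) concrete, here is an added example that is not part of this curriculum or of any AWS SDK: an offline model of the documented evaluation order, where an explicit Deny in any layer wins, and otherwise both the SCP and the identity policy must Allow. The SCP, the over-broad admin policy and the action list are constructed samples; conditions, resource policies and permission boundaries are deliberately left out of the model.

```python
"""Offline approximation of SCP + identity-policy evaluation (added example).

Simplification: explicit Deny anywhere wins; otherwise the SCP must Allow AND
the identity policy must Allow. Conditions and resource policies are ignored.
"""
import fnmatch

# Constructed sample SCP: blocks disabling of logging/detection tooling in
# every account under the OU, whatever IAM policies inside the account grant.
DETECTION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": [
                "guardduty:DeleteDetector",
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "securityhub:DisableSecurityHub",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed sample identity policy: an over-broad admin role in the account.
ACCOUNT_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(policy, action, resource):
    """Return (allow, deny) flags for one policy document; wildcards supported."""
    allow = deny = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
            fnmatch.fnmatchcase(resource, r) for r in resources
        ):
            if stmt["Effect"] == "Deny":
                deny = True
            else:
                allow = True
    return allow, deny


def is_allowed(scp, identity_policy, action, resource="*"):
    """Decision: explicit Deny wins; otherwise both layers must Allow."""
    scp_allow, scp_deny = _matches(scp, action, resource)
    id_allow, id_deny = _matches(identity_policy, action, resource)
    if scp_deny or id_deny:
        return False
    return scp_allow and id_allow
```

Running `is_allowed(DETECTION_GUARDRAIL_SCP, ACCOUNT_ADMIN_POLICY, "cloudtrail:StopLogging")` returns False even though the identity policy grants `*`, which is the blast-radius property an SCP is meant to enforce; the real check for Success Metric 4 is the IAM Policy Simulator.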

Real-World Application

In a professional environment, these skills are critical for:

  • Regulatory Compliance: Meeting requirements for SOC2, PCI-DSS, or HIPAA by ensuring audit logs (CloudTrail) and encryption (KMS) are provisioned correctly before data is stored.
  • Financial Protection: Using AWS Shield Advanced to gain cost protection against scaling charges incurred during a massive DDoS attack.
  • Operational Resilience: Building "Self-Healing" architectures where AWS Config rules automatically remediate non-compliant resources (e.g., closing an open S3 bucket).

Visualizing Blast Radius Protection

The following diagram illustrates how hierarchical controls (SCPs → VPC → Security Groups) create concentric circles of protection.

\begin{center}
\begin{tikzpicture}
  % Outer boundary (AWS Organization)
  \draw[thick, dashed] (0,0) circle (3.5cm);
  \node at (0,3.2) {\textbf{AWS Organization (SCPs)}};
  % Account boundary
  \draw[thick, blue] (0,0) circle (2.5cm);
  \node[blue] at (0,2.2) {\textbf{AWS Account (IAM)}};
  % Network boundary
  \draw[thick, red] (0,0) circle (1.5cm);
  \node[red] at (0,1.2) {\textbf{VPC (Network Firewall)}};
  % Resource boundary
  \draw[fill=gray!20] (0,0) circle (0.5cm);
  \node at (0,0) {\textbf{Data}};
  % Threat containment arrow
  \draw[->, ultra thick, orange] (-4,0) -- (-1.6,0);
  \node[orange, rotate=90] at (-3, 0.5) {Incident Impact Stop};
\end{tikzpicture}
\end{center}

[!IMPORTANT] Preparation is 90% of incident response. An AWS environment that is "secure by design" through proper configuration often prevents incidents from occurring entirely, or ensures they are detected and contained before they become catastrophic.

Ready to study AWS Certified Security - Specialty (SCS-C03)?