AWS Incident Response Toolchain - An Integrated Investigation Platform from CloudTrail to Security Hub

Explore the AWS incident response toolchain combining CloudTrail, Config, Detective, and Security Hub, and compare the investigation approach with Azure Sentinel.

Toolchain Requirements for Incident Response

When a security incident occurs, the response team must rapidly determine what happened, when it happened, who was involved, and how far the impact extends. Answering these four questions requires API call records, resource configuration change history, network flow records, and a view of the relationships between the entities involved. AWS addresses these requirements through a division of responsibilities: CloudTrail records API calls, Config tracks resource configuration changes, VPC Flow Logs capture network flow metadata (source, destination, ports, bytes; not packet contents), and Detective integrates these data sources to visualize relationships between entities. Each service specializes in its domain while being unified through Security Hub, creating an architecture that covers detection, triage, investigation and containment with native services alone; recovery still depends on your own backups and infrastructure-as-code.

CloudTrail - Recording Every API Call

CloudTrail records API calls made within an AWS account and serves as the most fundamental data source for incident response. Management events (control plane operations) are kept in Event history for 90 days without any additional configuration, so recent operations can be investigated immediately; for retention beyond 90 days, for multi-account collection, and for analysis outside the console you need a trail delivering to S3 or a CloudTrail Lake event data store. Data events (S3 object access, Lambda invocations, etc.) require explicit enablement and are billed separately, but once enabled, data plane operations are recorded as well. CloudTrail Lake, introduced in 2022, lets you query CloudTrail events directly with SQL from an event data store. Previously, you had to analyze logs delivered to S3 with Athena (or a SIEM); with CloudTrail Lake an investigation query such as "all API calls made by a specific IAM role in the past 30 days" can be run immediately. CloudTrail Insights, which must be enabled on a trail or event data store, detects unusual call rates and unusual error rates for write management events and emits Insights events when they occur. This supports early detection of attacker reconnaissance (bursts of enumeration calls) and privilege escalation attempts (bursts of AccessDenied errors), but it is a volume-based signal, not a classifier of which API types are malicious.
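The role-centric investigation described above, worked through on raw CloudTrail records rather than in CloudTrail Lake, as an added example (not code from the article): it filters one IAM role's calls to a 30-day window, summarizes what/when/from where/how far, and flags hours with an abnormal call volume in the spirit of the call-rate signal Insights provides. SAMPLE_LOG is constructed to follow CloudTrail's S3 delivery layout ({"Records": [...]}); the account ID, role names, session names and IP addresses are made up. In CloudTrail Lake the same pivot is a WHERE clause on userIdentity.sessionContext.sessionIssuer.arn and eventTime.

```python
"""Triage of one IAM role's activity from raw CloudTrail records.

Added example, not code from the article. SAMPLE_LOG is constructed to
resemble a CloudTrail S3 delivery object ({"Records": [...]}); the account
ID, role names, session names and IP addresses are made up.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

ACCOUNT = "123456789012"  # fictitious account ID (assumption)


def _rec(t, source, name, ip, role="DeployRole", error=None, region="us-east-1", read_only=True):
    """Build one record in CloudTrail's JSON layout (helper for the constructed sample)."""
    r = {
        "eventTime": t, "eventSource": f"{source}.amazonaws.com", "eventName": name,
        "awsRegion": region, "sourceIPAddress": ip, "readOnly": read_only,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/session",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"}},
        },
    }
    if error:
        r["errorCode"] = error
    return r


SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-03-01T09:00:00Z", "ec2", "DescribeInstances", "203.0.113.10"),  # older than 30 days
    _rec("2024-05-06T09:00:00Z", "ec2", "DescribeInstances", "203.0.113.10"),
    _rec("2024-05-07T09:00:00Z", "ec2", "DescribeInstances", "203.0.113.10"),
    _rec("2024-05-08T09:00:00Z", "ec2", "DescribeInstances", "203.0.113.10"),
    _rec("2024-05-09T09:00:00Z", "ec2", "DescribeInstances", "203.0.113.10"),
    _rec("2024-05-09T09:05:00Z", "ec2", "RunInstances", "203.0.113.10", read_only=False),
    # burst from a new IP: enumeration, then denied privilege-escalation attempts
    _rec("2024-05-10T03:00:00Z", "iam", "ListUsers", "198.51.100.77"),
    _rec("2024-05-10T03:00:05Z", "iam", "ListRoles", "198.51.100.77"),
    _rec("2024-05-10T03:00:10Z", "s3", "ListBuckets", "198.51.100.77"),
    _rec("2024-05-10T03:00:20Z", "iam", "CreateAccessKey", "198.51.100.77", error="AccessDenied", read_only=False),
    _rec("2024-05-10T03:00:25Z", "iam", "AttachRolePolicy", "198.51.100.77", error="AccessDenied", read_only=False),
    _rec("2024-05-10T03:01:00Z", "ec2", "DescribeInstances", "198.51.100.77", region="eu-west-1"),
    _rec("2024-05-10T04:00:00Z", "sts", "GetCallerIdentity", "192.0.2.5", role="AuditRole"),
]})

ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DeployRole"
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible


def load_records(text):
    """Parse one CloudTrail log file body; the events sit under the "Records" key."""
    return json.loads(text)["Records"]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issuing_role(record):
    """ARN of the IAM role behind an assumed-role session, or the principal ARN
    for users and root; sessionIssuer is what ties many sessions to one role."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def role_events(records, role_arn, now=NOW, days=30):
    """All calls made via `role_arn` in the last `days` days, oldest first."""
    since = now - timedelta(days=days)
    hits = [r for r in records if issuing_role(r) == role_arn and parse_time(r["eventTime"]) >= since]
    return sorted(hits, key=lambda r: r["eventTime"])


def triage(events):
    """What happened, when, from where, and how far: the first pass an analyst
    wants before pivoting into Detective."""
    return {
        "count": len(events),
        "first_seen": events[0]["eventTime"] if events else None,
        "last_seen": events[-1]["eventTime"] if events else None,
        "by_event": Counter(f'{r["eventSource"]}:{r["eventName"]}' for r in events),
        "source_ips": Counter(r["sourceIPAddress"] for r in events),
        "denied": Counter(r["eventName"] for r in events if r.get("errorCode") == "AccessDenied"),
        "regions": sorted({r["awsRegion"] for r in events}),
    }


def call_rate_anomalies(events, factor=3):
    """Hours whose call volume exceeds `factor` times the mean of the other hours.
    A simplified stand-in for the call-rate signal CloudTrail Insights raises,
    not Insights' own algorithm."""
    per_hour = Counter(parse_time(r["eventTime"]).strftime("%Y-%m-%dT%H:00Z") for r in events)
    flagged = []
    for hour, n in sorted(per_hour.items()):
        others = [c for h, c in per_hour.items() if h != hour]
        if others and n > factor * sum(others) / len(others):
            flagged.append((hour, n))
    return flagged


if __name__ == "__main__":
    evs = role_events(load_records(SAMPLE_LOG), ROLE_ARN)
    print(json.dumps(triage(evs), indent=2))
    print("call-rate anomalies:", call_rate_anomalies(evs))
```

Against the constructed log the summary shows the role's normal activity from one address, then a one-hour burst from a second address in which enumeration calls succeed and two write calls are denied; the denied calls and the new region are the lines an analyst would carry into Detective next. Pivoting on sessionIssuer rather than the session ARN matters because each AssumeRole produces a different session name.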

Resource Configuration Change Tracking with Config

AWS Config continuously records configuration changes for supported resources in the accounts and regions where its recorder is enabled and provides a per-resource configuration timeline. In incident response, Config's role is to determine exactly how a resource's configuration changed before and after an incident. For example, if data leakage from an S3 bucket is suspected, the bucket's timeline shows when the bucket policy was changed and when the public access block settings were disabled, and each configuration item carries the IDs of the related CloudTrail events so you can pivot to who made the change. Config Rules detect configuration changes that violate security standards: a change-triggered rule such as the managed rule restricted-ssh ("security groups must not allow SSH from 0.0.0.0/0") is evaluated shortly after the violating change is recorded, while periodic rules run on a schedule. An advanced Config feature is the aggregator, which consolidates Config data from all accounts in an Organization into a single account for cross-organizational resource configuration search and analysis; it only sees accounts and regions in which recording is actually turned on. Even when an incident spans multiple accounts, the aggregator enables unified investigation.
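The two Config uses described above (reading a bucket's timeline to find when public access block and the bucket policy changed, and evaluating a security group the way the SSH rule does), as an added example that is not code from the article. The configuration items are constructed to follow the layout of AWS Config items (resourceType, configurationItemCaptureTime, configuration, supplementaryConfiguration); the bucket name, security group ID and timestamps are made up. Config can return supplementaryConfiguration values as JSON strings, so both forms are accepted. evaluate_compliance returns the verdict a custom Config rule Lambda would report; the PutEvaluations call itself is left out so the logic runs offline.

```python
"""Config timeline diff for an S3 exposure, plus a restricted-ssh style check.

Added example, not code from the article. Configuration items below are
constructed to follow AWS Config's item layout; names and IDs are made up.
"""
import json

PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


def _obj(value):
    """supplementaryConfiguration entries may arrive as JSON text; normalise to dicts."""
    return json.loads(value) if isinstance(value, str) else (value or {})


def s3_timeline_changes(items):
    """Walk a bucket's configuration timeline, oldest first, and report every change
    to a public access block flag or the bucket policy as
    (capture_time, field, before, after)."""
    changes, prev = [], None
    for item in sorted(items, key=lambda i: i["configurationItemCaptureTime"]):
        supp = item.get("supplementaryConfiguration", {})
        pab = _obj(supp.get("PublicAccessBlockConfiguration"))
        state = {f: pab.get(f) for f in PAB_FLAGS}
        state["bucketPolicy"] = _obj(supp.get("BucketPolicy")).get("policyText")
        if prev is not None:
            for field, after in state.items():
                if prev[field] != after:
                    changes.append((item["configurationItemCaptureTime"], field, prev[field], after))
        prev = state
    return changes


def ssh_open_to_world(sg_configuration):
    """True if an ingress rule admits TCP/22 (or all traffic) from 0.0.0.0/0 or ::/0.
    Same intent as the managed Config rule restricted-ssh; checks all three CIDR
    list shapes Config uses (ipRanges, ipv4Ranges, ipv6Ranges)."""
    for perm in sg_configuration.get("ipPermissions", []):
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        if proto == "tcp" and lo is not None and not (lo <= 22 <= hi):
            continue
        cidrs = [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]
        cidrs += perm.get("ipRanges", [])
        cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            return True
    return False


def evaluate_compliance(configuration_item):
    """Verdict in the form a custom Config rule Lambda reports via PutEvaluations."""
    if configuration_item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    open_ssh = ssh_open_to_world(configuration_item.get("configuration", {}))
    return "NON_COMPLIANT" if open_ssh else "COMPLIANT"


# Constructed timeline: bucket hardened, then two block flags turned off, then a
# public policy attached. Policy text is JSON-encoded the way Config stores it.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::finance-exports/*"}]})


def _bucket_item(t, pab, policy=None):
    supp = {"PublicAccessBlockConfiguration": pab}
    if policy:
        supp["BucketPolicy"] = {"policyText": policy}
    return {"resourceType": "AWS::S3::Bucket", "resourceId": "finance-exports",
            "configurationItemCaptureTime": t, "supplementaryConfiguration": supp}


HARDENED = {f: True for f in PAB_FLAGS}
LOOSENED = {**HARDENED, "blockPublicPolicy": False, "restrictPublicBuckets": False}
BUCKET_ITEMS = [
    _bucket_item("2024-05-01T10:00:00.000Z", HARDENED),
    _bucket_item("2024-05-09T22:14:00.000Z", json.dumps(LOOSENED)),  # JSON-string form
    _bucket_item("2024-05-09T22:16:30.000Z", LOOSENED, PUBLIC_POLICY),
]

OPEN_SG_ITEM = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0123456789abcdef0",
    "configuration": {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]},
}

if __name__ == "__main__":
    for change in s3_timeline_changes(BUCKET_ITEMS):
        print(change)
    print(evaluate_compliance(OPEN_SG_ITEM))
```

The timeline diff yields three changes in two capture windows: the two block flags flipped at 22:14 and the public policy attached two minutes later, which is the sequence an attacker (or a careless operator) needs in order to expose objects, and the capture times are what you match against CloudTrail to find the caller. The rule check treats ipProtocol "-1" as covering port 22 and accepts ::/0 as well as 0.0.0.0/0, both of which a naive "port 22 from 0.0.0.0/0" string match misses.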

Integrated Investigation with Detective and Security Hub

Amazon Detective ingests CloudTrail logs, VPC Flow Logs, GuardDuty findings, and EKS audit logs into a behavior graph; it requires GuardDuty to have been enabled for at least 48 hours before it can be turned on, and only data from that point onward is available, so it is not a tool you can switch on after the incident. It visualizes relationships between entities (IAM users, roles, IP addresses, EC2 instances, etc.) as a graph, giving a quick picture of the incident as a whole. When GuardDuty generates a finding for suspicious API calls, you can start an investigation from that finding in Detective and trace the related IAM role's historical behavior, the geographic distribution of source IP addresses, and the other resources the same role operated on over time to determine the scope of compromise. Security Hub functions as the centralized dashboard that aggregates these detection and investigation results. Through ASFF (AWS Security Finding Format), findings from GuardDuty, Inspector, Macie, Config, and third-party tools are displayed in a unified format. Security Hub publishes findings to EventBridge, so rules that match a finding type or severity can invoke Lambda functions or Systems Manager Automation documents to automate containment for specific finding types; custom actions let an analyst trigger the same path manually from the console.
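The automated containment path described above (Security Hub finding, EventBridge rule, Lambda) worked through end to end, as an added example that is not code from the article: an EventBridge event pattern that selects high-severity EC2 findings, and a handler that parses the ASFF findings in the event, gates on severity, finding type and workflow state, and swaps the affected instance's security groups for a quarantine group. The event and findings are constructed; the account ID, instance IDs and quarantine security group ID are made up, the Types strings only follow the ASFF namespace/category/classifier shape, and the type-prefix list and severity gate are this example's policy choices, not a Security Hub default. The EC2 client is injected so the logic runs without AWS credentials; inside Lambda it falls back to boto3.

```python
"""Containment hook: Security Hub finding -> EventBridge -> Lambda -> quarantine SG.

Added example, not code from the article. The event, findings, IDs and the
containment policy below are constructed for illustration.
"""
QUARANTINE_SG = "sg-0quarantine0000000"  # assumption: a group with no ingress and no egress rules
CONTAIN_TYPES = ("TTPs/Command and Control/", "Unusual Behaviors/VM/")  # ASFF type prefixes (policy choice)
SEVERITIES = ("HIGH", "CRITICAL")

# EventBridge rule pattern (config fragment) that routes matching findings to the Lambda.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {
        "Severity": {"Label": list(SEVERITIES)},
        "Resources": {"Type": ["AwsEc2Instance"]},
    }},
}


def instance_ids(finding):
    """EC2 instance IDs named in an ASFF finding's Resources (full ARN or bare ID)."""
    return [r["Id"].rsplit("/", 1)[-1] for r in finding.get("Resources", [])
            if r.get("Type") == "AwsEc2Instance" and r.get("Id")]


def should_contain(finding):
    """Gate on severity, finding type and workflow state, so resolved or suppressed
    findings (for example replayed by a re-import) are never acted on."""
    if finding.get("Severity", {}).get("Label") not in SEVERITIES:
        return False
    if finding.get("Workflow", {}).get("Status") in ("RESOLVED", "SUPPRESSED"):
        return False
    return any(t.startswith(p) for t in finding.get("Types", []) for p in CONTAIN_TYPES)


def quarantine(ec2, instance_id, finding_id):
    """Replace the instance's security groups with the quarantine group and tag it.
    Caveat: ModifyInstanceAttribute Groups only changes the primary ENI; instances
    with additional ENIs need ModifyNetworkInterfaceAttribute per interface."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Quarantined", "Value": "true"},
                          {"Key": "SecurityHubFinding", "Value": finding_id}])


def lambda_handler(event, context=None, ec2=None):
    """Entry point for the EventBridge target. `ec2` is injectable for offline use;
    in Lambda it defaults to a boto3 EC2 client."""
    if ec2 is None:
        import boto3  # deferred so the module imports without boto3 installed
        ec2 = boto3.client("ec2")
    contained = []
    for finding in event.get("detail", {}).get("findings", []):
        if not should_contain(finding):
            continue
        for iid in instance_ids(finding):
            quarantine(ec2, iid, finding["Id"])
            contained.append(iid)
    return {"contained": contained}


class RecordingEc2:
    """Stand-in for the boto3 EC2 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


def _finding(fid, label, types, instance, workflow="NEW"):
    """Minimal constructed ASFF finding for an EC2 instance."""
    return {"SchemaVersion": "2018-10-08", "Id": fid, "AwsAccountId": "123456789012",
            "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/guardduty",
            "Types": types, "Severity": {"Label": label}, "Workflow": {"Status": workflow},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": f"arn:aws:ec2:us-east-1:123456789012:instance/{instance}"}]}


SAMPLE_EVENT = {  # constructed "Security Hub Findings - Imported" event
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("f-1", "HIGH", ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"], "i-0aaaaaaaaaaaaaaaa"),
        _finding("f-2", "LOW", ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"], "i-0bbbbbbbbbbbbbbbb"),
        _finding("f-3", "CRITICAL", ["Unusual Behaviors/VM/Trojan:EC2-DNSDataExfiltration"], "i-0ccccccccccccccccc", workflow="RESOLVED"),
        _finding("f-4", "HIGH", ["Software and Configuration Checks/Vulnerabilities/CVE"], "i-0ddddddddddddddddd"),
    ]},
}

if __name__ == "__main__":
    client = RecordingEc2()
    print(lambda_handler(SAMPLE_EVENT, ec2=client))
    for call in client.calls:
        print(call)
```

Only the first finding is acted on: the second fails the severity gate even though EventBridge would not have delivered it, the third is already resolved, and the fourth is a vulnerability finding for which isolating the host is the wrong response. Keeping the gate inside the function and not only in the EventBridge pattern is deliberate, since the same handler is reachable from a custom action, where the pattern does not apply. Give the function's execution role only ec2:ModifyInstanceAttribute and ec2:CreateTags, scoped by tag or resource where possible, so a bug here cannot become a broader outage.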

Comparison with Azure Sentinel's Investigation Approach

Azure Sentinel (now Microsoft Sentinel) is a cloud-native SIEM/SOAR with a fundamentally different approach to incident response from AWS. Sentinel takes a centralized approach: all logs are ingested into a Log Analytics workspace and analyzed across sources with KQL (Kusto Query Language). This contrasts with AWS's distributed approach, where each service handles its specialty and results are connected through ASFF. Sentinel's strengths include multi-source support (Azure, AWS, GCP, and on-premises logs via data connectors) and deep integration with Microsoft 365 Defender. Being able to investigate email threats, endpoint anomalies, and identity-based attacks in one place is highly valuable for organizations invested in the Microsoft ecosystem. On the other hand, Sentinel is priced on the volume of data ingested into the workspace (plus retention beyond the free period), which makes cost management challenging in large environments. AWS's GuardDuty and Detective are also priced by the volume of data they analyze, so the volume still matters; the practical difference is that they read CloudTrail events and VPC Flow Logs at the source, so there is no collection pipeline to build and no second copy of the logs to pay ingestion for, and the volume you pay for is driven by account activity rather than by what you choose to forward.

Summary

AWS's incident response toolchain consists of API call recording with CloudTrail, resource configuration change tracking with Config, entity relationship visualization with Detective, and centralized finding aggregation with Security Hub. The distributed architecture, where each service specializes in its domain while connecting through ASFF, covers incident detection, investigation and containment without requiring a third-party SIEM, although organizations that already run one commonly forward Security Hub findings into it. Microsoft Sentinel has strengths in multi-source support and Microsoft ecosystem integration, but requires active management of log ingestion costs. AWS's approach offers simpler setup, since enabling each service yields an investigation platform with no log pipeline to build, at the cost of pricing that still scales with the volume of activity analyzed. The first step toward improving incident response maturity is enabling CloudTrail and Config across all accounts and regions and building a visibility foundation with Security Hub.