Case study – an AWS threat detection and incident handling ecosystem
Having introduced Amazon's logging and monitoring services in the previous section, we now turn to a case study of an actual security incident and the details of how it was handled, presenting the automatic threat detection and remediation system that the author developed for an AWS customer.
CloudSpace is an Amazon enterprise customer that functions as a reseller of AWS services to end customers, with over 4,000 AWS accounts in total. During 2017-2018, CloudSpace experienced three cases of account compromise. Three accounts were compromised in the first attack in November 2017, and four more in the second attack in March 2018. The third incident occurred in August 2018, when another five accounts were compromised. These incidents led to about $200,000 in losses. Investigations thereafter revealed that no threat-detection services were enabled and the Amazon fraud detection team’s customer notifications...