# Mapping to NIST 800 Series

## 800-92 Mapping

Below is a mapping of the AWS tools and resources to the NIST Cybersecurity Log Management Planning Guide, NIST.SP.800-92r1.
| AWS Service | Function and Capability | SP 800-92r1.ipd Task ID | SP 800-92r1.ipd Task Summary | Relationship Explanation |
|---|---|---|---|---|
| AWS Organizations | AWS Organizations is a service that enables centralized management and governance of AWS accounts within an organization. The NCCoE has used Organizations to create a central “security and logging” account under the root of the organization, which can be used to consolidate and analyze log data forwarded from multiple AWS accounts. | INV-5.3 | Update which tasks are associated with each role. | The NCCoE establishes Service Control Policies (SCPs) to restrict AWS users and roles in member accounts to access only the services required for their respective account functions. For example, logging accounts may be restricted to prevent deployment of databases or other application infrastructure. |
| Amazon CloudWatch | Amazon CloudWatch can be used to ingest logs from various AWS resources and services, such as EC2 instances, into a centralized log repository in CloudWatch Logs. This log ingestion capability enables organizations to collect and analyze log data from multiple sources within their AWS environment for monitoring, troubleshooting, and security purposes. Logs are automatically collected into log streams and log groups. CloudWatch also compresses logs and supports log clearing and visualization capabilities. For application logs, the NCCoE has installed the CloudWatch Agent on EC2 instances to watch log directories and push them to CloudWatch. | INV-1.2 | Update the inventory to reflect standard configurations for logging and which types of assets use each standard configuration. | The logs that CloudWatch ingests from natively integrated services are already in a standardized format. CloudWatch also automatically detects certain fields that can then be queried, as detailed in the documentation: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_AnalyzeLogData-discoverable-fields.html |
| | | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE has recommended that its application teams install the CloudWatch Agent so that logs can be centralized in CloudWatch. Some applications used for development or testing do not need to adhere to this recommendation. |
| | | TS-2.10 | Determine how log generation should or must be protected. | Logs transmitted to CloudWatch are automatically encrypted in transit and at rest. Logs are centralized in a log archive account, where they are not altered and are available for review/audit. |
| | | TS-3.1 | Determine how long each log event should or must be preserved at the log source. | CloudWatch logs are by default retained indefinitely, but the NCCoE has modified log retention durations according to its unique compliance requirements. |
| Amazon CloudTrail | Amazon CloudTrail is an AWS service that provides a record of actions taken within an AWS account. It captures API calls and related events across various AWS services, allowing organizations to track and monitor account activity for security, compliance, and operational purposes. The NCCoE has also enabled CloudTrail data events for S3. | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE requires all member accounts in the Organization to enable CloudTrail and centralize logs into the main logging and security account. |
| | | TS-2.10 | Determine how log generation should or must be protected. | CloudTrail logs stored in S3 are encrypted using SSE-S3 by default. |
| | | TS-4.2 | Determine how log preservation orders, such as a legal requirement to protect and prevent the alteration and destruction of particular log records, must be handled from a technical standpoint. | CloudTrail log file integrity validation can be enabled to verify that log files have not been deleted or changed after delivery. |
| AWS IAM Identity Center | AWS IAM Identity Center allows organizations to create and manage federated user identities, groups, and access policies in a centralized location, streamlining the process of granting and revoking access to AWS resources across multiple accounts. The NCCoE has integrated an on-premises Active Directory with IAM Identity Center. | INV-5.2 | Identify any new roles and add them to the inventory. | When new users are added to the NCCoE’s Active Directory, IAM Identity Center synchronizes them so that they also exist in AWS. |
| AWS Identity and Access Management (IAM) | AWS Identity and Access Management (IAM) is a service that helps organizations securely control access to AWS resources by allowing them to create and manage AWS users and groups and use permissions to grant or deny their access to AWS service resources. The NCCoE has established unique IAM roles and policies according to the unique job requirements of its staff. | INV-5.1 | Confirm that all roles already in the inventory are still applicable. | The NCCoE uses IAM Access Analyzer to find stale users and roles that have not been accessed for an extended period of time. Refer to the documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html#what-is-access-analyzer-unused-access-analysis |
| | | TS-4.1 | Identify the access-related policy requirements for log sources and transferred logs for each type of log event. | IAM users, roles, and policies can be used to establish fine-grained access control for logging access across AWS services. Each AWS service may offer further options to configure fine-grained access control. |
| Amazon GuardDuty | Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior within AWS accounts, utilizing machine learning, anomaly detection, and integrated threat intelligence to identify potential threats. Under the hood, GuardDuty analyzes various data sources, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect suspicious patterns and activities that may indicate account compromise, data exfiltration, or other security threats. The NCCoE has enabled GuardDuty and set up alerting mechanisms to be notified upon critical findings. | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE requires all member accounts in the Organization to enable GuardDuty. |
| Amazon Detective | Amazon Detective is a security service that automatically collects and analyzes data from various AWS sources, such as CloudTrail, VPC Flow Logs, and GuardDuty findings, to help organizations investigate potential security issues or suspicious activities within their AWS environment. The NCCoE has enabled Detective to investigate any future bugs or incidents. | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE recommends that Detective be enabled in accounts that may have production applications running. |
| Amazon Inspector | Amazon Inspector is a vulnerability management service that automatically scans AWS resources for potential security vulnerabilities and deviations from best practices, generating detailed findings and recommendations to help organizations identify and remediate security risks within their AWS environment. The NCCoE uses Inspector to scan both Windows and Linux instances with the Inspector agent. | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE recommends that Inspector be integrated into member AWS accounts that contain Inspector-supported resources. |
| AWS Security Hub | AWS Security Hub is a cloud security posture management service that provides a comprehensive view of an organization’s security alerts and compliance status across multiple AWS accounts and services. To assess its security posture against industry-recognized best practices and regulatory requirements, the NCCoE has deployed the AWS Foundational Security Best Practices, Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0, and NIST 800-53 Rev. 5 security standards. Security Hub is also used to centralize findings from Trusted Advisor, Config, GuardDuty, and Detective. | INV-4.2 | Identify all new requirements applicable to existing log source types or logging use cases. | The NCCoE uses the National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5 security standard in Security Hub to ensure it meets its organization’s unique governance requirements. |
| | | INV-5.3 | Update which tasks are associated with each role. | Security Hub findings can be investigated and assigned to other AWS users in the NCCoE environment. Security Hub is configured to notify assigned resolvers when a new finding is generated. See: https://docs.aws.amazon.com/securityhub/latest/userguide/findings-custom-action.html |
| | | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | Security Hub allows findings that the organization deems unnecessary to be disabled. |
| | | INV-4.1 | Confirm that all requirements already in the inventory are still applicable and remove outdated requirements. | Security Hub standards can be removed from an AWS account so that outdated standards are no longer tracked. |
| Amazon Security Lake | Amazon Security Lake is a service that enables organizations to centrally collect, store, and analyze structured and unstructured security data from various sources. The NCCoE ingests findings from CloudTrail, GuardDuty, VPC Flow Logs, and Security Hub into Security Lake. | TS-2.10 | Determine how log generation should or must be protected. | Security Lake encrypts all data in transit between AWS services. Security Lake also by default encrypts data at rest in an Amazon S3 bucket that Security Lake manages. |
| | | TS-3.8 | Determine if and when each type of log event should or must be transferred from active storage to cold data storage for data retention purposes. | Security Lake findings are by default retained according to the lifecycle settings of the underlying S3 bucket. |
| Amazon VPC | Amazon VPC is a core AWS service that allows organizations to define and launch AWS resources in a logically isolated virtual network. The NCCoE has deployed Amazon EC2 instances in its VPCs and uses features such as VPC Flow Logs to log and detect anomalous network traffic. | TS-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE requires VPC Flow Logs to be centralized from AWS accounts with production applications. |
| AWS CloudFormation | AWS CloudFormation is an Infrastructure as Code service that allows organizations to declaratively model and deploy AWS services. The NCCoE uses CloudFormation templates to manage and deploy its logging infrastructure. | INV-2.1 | For each type of log source, determine whether it should be required, recommended, not recommended, or prohibited. | The NCCoE manages logging infrastructure using CloudFormation so that logging infrastructure can be deployed in a consistent manner and drift from the source template is automatically detected. |
| | | INV-1.2 | Update the inventory to reflect standard configurations for logging and which types of assets use each standard configuration. | The NCCoE uses CloudFormation to define standard configurations for not only logging infrastructure but also application infrastructure, so that AWS administrators do not have to deploy services by clicking through the console, which can be slower and more error-prone than using CloudFormation. |
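The TS-3.1 row above notes that CloudWatch Logs keeps events indefinitely unless a retention period is set. The following is an added example (not NCCoE code) of an offline audit over records shaped like the `logGroups` entries that the CloudWatch Logs DescribeLogGroups API returns (`logGroupName`, optional `retentionInDays`, optional `kmsKeyId`). The sample records, the per-prefix retention bounds and the requirement for a customer managed KMS key on trail log groups are all constructed for the example; the one edge case worth knowing is that a missing `retentionInDays` means "never expire", not "unknown".

```python
"""Audit CloudWatch Logs retention settings against a constructed logging policy.

Added example, not part of the NCCoE build. Records mirror the shape of
DescribeLogGroups output; a missing `retentionInDays` means the group retains
events indefinitely (the CloudWatch default the mapping refers to).
"""
from dataclasses import dataclass

# Constructed sample of what DescribeLogGroups might return (not real data).
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/cloudtrail/org-trail", "retentionInDays": 365,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},  # placeholder ARN
    {"logGroupName": "/app/payments/api", "retentionInDays": 30},
    {"logGroupName": "/app/dev/scratch"},                  # no retention -> indefinite
    {"logGroupName": "/aws/lambda/rotate-keys", "retentionInDays": 3653},
]

# Constructed policy: (minimum, maximum) retention in days per log-group prefix.
RETENTION_POLICY = {
    "/aws/cloudtrail/": (365, 2557),
    "/app/": (90, 400),
}
DEFAULT_POLICY = (30, 400)

# Constructed rule: log groups under these prefixes must use a customer managed KMS key.
CMK_REQUIRED_PREFIXES = ("/aws/cloudtrail/",)


@dataclass
class Finding:
    log_group: str
    issue: str


def policy_for(name: str):
    """Return the (min, max) retention bounds that apply to a log group name."""
    for prefix, bounds in RETENTION_POLICY.items():
        if name.startswith(prefix):
            return bounds
    return DEFAULT_POLICY


def audit_retention(groups, cmk_prefixes=CMK_REQUIRED_PREFIXES):
    """Return a Finding for every group whose retention or encryption violates policy."""
    findings = []
    for g in groups:
        name = g["logGroupName"]
        lo, hi = policy_for(name)
        days = g.get("retentionInDays")
        if days is None:
            findings.append(Finding(name, f"no retention set (events kept indefinitely); policy requires {lo}-{hi} days"))
        elif days < lo:
            findings.append(Finding(name, f"retention {days} days is below the {lo}-day minimum"))
        elif days > hi:
            findings.append(Finding(name, f"retention {days} days exceeds the {hi}-day maximum"))
        if any(name.startswith(p) for p in cmk_prefixes) and "kmsKeyId" not in g:
            findings.append(Finding(name, "not encrypted with a customer managed KMS key"))
    return findings


if __name__ == "__main__":
    for f in audit_retention(SAMPLE_LOG_GROUPS):
        print(f"{f.log_group}: {f.issue}")
```

Against a live account the same function can be fed the pages of a boto3 `logs` client `describe_log_groups` paginator; note that CloudWatch only accepts a fixed set of retention values (1, 3, 5, 7, 14, 30, ... 3653 days), so a remediation step that calls `put_retention_policy` has to round up to one of them.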
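The TS-4.2 row for CloudTrail relies on log file integrity validation, which works by delivering an hourly digest file that records the SHA-256 hash of every log file delivered in that hour plus the hash of the previous digest file, forming a chain. The block below is an added example (not NCCoE or AWS code) that rebuilds and checks that hash chain from in-memory objects using the field names CloudTrail's digest files use (`logFiles[].s3Object`, `logFiles[].hashValue`, `previousDigestHashValue`). It deliberately omits the RSA signature check on each digest, which the real `aws cloudtrail validate-logs` command performs; the log records, bucket name and account id are constructed placeholders.

```python
"""Offline check of the CloudTrail log file integrity hash chain.

Added example, not NCCoE code. Log files are gzipped JSON with a "Records" list;
each digest lists the SHA-256 of every log file it covers and the SHA-256 of
the previous digest. The digest signature (SHA256withRSA) is NOT checked here.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_log_file(records) -> bytes:
    """Build a CloudTrail-style log object; mtime=0 keeps the gzip output stable."""
    return gzip.compress(json.dumps({"Records": records}).encode(), mtime=0)


def make_digest(log_objects, previous_digest_bytes=None, bucket="example-trail-bucket"):
    """Build a digest document over a dict of {s3 key: object bytes} (constructed values)."""
    digest = {
        "awsAccountId": "111122223333",  # placeholder account id
        "digestS3Bucket": bucket,
        "logFiles": [
            {"s3Bucket": bucket, "s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
            for key, body in log_objects.items()
        ],
        "previousDigestHashValue": sha256_hex(previous_digest_bytes) if previous_digest_bytes else None,
        "previousDigestHashAlgorithm": "SHA-256" if previous_digest_bytes else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def verify_chain(digests, objects):
    """Walk digests oldest-first; return a list of problems (empty means the chain is intact).

    `digests` is a list of digest file bytes in delivery order; `objects` maps
    S3 key -> the bytes currently stored under that key.
    """
    problems = []
    previous = None
    for i, raw in enumerate(digests):
        d = json.loads(raw)
        if previous is not None and d["previousDigestHashValue"] != sha256_hex(previous):
            problems.append(f"digest {i}: previous digest hash mismatch (digest {i - 1} was modified or replaced)")
        for entry in d["logFiles"]:
            body = objects.get(entry["s3Object"])
            if body is None:
                problems.append(f"digest {i}: log file {entry['s3Object']} is missing")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"digest {i}: log file {entry['s3Object']} hash mismatch")
        previous = raw
    return problems


def demo():
    """Constructed scenario: two hours of logs and two chained digests."""
    objects = {
        "logs/h01.json.gz": make_log_file([{"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"}}]),
        "logs/h02.json.gz": make_log_file([{"eventName": "PutObject"}]),
    }
    d1 = make_digest({"logs/h01.json.gz": objects["logs/h01.json.gz"]})
    d2 = make_digest({"logs/h02.json.gz": objects["logs/h02.json.gz"]}, previous_digest_bytes=d1)
    intact = verify_chain([d1, d2], objects)

    # Case 1: the first hour's log file is altered after delivery -> its hash no longer matches.
    edited = dict(objects)
    edited["logs/h01.json.gz"] = make_log_file([{"eventName": "PutObject"}])
    edit_detected = verify_chain([d1, d2], edited)

    # Case 2: the first digest is also regenerated to match the altered file. The chain
    # still catches it, because the second digest records the hash of the original digest.
    d1_replaced = make_digest({"logs/h01.json.gz": edited["logs/h01.json.gz"]})
    replacement_detected = verify_chain([d1_replaced, d2], edited)
    return intact, edit_detected, replacement_detected


if __name__ == "__main__":
    for label, result in zip(("intact", "edited log", "replaced digest"), demo()):
        print(label, "->", result or "OK")
```

The second case is the reason the chain matters: without the signature check, a single regenerated digest could make an edited log file look consistent, but only until the next digest in the chain is compared. In production, use `aws cloudtrail validate-logs --trail-arn ... --start-time ...`, which additionally verifies each digest's signature against the CloudTrail public key for that region.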
## 800-53 Mapping

Below is a mapping of the AWS tools and resources to the NIST Security and Privacy Controls for Information Systems and Organizations, NIST.SP.800-53r5.
| AWS Service | Function and Capability | SP 800-53r5 Control Family | SP 800-53r5 Control Name | Relationship Explanation |
|---|---|---|---|---|
| AWS Organizations | AWS Organizations is a service that enables centralized management and governance of AWS accounts within an organization. The NCCoE has used Organizations to create a central “security and logging” account under the root of the organization, which can be used to consolidate and analyze log data forwarded from multiple AWS accounts. | AC | Access Control | AWS Organizations supports the centralized creation and management of AWS accounts. AWS Organizations supports service control policies (SCPs), which can be used to enforce access restrictions and control the actions that can be performed by accounts, users, and roles within an organization. AWS Organizations supports the creation of multiple organizational units (OUs), which can be used to logically group and manage accounts based on different criteria, such as business units, environments, or applications. AWS Organizations supports the use of tag policies, which can be used to standardize tagging based on specific resource characteristics or metadata. |
| Amazon CloudWatch | Amazon CloudWatch can be used to ingest logs from various AWS resources and services, such as EC2 instances, into a centralized log repository in CloudWatch Logs. This log ingestion capability enables organizations to collect and analyze log data from multiple sources within their AWS environment for monitoring, troubleshooting, and security purposes. Logs are automatically collected into log streams and log groups. CloudWatch also compresses logs and supports log clearing and visualization capabilities. For application logs, the NCCoE has installed the CloudWatch Agent on EC2 instances to watch log directories and push them to CloudWatch. | AC | Access Control | Amazon CloudWatch can collect and analyze logs from various AWS services. Amazon CloudWatch supports the creation of alarms to notify administrators when a user-defined metric reaches a threshold. |
| | | CA | Security Assessment and Authorization | Amazon CloudWatch supports ongoing metric and application log storage. Customers can report on and analyze these logs in CloudWatch or export them. |
| | | SC | System and Communications Protection | Amazon CloudWatch Logs are encrypted at rest and in transit. |
| Amazon CloudTrail | Amazon CloudTrail is an AWS service that provides a record of actions taken within an AWS account. It captures API calls and related events across various AWS services, allowing organizations to track and monitor account activity for security, compliance, and operational purposes. The NCCoE has also enabled CloudTrail data events for S3. | AC | Access Control | Amazon CloudTrail supports the logging of API calls made across most AWS services and features. These logs can be audited according to organizational requirements, such as for failed login attempts and anomalous access. |
| | | AU | Audit and Accountability | Amazon CloudTrail supports the logging of API calls made across most AWS services and features. These logs can be audited according to organizational requirements, such as for failed login attempts and anomalous access. |
| | | CA | Security Assessment and Authorization | Amazon CloudTrail supports ongoing logging and monitoring of AWS account-level API calls. |
| | | SC | System and Communications Protection | Amazon CloudTrail log files delivered to an Amazon S3 bucket are automatically encrypted using server-side encryption. |
| AWS IAM Identity Center | AWS IAM Identity Center allows organizations to create and manage federated user identities, groups, and access policies in a centralized location, streamlining the process of granting and revoking access to AWS resources across multiple accounts. The NCCoE has integrated an on-premises Active Directory with IAM Identity Center. | AC | Access Control | AWS IAM Identity Center supports the creation and management of users from federated identities or users managed by Identity Center. AWS IAM Identity Center supports user access to applications and to AWS accounts. AWS IAM Identity Center supports least-privilege access via features such as permission sets. |
| | | IA | Identification and Authentication | AWS IAM Identity Center provides a centralized identity management solution for authenticating organizational users across multiple AWS accounts and cloud applications. AWS IAM Identity Center supports various authentication methods, such as username/password, multi-factor authentication (MFA), and integration with corporate identity providers (e.g., Active Directory, SAML). |
| | | PS | Personnel Security | AWS IAM Identity Center supports the deactivation of AWS accounts, both for accounts managed by AWS and automatically for accounts managed by federated identity providers. |
| AWS Identity and Access Management (IAM) | AWS Identity and Access Management (IAM) is a service that helps organizations securely control access to AWS resources by allowing them to create and manage AWS users and groups and use permissions to grant or deny their access to AWS service resources. The NCCoE has established unique IAM roles and policies according to the unique job requirements of its staff. | AC | Access Control | AWS IAM supports access control to AWS resources via federated identities, or via users, roles, and policies defined within IAM. AWS IAM supports the identification of unused roles via IAM Access Analyzer. |
| | | IA | Identification and Authentication | AWS IAM supports access control to AWS resources via federated identities, or via users, roles, and policies defined within IAM. AWS IAM also supports re-authentication and the management of temporary security credentials and session tokens. AWS IAM also supports the management and rotation of access keys and MFA devices. AWS IAM allows organizations to define and enforce password policies, including complexity requirements, expiration periods, and password reuse restrictions. |
| | | PS | Personnel Security | AWS IAM supports the deactivation of AWS accounts, both for accounts managed by AWS and automatically for accounts managed by federated identity providers. |
| Amazon GuardDuty | Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior within AWS accounts, utilizing machine learning, anomaly detection, and integrated threat intelligence to identify potential threats. Under the hood, GuardDuty analyzes various data sources, such as AWS CloudTrail logs, VPC Flow Logs, and DNS logs, to detect suspicious patterns and activities that may indicate account compromise, data exfiltration, or other security threats. The NCCoE has enabled GuardDuty and set up alerting mechanisms to be notified upon critical findings. | AC | Access Control | Amazon GuardDuty monitors use of accounts for compromised and exfiltrated AWS credentials. |
| | | CA | Security Assessment and Authorization | Amazon GuardDuty supports ongoing monitoring and threat protection of AWS accounts. Amazon GuardDuty supports monitoring of threats for workloads running in Amazon S3, Amazon EC2, Amazon EKS, and AWS Lambda. |
| | | RA | Risk Assessment | Amazon GuardDuty supports ongoing monitoring and threat protection of AWS accounts. Amazon GuardDuty supports monitoring of threats for workloads running in Amazon S3, Amazon EC2, Amazon EKS, and AWS Lambda. |
| | | SC | System and Communications Protection | Amazon GuardDuty supports Runtime Monitoring for supported AWS compute services. This requires that a GuardDuty security agent be installed on instances. Amazon GuardDuty encrypts data at rest and in transit. |
| | | SI | System and Information Integrity | Amazon GuardDuty supports ongoing monitoring and threat protection of AWS accounts. Amazon GuardDuty supports monitoring of threats for workloads running in Amazon S3, Amazon EC2, Amazon EKS, and AWS Lambda. Amazon GuardDuty correlates data from a variety of sources, such as VPC Flow Logs, CloudTrail logs, and DNS logs, to generate findings. |
| Amazon Detective | Amazon Detective is a security service that automatically collects and analyzes data from various AWS sources, such as CloudTrail, VPC Flow Logs, and GuardDuty findings, to help organizations investigate potential security issues or suspicious activities within their AWS environment. The NCCoE has enabled Detective to investigate any future bugs or incidents. | IR | Incident Response | Amazon Detective allows organizations to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Amazon Detective’s prebuilt data aggregations, summaries, and context help customers quickly analyze and determine the nature and extent of possible incidents. |
| | | RA | Risk Assessment | Amazon Detective allows organizations to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities. Amazon Detective’s prebuilt data aggregations, summaries, and context help customers quickly analyze and determine the nature and extent of possible incidents. These features help customers respond to findings in accounts and applications. |
| Amazon Inspector | Amazon Inspector is a vulnerability management service that automatically scans AWS resources for potential security vulnerabilities and deviations from best practices, generating detailed findings and recommendations to help organizations identify and remediate security risks within their AWS environment. The NCCoE uses Inspector to scan both Windows and Linux instances with the Inspector agent. | CA | Security Assessment and Authorization | Amazon Inspector supports scanning of Amazon EC2 instances, container images in Amazon ECR, and Lambda functions. |
| | | RA | Risk Assessment | Amazon Inspector supports scanning of Amazon EC2 instances, container images in Amazon ECR, and Lambda functions. |
| | | SC | System and Communications Protection | Amazon Inspector encrypts data at rest and in transit. |
| | | SI | System and Information Integrity | Amazon Inspector supports scanning of Amazon EC2 instances, container images in Amazon ECR, and Lambda functions. |
| AWS Security Hub | AWS Security Hub is a cloud security posture management service that provides a comprehensive view of an organization’s security alerts and compliance status across multiple AWS accounts and services. To assess its security posture against industry-recognized best practices and regulatory requirements, the NCCoE has deployed the AWS Foundational Security Best Practices, Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0, and NIST 800-53 Rev. 5 security standards. Security Hub is also used to centralize findings from Trusted Advisor, Config, GuardDuty, and Detective. | AU | Audit and Accountability | AWS Security Hub provides a comprehensive view of an organization’s security posture across multiple AWS accounts and services. |
| | | CM | Configuration Management | AWS Security Hub provides pre-built and customizable security standards, which define desired configuration settings and best practices for AWS resources. AWS Security Hub aggregates and correlates findings from various AWS services, including AWS Config, which monitors and records configuration changes to AWS resources. AWS Security Hub provides a centralized view of AWS resources and their configurations across multiple accounts and services. |
| | | SC | System and Communications Protection | AWS Security Hub encrypts data at rest and data in transit between component services. |
| Amazon Security Lake | Amazon Security Lake is a service that enables organizations to centrally collect, store, and analyze structured and unstructured security data from various sources. The NCCoE ingests findings from CloudTrail, GuardDuty, VPC Flow Logs, and Security Hub into Security Lake. | AU | Audit and Accountability | Amazon Security Lake supports automatic ingestion and centralization of security data from multiple sources, including AWS services like CloudTrail and GuardDuty, as well as third-party security solutions. |
| | | CM | Configuration Management | Amazon Security Lake ingests and centralizes security data from various AWS services, including AWS Config, which captures and monitors baseline configurations for AWS resources. Security Lake can serve as a central point for security data across accounts and as a repository for further analysis of security events. |
| | | SC | System and Communications Protection | Amazon Security Lake encrypts data at rest and in transit. |
| Amazon VPC | Amazon VPC is a core AWS service that allows organizations to define and launch AWS resources in a logically isolated virtual network. The NCCoE has deployed Amazon EC2 instances in its VPCs and uses features such as VPC Flow Logs to log and detect anomalous network traffic. | IR | Incident Response | Amazon VPC supports Traffic Mirroring, which allows customers to capture and inspect network traffic at scale. Customers can extract traffic of interest and gain operational insights to quickly respond to an incident. |
| | | SC | System and Communications Protection | Amazon VPC supports the logical separation of customer workloads in separate VPCs. VPCs also include route tables, which customers can use to determine where traffic is routed. Resources in a VPC can be associated with security groups, which control the traffic that is allowed to reach and leave them. Security groups are “deny by default”. VPC Flow Logs can also be stored and analyzed so that network traffic within the VPC is monitored. VPC also supports custom DHCP option sets that allow users to customize VPCs with options such as custom DNS and NTP servers. Customers that use specific Nitro-enabled resources in a VPC can also offload encryption in transit to the underlying Nitro System hardware. |
| AWS CloudFormation | AWS CloudFormation is an Infrastructure as Code service that allows organizations to declaratively model and deploy AWS services. The NCCoE uses CloudFormation templates to manage and deploy its logging infrastructure. | CM | Configuration Management | AWS CloudFormation supports the declarative creation of AWS resources via Infrastructure as Code (IaC). Customers can use CloudFormation to define a repeatable, deployable inventory of AWS infrastructure. |
| | | CP | Contingency Planning | AWS CloudFormation templates can be used to provision and configure AWS resources in alternate sites or regions, reducing the time and effort required to restore systems and services. |
| | | SC | System and Communications Protection | AWS CloudFormation encrypts data at rest and in transit. |
| AWS Config | AWS Config is a service that enables organizations to assess, audit, and evaluate the configurations of their AWS resources for compliance with internal practices, industry standards, and regulations. | AC | Access Control | AWS Config monitors and records AWS resource configurations, including those related to AWS IAM. |
| | | AU | Audit and Accountability | AWS Config supports monitoring and recording of resource configurations, allowing organizations to assess their compliance with security best practices and internal policies. |
| | | CA | Security Assessment and Authorization | AWS Config supports evaluating AWS resources against rules in a proactive or detective manner. |
| | | CM | Configuration Management | AWS Config provides pre-built and customizable AWS Config rules, which define desired configuration settings for AWS resources. AWS Config can be used to monitor and enforce configurations of supported AWS resources. |
| | | SC | System and Communications Protection | AWS Config encrypts data at rest and in transit. |
| Amazon Simple Notification Service | Amazon Simple Notification Service (SNS) is a fully managed messaging service that enables organizations to decouple microservices, distributed systems, and serverless applications by sending push notifications to various endpoints such as AWS Lambda functions, HTTP/S webhooks, email, SMS, and mobile push notifications. | SC | System and Communications Protection | Amazon SNS encrypts data at rest. Data sent to and from SNS can be encrypted in transit using TLS. |
| | | SI | System and Information Integrity | Amazon SNS integrates with many AWS services to send notifications/alerts based on thresholds. |
| AWS Lambda | AWS Lambda is a serverless computing service that allows customers to run code without provisioning or managing servers, automatically scaling and charging only for the compute time consumed. | AC | Access Control | AWS Lambda supports the ability to automatically detect and take action on stale accounts. |
| | | SC | System and Communications Protection | AWS Lambda encrypts data at rest. Encryption in transit is a shared responsibility. |
| AWS Control Tower | AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. | AC | Access Control | AWS Control Tower supports automated account creation via the Account Factory feature. |
| | | CM | Configuration Management | AWS Control Tower supports the use of landing zones, which are multi-account environments based on security and compliance best practices. AWS Control Tower supports the use of controls (guardrails) for high-level governance of AWS accounts. AWS Control Tower supports the use of an Account Factory, which standardizes provisioning of AWS accounts. |
| | | SC | System and Communications Protection | AWS Control Tower encrypts data at rest and in transit. |
| AWS Shield | AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS against network and transport layer attacks. | SC | System and Communications Protection | AWS Shield provides DDoS detection and mitigation benefits for all applications running on AWS. Shield Standard protects against network volumetric (layer 3) and protocol (layer 4) attacks. |
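Both tables describe service control policies (SCPs) as the mechanism that keeps a member account such as the logging account from deploying databases or other application infrastructure. The block below is an added example (not NCCoE or AWS code) of a simplified model of SCP evaluation: an explicit `Deny` in any applicable SCP wins, and otherwise the action must be matched by an `Allow` statement, here the `FullAWSAccess` policy that AWS attaches to every account by default. The SCP document is constructed for the example (deny database and compute deployment, deny changes to trail and retention settings) and is not the NCCoE's actual policy; the evaluator handles `Action`/`NotAction` wildcards only and ignores `Resource` and `Condition`, and it models a single policy set rather than the real requirement that an `Allow` exist at every level of the OU hierarchy. SCPs also never restrict the management account.

```python
"""Simplified model of how a service control policy bounds a member account.

Added example, not part of the NCCoE build. Implements the core SCP rules for
Action/NotAction matching: explicit Deny wins; otherwise an Allow is required.
Resource, Condition and the per-OU-level Allow requirement are not modelled.
"""
import fnmatch
import json

# Constructed SCP for the OU holding the logging account (illustrative, not the NCCoE's policy).
LOGGING_ACCOUNT_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAppInfrastructure",
      "Effect": "Deny",
      "Action": ["rds:*", "dynamodb:*", "ecs:*", "eks:*", "ec2:RunInstances"],
      "Resource": "*"
    },
    {
      "Sid": "ProtectLoggingConfig",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                 "logs:DeleteLogGroup", "logs:PutRetentionPolicy"],
      "Resource": "*"
    }
  ]
}
""")

# The AWS managed policy attached to every account by default.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action):
    """IAM action patterns are case-insensitive and support '*' and '?' wildcards."""
    a = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(a, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(a, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def scp_allows(action, scps):
    """Return (allowed, reason) for one action under a set of SCP documents."""
    allowed_by = None
    for policy in scps:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False, f"explicit deny by {stmt.get('Sid', '<no Sid>')}"
            allowed_by = stmt.get("Sid", "<no Sid>")
    if allowed_by is None:
        return False, "implicit deny: no SCP statement allows this action"
    return True, f"allowed by {allowed_by}"


def evaluate(actions, scps=(FULL_AWS_ACCESS, LOGGING_ACCOUNT_SCP)):
    """Evaluate a list of actions; returns {action: (allowed, reason)}."""
    return {a: scp_allows(a, scps) for a in actions}


if __name__ == "__main__":
    sample = ["rds:CreateDBInstance", "logs:PutLogEvents", "ec2:DescribeInstances",
              "cloudtrail:StopLogging", "s3:PutObject"]
    for action, (ok, why) in evaluate(sample).items():
        print(f"{action:28} {'ALLOW' if ok else 'DENY '} ({why})")
```

The practical point this shows is that an SCP never grants anything: removing `FULL_AWS_ACCESS` from the set makes every action an implicit deny, which is why a logging account's SCP is written as a short deny list layered over the default allow rather than as an allow list of logging actions.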