5 Tactical Tips For Security Teams Using AWS

Security teams face new challenges as they move workloads to AWS. Legacy SIEM solutions were not built for the cloud, and as a result they often cannot keep up with the volume and velocity of AWS log data. That gap leaves your organization exposed. Staying ahead requires the right tactics and strategies.

In Panther’s latest report, State of AWS Log Management, the company surveyed 250 security professionals who actively use AWS and condensed the results into five tactical tips that will help any security team operationalize the vast amounts of data produced by AWS logs.

Tip One: Focus on the Basics First

Define your top logging requirements and get those log sources to roughly 80% of where you want them before moving on to others. It is better to ingest and alert on a small set of logs efficiently and effectively than to ingest a firehose of logs and alert on them poorly.

Any logging system has to ingest logs quickly and efficiently, but ingestion is only half the job: the logs also have to be parsed, normalized and turned into alerts that someone acts on. A large volume of records that is ingested but never processed well leads to missed alerts and slow investigations. A smaller set of well-understood logs that is processed promptly lets you identify and resolve issues while they are still small, and gives you a working pipeline to extend when you add the next source.

Tip Two: It’s Not Magic

Don’t think of your SIEM as a magical tool that does most of your thinking for you. Operating a SIEM is hard work, and it never ends. Changes in your environment and changes in external threats mean that the only constant thing is change.

SIEMs have become an essential tool for security teams, but they are not a magic bullet. A SIEM gives you a central place to collect and analyze data from multiple sources, and with it visibility into potential threats, but it only works if it is correctly configured and kept up to date: detections drift as your environment changes, and new threats need new rules. The hard work of tracking changes in your environment and in the threat landscape is what keeps your SIEM effective.

Tip Three: Segment Functions Into More AWS Accounts

You can isolate resources and protect them from unauthorized access by creating separate AWS accounts for each environment (development, test, production, etc.) and, where it makes sense, for each workload. Used properly, multiple accounts limit the blast radius of an adverse event: credentials or a misconfiguration in one account do not automatically reach the others. IAM roles and policies then control which principals can access which resources within and across those accounts, adding another layer of control. The account is also the boundary along which AWS attributes logged activity, so activity in any one account is easy to scope, detect and respond to. Keep in mind that roles that can be assumed from another account deliberately reopen that boundary, so their trust policies deserve the same scrutiny as the permissions they grant. As a result, the AWS account boundary is an essential part of securing your AWS environment.
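
Roles that can be assumed from another account are where the account boundary is intentionally opened, so their trust policies are worth checking mechanically. The following is an added example written for this article, not Panther's or AWS's code: it lints a role trust policy against an allowlist of accounts. The account IDs, role names and external ID are made up, and `TRUSTED_ACCOUNTS` and the `own_account` argument stand in for whatever your own account inventory says.

```python
"""Added example: lint an IAM role trust policy against an account allowlist.

Written for this article; not Panther's or AWS's code. All account IDs,
role names and the external ID below are constructed.
"""
import re

# Constructed allowlist: accounts permitted to assume roles in our
# hypothetical production account 333333333333.
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

# Matches IAM/STS ARNs and captures the 12-digit account ID.
ARN_ACCOUNT = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):")


def _aws_principals(principal):
    """Normalise the Principal element to a list of AWS principal strings.

    Service and Federated principals are skipped: they are not
    cross-account trusts and need different checks.
    """
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def _account_of(principal):
    """Return the account ID a principal string refers to, or None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = ARN_ACCOUNT.match(principal)
    return match.group(2) if match else None


def lint_trust_policy(policy, own_account, trusted_accounts=TRUSTED_ACCOUNTS):
    """Return a list of findings; an empty list means the policy passes.

    For every Allow statement that grants sts:AssumeRole:
      * a wildcard principal is a finding;
      * each AWS principal must belong to own_account or trusted_accounts;
      * a principal from another account must be narrowed by a Condition
        (e.g. sts:ExternalId or aws:MultiFactorAuthPresent); without one,
        anything in that account allowed to call AssumeRole can use the role.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt.get("Principal")):
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
                continue
            acct = _account_of(p)
            if acct == own_account:
                continue  # same-account trust: nothing crosses the boundary
            if acct not in trusted_accounts:
                findings.append(f"statement {i}: untrusted principal {p}")
            elif not stmt.get("Condition"):
                findings.append(f"statement {i}: cross-account principal {p} has no Condition")
    return findings


# Constructed: a deployer role that only a CI role in account 111111111111
# may assume, and only when it presents the agreed external ID.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-deployer"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed: three common mistakes in one policy (wildcard principal,
# an account that is not on the allowlist, and a trusted account with no Condition).
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["999999999999", "arn:aws:iam::222222222222:root"]},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_trust_policy(policy, "333333333333") or "ok")
```

Run this against the output of `aws iam get-role` for each role in each account; the `own_account` argument is the account the role lives in, so a trust of a principal inside that same account is not treated as cross-boundary.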

Tip Four: Reduce the Noise of Your Security Alerts

Noisy alerts either mask important signals or fire on the wrong data elements altogether. With so much data generated in the cloud, it can be hard to sort through everything and pick out the truly critical alerts. By taking the time to de-noise your data, you can ensure you are only paged for relevant security issues.

The first step in reducing noise in your security log data is understanding the different types of data you are collecting. For example, system and audit logs contain a wealth of information about user activity, but they also carry a lot of routine, expected events. Once you understand each data type, you can start filtering out the noise: for instance, you may choose to collect only from certain sources, or to suppress events that come from known-benign principals such as deployment automation. Where possible, apply those suppressions at the alerting layer rather than dropping the data at collection, so the events are still available when an investigation needs them.

Once you understand your data, you can reduce the noise with filters, allowlists and deduplication. This ensures the alerts you receive are relevant to your environment and that your team is not bombarded with useless information.
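
As an added example of that filtering, written for this article and not Panther's rule engine, the detection below alerts on IAM changes in CloudTrail-style events, suppresses an allowlist of automation roles, and collapses repeats into one alert per actor and API call. The log lines, the account ID 123456789012 and the role names are constructed.

```python
"""Added example: a noise-aware detection over CloudTrail-style events.

Written for this article; not Panther's rule engine. The log lines, account
ID and role names are constructed.
"""
import json
from collections import OrderedDict

# Constructed allowlist: roles whose IAM writes are expected (infrastructure
# as code). Anything else touching IAM gets an alert.
AUTOMATION_ROLES = {"terraform-apply", "ci-deployer"}

# IAM API calls that change something start with one of these verbs.
IAM_WRITE_PREFIXES = ("Create", "Put", "Attach", "Detach", "Delete", "Update", "Add", "Remove")

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_LOG = """\
{"eventTime":"2023-01-10T09:00:01Z","eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/terraform-apply/run-42"},"requestParameters":{"roleName":"app-role","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"}}
{"eventTime":"2023-01-10T09:00:02Z","eventSource":"iam.amazonaws.com","eventName":"CreateRole","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/terraform-apply/run-42"},"requestParameters":{"roleName":"app-role"}}
{"eventTime":"2023-01-10T09:14:33Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2023-01-10T09:14:35Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"backup-svc"}}
{"eventTime":"2023-01-10T09:20:00Z","eventSource":"iam.amazonaws.com","eventName":"PutUserPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/developer/bob"},"requestParameters":{"userName":"dev-bob","policyName":"admin"}}
{"eventTime":"2023-01-10T09:21:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"alice"}}
{"eventTime":"2023-01-10T09:22:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/developer/bob"},"requestParameters":{"instanceType":"t3.micro"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def actor(event):
    """Short 'who' for an event: the role name for assumed roles, else the user name."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # ARN form: arn:aws:sts::<account>:assumed-role/<role>/<session>
        return ident.get("arn", "").split("assumed-role/")[-1].split("/")[0]
    return ident.get("userName") or ident.get("arn", "unknown")


def rule(event):
    """True when the event is an IAM write made by something other than automation."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return False
    if not event.get("eventName", "").startswith(IAM_WRITE_PREFIXES):
        return False
    return actor(event) not in AUTOMATION_ROLES


def run(events):
    """Evaluate every event; return alerts deduplicated by (actor, eventName)."""
    alerts = OrderedDict()
    for ev in events:
        if not rule(ev):
            continue
        key = (actor(ev), ev["eventName"])
        alert = alerts.setdefault(key, {
            "actor": key[0], "eventName": key[1], "count": 0,
            "first_seen": ev.get("eventTime"), "targets": [],
        })
        alert["count"] += 1
        params = ev.get("requestParameters") or {}
        target = params.get("userName") or params.get("roleName") or params.get("policyArn")
        if target and target not in alert["targets"]:
            alert["targets"].append(target)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in run(parse_events(SAMPLE_LOG)):
        print(f"{alert['actor']} {alert['eventName']} x{alert['count']} -> {alert['targets']}")
```

Of the seven constructed events, the two made by `terraform-apply` are suppressed, the read-only `GetUser` and the EC2 call never match, and the two identical `CreateAccessKey` calls by `alice` collapse into a single alert with a count of 2. The allowlist is only as strong as the control over who can assume those automation roles, which is why it pairs with the account and trust-policy hygiene in Tip Three.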

Tip Five: Queries Shouldn’t Take Days

Legacy SIEM solutions often struggle with performance in the cloud. This can lead to long wait times for query results.

AWS provides a robust set of tools for monitoring your cloud-based resources, but sifting through the log data those services generate can be daunting. Fortunately, there are several ways to make log queries simpler and faster. One is Amazon Athena, which lets you query log data stored in S3 using standard SQL. Another is Amazon Elasticsearch Service (now Amazon OpenSearch Service), which offers a more flexible way to search and visualize log data. Finally, you can use a vendor's built-in detections for continuous monitoring or write your own to fit your internal business use cases. With these services, you can quickly find the information you need during an investigation.

Legacy SIEM solutions are no longer up to the task of protecting your cloud environment. You need a platform built for the cloud to stay ahead of threats. Implementing these five tactical tips will help your security team to be more effective in AWS.

By taking advantage of the wealth of data produced by your logs, you can make better-informed decisions about how to protect your systems and networks. The tips highlighted in this article are just a few examples of using your AWS data to improve your organization’s security posture.


Jack Naglieri

Jack Naglieri is a professional with a passion for information security, cloud infrastructure, and security software. His exposure to information security began as an incident responder for Verisign. After graduating from George Mason University, he moved to the San Francisco Bay Area and spent two years at Yahoo as an incident responder. He later transitioned into a security engineering role, with the challenge of deploying security monitoring tools at massive scale. In 2016 he joined Airbnb and open-sourced StreamAlert, a framework for real-time data analysis and alerting at scale. He then managed a team of engineers further developing detection and response infrastructure at Airbnb. He has since founded his venture-backed startup, Panther Labs, to help companies detect and prevent security breaches in the cloud-first world.
