Introduction:
This document gives an overview of the Data Protection Policy and Incident Response Plan that EmberTribe has implemented for application security, to protect customer data, and to work in partnership with its cloud service provider, AWS.
Personnel:
Project Manager: Josh Sturgeon josh@embertribe.com
Incident Responsibilities: Primary AWS point of contact
AWS Development Lead: Dustin Anderson dustin@bod3.com
Incident Responsibilities: Developer of AWS application code, main point of contact for code
Incident types:
(EmberTribe is not aware of any security incidents with this application as of the time of this writing)
Incident Domains: Service Domain (e.g. IAM Permissions), Infrastructure Domain, Application Domain
All software for this application is hosted on AWS. The AWS services used for this application include:
-AWS CloudFront (geo restriction configured to allow access only from the US)
-AWS Lambda
-AWS Step Function
-AWS Athena
-AWS S3
-AWS Amplify Framework
Here are some possible incidents:
-Unauthorized login (an outside party finds the site and is able to create an account and sign in)
-Unauthorized download of consumer or seller data from the Amplify application, or from an S3 bucket whose access controls have been breached.
How incidents will be contained:
Because the application has relatively low usage requirements, user login can be shut down entirely in an emergency while the incident is remediated.
One way to stop an offending user is to click the Revoke active sessions button in the AWS IAM console for the IAM role used to access the site. Note that this revokes every session issued under that role before the moment the button is clicked, not only the offender's, and that sessions started afterwards are unaffected, so it should be paired with shutting down login or disabling the offending account. The role is:
arn:aws:iam::032313868221:role/react-aws-embertribe-mwsdeploy-20190728152328-authRole
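The following Python script is an added example (it is not part of EmberTribe's own tooling) showing what the Revoke active sessions button does, so the same containment step can be scripted and logged rather than clicked. The console attaches an inline deny policy to the role whose condition rejects any credentials issued before the cut-off time (the aws:TokenIssueTime condition key). Two caveats the code's comments repeat: the role name suggests it is the Amplify-generated authenticated role that every signed-in user assumes, so revocation ends all users' sessions, not only the offender's; and credentials issued after the cut-off still work, so the login path must also be shut down or the offending account disabled. The policy name, the assumption about the role, and the use of boto3's put_role_policy are assumptions; the ARN is the one listed above.

```python
"""Revoke all active sessions of an IAM role by denying use of any credentials
issued before a cut-off time. This reproduces what the IAM console's
"Revoke active sessions" button does: it attaches an inline deny policy keyed
on aws:TokenIssueTime. Example added to this plan, not EmberTribe's own code.
apply_revocation() needs boto3 and credentials holding iam:PutRolePolicy.
"""
import json
from datetime import datetime, timezone
from typing import Optional

# Role listed in the plan. Its name suggests it is the Amplify-generated
# authenticated role (assumption): every signed-in user assumes it, so
# revoking its sessions ends ALL users' sessions, not only the offender's.
AUTH_ROLE_ARN = ("arn:aws:iam::032313868221:role/"
                 "react-aws-embertribe-mwsdeploy-20190728152328-authRole")
POLICY_NAME = "AWSRevokeOlderSessions"  # assumed: the name the console uses


def role_name_from_arn(arn: str) -> str:
    """arn:aws:iam::<acct>:role/<path/>name -> name (PutRolePolicy wants the name)."""
    resource = arn.split(":", 5)[5]
    if not resource.startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {arn}")
    return resource.rsplit("/", 1)[1]


def revoke_older_sessions_policy(cutoff: datetime) -> dict:
    """Build a policy denying every action to sessions whose credentials were
    issued before `cutoff`. Sessions obtained after the cut-off are NOT
    affected, so also shut down login or disable the offending account."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def apply_revocation(role_arn: str = AUTH_ROLE_ARN,
                     cutoff: Optional[datetime] = None) -> str:
    """Attach the deny policy to the role and return the JSON that was applied.
    Record the returned document in the incident log (chain of custody)."""
    import boto3  # imported here so the rest of the module works without it
    cutoff = cutoff or datetime.now(timezone.utc)
    doc = json.dumps(revoke_older_sessions_policy(cutoff))
    boto3.client("iam").put_role_policy(
        RoleName=role_name_from_arn(role_arn),
        PolicyName=POLICY_NAME,
        PolicyDocument=doc,
    )
    return doc


if __name__ == "__main__":
    # Dry run: print the policy that apply_revocation() would attach right now.
    print(json.dumps(revoke_older_sessions_policy(datetime.now(timezone.utc)),
                     indent=2))
```

Run the script as-is to print the policy; call apply_revocation() with credentials that hold iam:PutRolePolicy to enforce it. Once remediation is complete, remove the inline policy again (iam delete-role-policy) so the role's policy set reflects its normal state.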
How Incidents are investigated:
Should an incident with an unknown or novel cause arise, the reporter of the incident should first contact the Project Manager, Josh Sturgeon. EmberTribe will then decide how to handle the incident. The AWS Development Lead, Dustin Anderson, then handles the technical investigation of the incident without releasing PII and, should it be necessary, contacts Amazon in accordance with the Amazon contact guidelines below.
The basic process for identifying and investigating incidents is as follows:
-Review CloudWatch Logs
-Review status of Step Function(s) currently running
-Review Epsagon’s automated reporting dashboard
Developers must maintain the chain of custody for all evidence or records collected, and such documentation must be made available to Amazon on request (if applicable).
Notes:
Developers must review and verify this Incident Response Plan every six (6) months and after any major infrastructure or system change. Developers must investigate each Security Incident and document the incident description, the remediation actions, and the associated corrective process/system controls implemented to prevent recurrence (if applicable).
How Amazon will be contacted / escalation of issues to Amazon:
Developers must inform Amazon (via email to security@amazon.com) within 24 hours of detecting any Security Incidents. Developers cannot notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that the Developer do so. Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case Amazon reserves the right to review the form and content of any notification before it is provided to any party. Developers must inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.
Incident Log:
(Should an incident occur, record a summary of the incident here)
Example:
Incident Description: Security Breach
Remediation Actions: Investigate CloudWatch logs to identify the attack vectors
Associated corrective process/system controls implemented to prevent future recurrence (if applicable): Tightened access controls on S3 buckets, enabled Amazon Macie