Configuration of monitoring services (for example, Security Hub)
Attributes of logging capabilities (for example, log levels, type, verbosity)
Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock)
Designing encryption at rest by using AWS CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
AWS services and features that provide logging capabilities (for example, VPC Flow Logs, DNS logs, CloudTrail, CloudWatch Logs)
Establishing schedules and retention for AWS Backup across AWS services
Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)
Investigating unintended permissions, authorization, or privileges granted to a resource, service, or entity
How to analyze reachability (for example, by using VPC Reachability Analyzer and Amazon Inspector)
Access permissions that are necessary for logging
Visibility and control over AWS infrastructure
Creating AWS Config rules for detection of noncompliant AWS resources
Anomaly and correlation techniques to join data across services
Capturing relevant forensics data from a compromised resource (for example, Amazon Elastic Block Store [Amazon EBS] volume snapshots, memory dump)
Requiring TLS for AWS API calls (for example, with Amazon S3)
Data classification by using AWS services