MITRE ATT&CK, D3FEND, and Engage provide structured models for understanding, defending against, and actively engaging with threat actors in cloud environments
Combining these frameworks supports a full security operations lifecycle—threat modeling, detection, response, and post-incident analysis
MITRE ATT&CK maps threat actor tactics, techniques, and procedures (TTPs), aiding AWS customers in risk assessment and detection
MITRE D3FEND aligns defensive measures (like least privilege and system hardening) directly with ATT&CK-identified threats
MITRE Engage enables deception strategies, such as honeypots and honey tokens, to expose and mislead attackers
AWS services like Inspector, Macie, and Security Lake align with MITRE frameworks for vulnerability scanning, sensitive data discovery, and log analytics
AWS IAM and Organizations enforce least privilege, while WAF and Secrets Manager support application-layer defense and honey token deployment
Security Hub, GuardDuty, and Detective centralize alerts, detect anomalies, and support forensic investigations, mapping findings to MITRE ATT&CK
AWS Step Functions, Lambda, and the Security Incident Response service automate containment, recovery, and response workflows
AWS Shield and WAF provide real-time mitigation against DDoS and application-layer attacks
AWS supports deception (e.g., fake S3 files, honeypots) and post-event forensics with Security Lake and Detective, informed by MITRE Engage
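The deception and detection points above (honey tokens in Secrets Manager, fake S3 files, findings mapped to ATT&CK) come together in a small detection routine. The following is an added example written for this page, not AWS code or code from the post being summarized: it scans CloudTrail-style records for reads of decoy assets and emits alerts tagged with an ATT&CK technique. The decoy bucket, object key and secret name are constructed placeholders; the sample records are constructed; the technique IDs are taken from the public ATT&CK matrix as I know it and should be checked against the version you deploy.

```python
"""Detect touches on deception assets (honey tokens) in CloudTrail-style records.

Added example for this page; names and records below are constructed, not real
AWS resources.
"""
from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names). In practice these would come
# from a tagged resource list, not a hard-coded set.
HONEY_S3_OBJECTS = {("example-finance-bucket", "payroll/2024-Q3-salaries.xlsx")}
HONEY_SECRETS = {"prod/db/admin-credentials-backup"}

# (eventSource, eventName) -> ATT&CK technique. IDs from the public ATT&CK
# matrix; verify against the current release before relying on them.
TECHNIQUE_FOR = {
    ("s3.amazonaws.com", "GetObject"): ("T1530", "Data from Cloud Storage"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"): (
        "T1555.006",
        "Credentials from Password Stores: Cloud Secrets Management Stores",
    ),
}


@dataclass(frozen=True)
class HoneyAlert:
    event_time: str
    principal: str
    source_ip: str
    asset: str
    technique_id: str
    technique_name: str


def _asset_touched(record):
    """Return a label for the decoy asset this record reads, or None."""
    src, name = record.get("eventSource"), record.get("eventName")
    params = record.get("requestParameters") or {}
    if (src, name) == ("s3.amazonaws.com", "GetObject"):
        # S3 data events carry bucketName and key in requestParameters.
        key = (params.get("bucketName"), params.get("key"))
        if key in HONEY_S3_OBJECTS:
            return f"s3://{key[0]}/{key[1]}"
    elif (src, name) == ("secretsmanager.amazonaws.com", "GetSecretValue"):
        # secretId may be a name or an ARN; match on the trailing name.
        secret_id = (params.get("secretId") or "").split(":secret:")[-1]
        if secret_id in HONEY_SECRETS:
            return f"secretsmanager:{secret_id}"
    return None


def scan_cloudtrail(records):
    """Return one HoneyAlert per record that reads a decoy asset.

    Any read of a honey token is an alert: nothing legitimate should ever
    touch these assets, so there is no allow-list to consult.
    """
    alerts = []
    for rec in records:
        asset = _asset_touched(rec)
        if asset is None:
            continue
        tid, tname = TECHNIQUE_FOR[(rec["eventSource"], rec["eventName"])]
        ident = rec.get("userIdentity") or {}
        principal = ident.get("arn") or ident.get("principalId") or "unknown"
        alerts.append(HoneyAlert(
            event_time=rec.get("eventTime", ""),
            principal=principal,
            source_ip=rec.get("sourceIPAddress", ""),
            asset=asset,
            technique_id=tid,
            technique_name=tname,
        ))
    return alerts


# Constructed sample records in CloudTrail's field layout (not real events).
SAMPLE_RECORDS = [
    {"eventTime": "2024-09-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-reader"},
     "requestParameters": {"bucketName": "example-finance-bucket",
                           "key": "reports/public-summary.pdf"}},
    {"eventTime": "2024-09-01T10:02:13Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "example-finance-bucket",
                           "key": "payroll/2024-Q3-salaries.xlsx"}},
    {"eventTime": "2024-09-01T10:05:40Z",
     "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"principalId": "AIDAEXAMPLEPRINCIPAL"},
     "requestParameters": {"secretId": "prod/db/admin-credentials-backup"}},
    {"eventTime": "2024-09-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-reader"},
     "requestParameters": None},
]

if __name__ == "__main__":
    for alert in scan_cloudtrail(SAMPLE_RECORDS):
        print(alert)
```

Run as-is, the routine flags the two reads of decoy assets (the honey spreadsheet and the honey secret) and ignores the legitimate object read and the ListBuckets call. In a deployment the alerts would be forwarded to Security Hub as findings carrying the ATT&CK technique, and the source principal and IP give Detective a starting point for the investigation.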