IR Phases on AWS
- Preparation: runbooks, automation, IAM break-glass roles
- Detection: GuardDuty, Security Hub, CloudWatch alarms, custom rules
- Containment: isolate (SG change), disable credentials, revoke sessions
- Eradication: remove malware, patch vulnerabilities, rotate keys
- Recovery: restore from clean backups, verify integrity
- Post-incident: lessons learned, update runbooks and controls
Containment Strategies
- EC2: replace every attached security group (on every ENI, not just the primary one) with a pre-created isolation SG: no inbound rules, outbound only to the forensics tooling (SSM and S3 endpoints). Security groups have no deny rules and are stateful, so connections already being tracked can outlive the change; do not stop or terminate the instance before volatile evidence is captured
- IAM: attach a deny-all policy (the AWS managed AWSDenyAll or an inline Deny), deactivate access keys rather than deleting them (the key ID is evidence), and revoke active sessions with a Deny conditioned on aws:TokenIssueTime, because issued STS credentials cannot be recalled
- S3: replace the bucket policy with a Deny that exempts the responder role (a literal deny-all locks the responders out too, until the account root removes the policy), and enable Object Lock so objects cannot be overwritten or deleted while they are under investigation
- Network: NACL deny rules for immediate blocking; NACLs are stateless and evaluated per packet, so they cut established connections that a security group change leaves alive, but they apply to the whole subnet, so scope the deny to the attacker's addresses
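The IAM and S3 containment steps above, as an added example (not code from the original page): it builds the session-revocation policy and a lockout-safe bucket quarantine policy, and applies the IAM steps through an injected client. The user, role and bucket names, the responder role ARN and the FakeIam stub are assumptions so it runs offline; with real credentials pass boto3.client("iam") instead.

```python
"""IAM and S3 containment artifacts.

Added example, not code from the original page. The user/role/bucket names,
the responder role ARN and the FakeIam stub are assumptions so this runs
without AWS credentials; in production pass boto3.client("iam").
"""
import json
from datetime import datetime, timezone

AWS_DENY_ALL = "arn:aws:iam::aws:policy/AWSDenyAll"  # AWS-managed deny-all policy


def revoke_sessions_policy(issued_before):
    """Inline Deny that invalidates every STS session issued before the cut-off.

    Temporary credentials cannot be recalled; denying on aws:TokenIssueTime is
    how 'Revoke active sessions' works. A plain deny-all on a role would also
    break the legitimate workload; the time condition denies only sessions
    minted before the cut-off, and the workload picks up fresh credentials.
    Sessions issued after the cut-off still work, so also deactivate whatever
    minted them (key, MFA device) or the attacker simply re-assumes.
    """
    stamp = issued_before.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                           "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def quarantine_bucket_policy(bucket, responder_role_arn):
    """Deny everything on the bucket except to the IR role.

    A literal deny-all locks the responders out too (only the account root can
    then delete the policy). aws:PrincipalArn is the role ARN for assumed-role
    sessions, so one ArnNotEquals exempts every session of the IR role.
    """
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "QuarantineDenyAll", "Effect": "Deny", "Principal": "*",
                           "Action": "s3:*",
                           "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                           "Condition": {"ArnNotEquals": {"aws:PrincipalArn": responder_role_arn}}}]}


def contain_iam_user(user_name, iam):
    """Deactivate (not delete: the key ID is evidence) every active key, then deny-all."""
    deactivated = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"], Status="Inactive")
            deactivated.append(key["AccessKeyId"])
    iam.attach_user_policy(UserName=user_name, PolicyArn=AWS_DENY_ALL)
    return deactivated


def contain_role(role_name, iam, issued_before=None):
    """Revoke the existing sessions of a role (e.g. a compromised instance role)."""
    doc = revoke_sessions_policy(issued_before or datetime.now(timezone.utc))
    iam.put_role_policy(RoleName=role_name, PolicyName="IRRevokeOlderSessions",  # policy name is our choice
                        PolicyDocument=json.dumps(doc))
    return doc


class FakeIam:
    """Constructed stand-in for boto3's IAM client; records every call."""
    def __init__(self):
        self.calls = []

    def list_access_keys(self, UserName):  # constructed data: one active, one already inactive key
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active"},
                                      {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Inactive"}]}

    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))

    def attach_user_policy(self, **kw):
        self.calls.append(("attach_user_policy", kw))

    def put_role_policy(self, **kw):
        self.calls.append(("put_role_policy", kw))


if __name__ == "__main__":
    iam = FakeIam()
    print("deactivated:", contain_iam_user("compromised-deployer", iam))
    cutoff = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed cut-off time
    print(json.dumps(contain_role("WebAppInstanceRole", iam, cutoff), indent=2))
    print(json.dumps(quarantine_bucket_policy(
        "prod-data", "arn:aws:iam::123456789012:role/IncidentResponder"), indent=2))
```

Pass a timezone-aware cut-off; the revocation timestamp is compared in UTC. Keep the deactivated key IDs in the case notes, since the CloudTrail records you investigate later are keyed on them.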
Evidence Collection
- EBS: create a snapshot of every attached volume (block-level, point-in-time, crash-consistent), tag it with the case ID, and copy or share it to the forensics account so it sits outside the compromised account
- Memory: use SSM Run Command to capture a memory dump (an acquisition tool such as LiME or AVML has to be present on the host) before stopping or terminating; both discard RAM, and the command only works while the isolation SG still allows egress to the SSM and S3 endpoints
- Network: enable VPC Flow Logs if not already on (they cannot be enabled retroactively); they record flow metadata only, so use VPC Traffic Mirroring when packet contents are needed
- Logs: preserve CloudTrail, VPC Flow Logs and Route 53 Resolver query logs in an S3 bucket in a separate security account with Object Lock, so credentials compromised in the workload account cannot alter or delete them
Automation Patterns
- GuardDuty finding → EventBridge → Step Functions → multi-step IR
- Auto-isolate: Lambda swaps the SG on every ENI of the instance, snapshots its volumes, tags it, notifies the team (SNS)
- Auto-revoke: detect unused IAM keys (credential report or GetAccessKeyLastUsed) → Lambda deactivates them after X days
- Auto-quarantine: S3 object triggers Lambda → malware scan → quarantine bucket
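A Lambda for the auto-isolate pattern above, which also exercises the EC2 isolation step from Containment Strategies and the EBS snapshot and memory capture steps from Evidence Collection. This is an added example, not code from the original page: the isolation SG ID, the memory-acquisition command (AVML path and evidence bucket), the severity threshold, the constructed GuardDuty event and the fake EC2/SSM clients are assumptions so it runs offline; inside Lambda it builds real boto3 clients.

```python
"""Auto-isolate Lambda: GuardDuty finding -> EventBridge -> this handler.

Added example, not code from the original page. Assumptions (not in the
source): ISOLATION_SG, MEMORY_COMMANDS, SEVERITY_THRESHOLD, the constructed
SAMPLE_EVENT and the Fake* clients. In Lambda, handler(event, context) builds
real boto3 clients; the fakes exist so the flow can run and be checked offline.
"""
import os

ISOLATION_SG = os.environ.get("ISOLATION_SG", "sg-0isolation00000000")  # assumed pre-created: no inbound,
                                                                        # outbound only to SSM/S3 endpoints
SEVERITY_THRESHOLD = 7.0  # GuardDuty "High" starts at 7.0; acting automatically on High+ is this example's choice
MEMORY_COMMANDS = [       # tool path and evidence bucket are assumptions
    "/usr/local/bin/avml /tmp/mem.lime",
    "aws s3 cp /tmp/mem.lime s3://forensics-evidence-example/$(hostname)/mem.lime",
]


def classify(event):
    """Return (instance_id, severity, finding_id) from the finding, or None if it is not about an EC2 instance."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource["instanceDetails"]["instanceId"], float(detail.get("severity", 0)), detail.get("id", "")


def isolate_instance(ec2, instance_id):
    """Move every ENI to the isolation SG and block API termination.

    modify_instance_attribute(Groups=...) only changes the primary ENI, so walk
    all interfaces. Security groups are stateful: connections already tracked
    can survive the change, so add a NACL deny when the cut must be immediate.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    enis = [n["NetworkInterfaceId"] for n in inst["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[ISOLATION_SG])
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    return inst, enis


def capture_memory(ssm, instance_id):
    """Dump RAM via SSM Run Command. Must run before any stop/terminate (both lose
    memory) and needs the isolation SG to still allow egress to SSM and S3."""
    resp = ssm.send_command(InstanceIds=[instance_id], DocumentName="AWS-RunShellScript",
                            Parameters={"commands": MEMORY_COMMANDS})
    return resp["Command"]["CommandId"]


def snapshot_volumes(ec2, inst, finding_id):
    """Point-in-time (crash-consistent) copy of each attached volume, tagged for chain of custody."""
    snaps = []
    for bdm in inst.get("BlockDeviceMappings", []):
        resp = ec2.create_snapshot(
            VolumeId=bdm["Ebs"]["VolumeId"],
            Description=f"IR evidence {inst['InstanceId']} finding {finding_id}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "ir-finding", "Value": finding_id},
                {"Key": "ir-source-instance", "Value": inst["InstanceId"]}]}])
        snaps.append(resp["SnapshotId"])
    return snaps


def handler(event, context=None, ec2=None, ssm=None):
    """Lambda entry point; clients are injectable so the flow can be tested offline."""
    if ec2 is None or ssm is None:
        import boto3  # only needed inside Lambda
        ec2, ssm = ec2 or boto3.client("ec2"), ssm or boto3.client("ssm")
    found = classify(event)
    if found is None or found[1] < SEVERITY_THRESHOLD:
        return {"action": "skipped", "reason": "not an EC2 finding or below threshold"}
    instance_id, severity, finding_id = found
    inst, enis = isolate_instance(ec2, instance_id)   # 1. stop the bleeding
    command_id = capture_memory(ssm, instance_id)     # 2. volatile evidence first
    snaps = snapshot_volumes(ec2, inst, finding_id)   # 3. then disk
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "ir-status", "Value": "isolated"},
                                                   {"Key": "ir-finding", "Value": finding_id}])
    return {"action": "isolated", "instance": instance_id, "severity": severity,
            "enis": enis, "memory_command": command_id, "snapshots": snaps}


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client; records every call."""
    def __init__(self):
        self.calls, self._n = [], 0

    def describe_instances(self, InstanceIds):  # constructed: two ENIs, two volumes
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa"}, {"NetworkInterfaceId": "eni-0bbb"}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                                    {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        self._n += 1
        return {"SnapshotId": f"snap-{self._n:06d}"}

    def __getattr__(self, name):  # modify_* and create_tags: just record the call
        return lambda **kw: self.calls.append((name, kw))


class FakeSsm:
    def send_command(self, **kw):
        self.sent = kw
        return {"Command": {"CommandId": "cmd-example-0001"}}


SAMPLE_EVENT = {  # constructed, shaped like a GuardDuty finding delivered by EventBridge
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-example-0001", "severity": 8, "type": "UnauthorizedAccess:EC2/TorClient",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0abc123def4567890"}}}}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=FakeEc2(), ssm=FakeSsm()))
```

Wire it to an EventBridge rule matching source aws.guardduty and detail-type "GuardDuty Finding", and give the execution role only ec2:DescribeInstances, ec2:ModifyNetworkInterfaceAttribute, ec2:ModifyInstanceAttribute, ec2:CreateSnapshot, ec2:CreateTags and ssm:SendCommand. The ordering matters: the isolation SG must keep egress to the SSM and S3 endpoints open, otherwise the memory capture step silently never reaches the host.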