Skip to content

AWS IR

General Guides

Link Notes
AWS AWS Security Incident Response Guide An overview of the fundamentals of responding to security incidents within an AWS environment
AWS Digital Forensics Automation at Goldman Sachs Goldman Sachs has automated an event-driven cloud response solution that uses AWS native services to successfully collect disk and memory evidence from Amazon EC2 instances
How to be IR Prepared in AWS This blog aims to demystify AWS' sometimes complicated logging methods to help organizations prepare for when a security incident occurs, outlining which logs should be enabled for the purpose of incident investigations

How To: Build

Link Notes
AWS How to perform automated incident response in a multi-account environment This scenario incorporates GuardDuty alerts, Config findings, Systems Manager automation runbooks, SNS notifications and centralized reporting in SecurityHub
AWS How to automate forensic disk collection in AWS A hands-on solution you can use for automated disk collection across multiple AWS accounts
AWS How to automate incident response in the AWS Cloud for EC2 instances Solution presenting a pre-provisioned architecture for an incident response system that you can use to respond to a suspect EC2 instance
AWS Automated Forensics Orchestrator for Amazon EC2 Self-service solution to capture and examine data from EC2 instances and attached volumes for forensic analysis in the event of a potential security breach
AWS How to automatically build forensic kernel modules for Amazon Linux EC2 instances Post walking through he EC2 forensic module factory solution to deploy automation to build forensic kernel modules that are required for EC2 incident response automation
AWS How to automate incident response to security events with AWS Systems Manager Incident Manager How to use Incident Manager, a capability of AWS Systems Manager, to build an effective automated incident management and response solution to security events
Guardians of the Cloud: Automating the Response to Security Events Auth0 describes how they use security automation to respond to GuardDuty events at scale

How To: Investigate

Link Notes
magoo Investigating CloudTrail Logs An incident response reference to understand an AWS breach through your CloudTrail logs
magoo Responding to typical breaches on AWS
AWS Forensic investigation environment strategies in the AWS Cloud"
  • Strategies that you can use to prepare your organization to respond to secure baseline deviations
  • These strategies take the form of best practices around AWS account structure, OUs and SCPs, forensic VPC and network infrastructure, evidence artifacts to be collected, AWS services to be used, forensic analysis tool infrastructure, and user access and authorization to the above
"
AWS AWS Incident Response Playbook Samples Steps based on the NIST Computer Security Incident Handling Guide that can be used to: gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities, including post-mortem and feedback processes
Incident Response in AWS Post intended to help those already familiar with the principles of Incident Response to understand what to do when the incident involves the AWS Control Plane
Responding to typical breaches on AWS
Investigating CloudTrail Logs
Partitioning CloudTrail Logs in Athena
AWS Cloud Incident Analysis Query Cheatsheet A cheatsheet for analyzing AWS cloud incidents using CloudTrail with AWS Athena
Actionable threat hunting in AWS The focus is on the Preparation & Identification aspects of the SANS Incident Response framework

Investigations

Link Notes
Learning from AWS (Customer) Security Incidents Really interesting run through of real life security breaches that have happened to the AWS environments of customers
Exploring an AWS account post-compromise Time to look around and understand what you have.
Responding to an attack in AWS Post walking through the initial steps of an investigation following an incident in AWS
Detecting Anomalous AWS Sessions From Temporary Credentials Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised
Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident Learn how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident

Tools

Link Notes
matano Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
AWS Incident Response Investigation of API activity using Athena and notification of actions using EventBridge
awskillswitch Lambda function that streamlines containment of an AWS account compromise
grimoire Generate datasets of cloud audit logs for common attacks