AWS IR
General Guides¶
| Link | Notes |
|---|---|
| AWS AWS Security Incident Response Guide | An overview of the fundamentals of responding to security incidents within an AWS environment |
| AWS Digital Forensics Automation at Goldman Sachs | Goldman Sachs has automated an event-driven cloud response solution that uses AWS native services to successfully collect disk and memory evidence from Amazon EC2 instances |
| How to be IR Prepared in AWS | This blog aims to demystify AWS' sometimes complicated logging methods to help organizations prepare for when a security incident occurs, outlining which logs should be enabled for the purpose of incident investigations |
How To: Build¶
| Link | Notes |
|---|---|
| AWS How to perform automated incident response in a multi-account environment | This scenario incorporates GuardDuty alerts, Config findings, Systems Manager automation runbooks, SNS notifications and centralized reporting in SecurityHub |
| AWS How to automate forensic disk collection in AWS | A hands-on solution you can use for automated disk collection across multiple AWS accounts |
| AWS How to automate incident response in the AWS Cloud for EC2 instances | Solution presenting a pre-provisioned architecture for an incident response system that you can use to respond to a suspect EC2 instance |
| AWS Automated Forensics Orchestrator for Amazon EC2 | Self-service solution to capture and examine data from EC2 instances and attached volumes for forensic analysis in the event of a potential security breach |
| AWS How to automatically build forensic kernel modules for Amazon Linux EC2 instances | Post walking through he EC2 forensic module factory solution to deploy automation to build forensic kernel modules that are required for EC2 incident response automation |
| AWS How to automate incident response to security events with AWS Systems Manager Incident Manager | How to use Incident Manager, a capability of AWS Systems Manager, to build an effective automated incident management and response solution to security events |
| Guardians of the Cloud: Automating the Response to Security Events | Auth0 describes how they use security automation to respond to GuardDuty events at scale |
How To: Investigate¶
| Link | Notes |
|---|---|
| magoo Investigating CloudTrail Logs | An incident response reference to understand an AWS breach through your CloudTrail logs |
| magoo Responding to typical breaches on AWS | |
| AWS Forensic investigation environment strategies in the AWS Cloud" |
|
| AWS AWS Incident Response Playbook Samples | Steps based on the NIST Computer Security Incident Handling Guide that can be used to: gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities, including post-mortem and feedback processes |
| Incident Response in AWS | Post intended to help those already familiar with the principles of Incident Response to understand what to do when the incident involves the AWS Control Plane |
| Responding to typical breaches on AWS | |
| Investigating CloudTrail Logs | |
| Partitioning CloudTrail Logs in Athena | |
| AWS Cloud Incident Analysis Query Cheatsheet | A cheatsheet for analyzing AWS cloud incidents using CloudTrail with AWS Athena |
| Actionable threat hunting in AWS | The focus is on the Preparation & Identification aspects of the SANS Incident Response framework |
Investigations¶
| Link | Notes |
|---|---|
| Learning from AWS (Customer) Security Incidents | Really interesting run through of real life security breaches that have happened to the AWS environments of customers |
| Exploring an AWS account post-compromise | Time to look around and understand what you have. |
| Responding to an attack in AWS | Post walking through the initial steps of an investigation following an incident in AWS |
| Detecting Anomalous AWS Sessions From Temporary Credentials | Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised |
| Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident | Learn how to detect malicious persistence techniques in AWS, GCP & Azure after potential initial compromise, like with the CircleCI incident |
Tools¶
| Link | Notes |
|---|---|
| matano | Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS |
| AWS Incident Response | Investigation of API activity using Athena and notification of actions using EventBridge |
| awskillswitch | Lambda function that streamlines containment of an AWS account compromise |
| grimoire | Generate datasets of cloud audit logs for common attacks |