Incident Response Playbooks on AWS
When a security incident occurs, the speed and quality of your response determines the impact. Incident response on AWS is different from on-premises IR because you can programmatically isolate resources, capture forensic snapshots, and automate containment in seconds. This course provides the playbooks and automation patterns you need to respond effectively.
What This Course Covers
IR Lifecycle on AWS
The incident response lifecycle (Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned) applies to AWS, but the implementation is different. Containment means swapping security groups, not unplugging cables. Forensics means querying CloudTrail and capturing EBS snapshots, not imaging hard drives. This module maps the IR lifecycle to AWS-specific actions and services.
Automated Containment Patterns
When GuardDuty detects a compromised EC2 instance or IAM credential abuse, EventBridge can trigger Lambda functions that automatically:
- Isolate the instance by replacing its security group with a quarantine group (no ingress, no egress except to a forensics VPC)
- Disable the compromised IAM access key
- Snapshot the instance's EBS volumes before any attacker cleanup
- Notify the security team via SNS
These automated responses buy your team time by containing the threat within seconds of detection.
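As an added illustration of this pattern (not the course's own Lambda code): a Python handler for an EventBridge "GuardDuty Finding" event that performs the four steps above, evidence first. The quarantine group id, topic ARN, and the sample event are constructed placeholders; the sample finding carries both an instance and an access key so that both branches run.

```python
import json

QUARANTINE_SG = "sg-0quarantine0000000"  # placeholder: the no-ingress/no-egress group, read from an env var in practice
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-alerts"  # placeholder topic ARN

def parse_finding(event):
    """Pull the fields containment needs out of an EventBridge 'GuardDuty Finding' event."""
    d = event["detail"]
    inst = d.get("resource", {}).get("instanceDetails", {})
    key = d.get("resource", {}).get("accessKeyDetails", {})
    return {"id": d["id"], "type": d["type"], "severity": d["severity"], "instance_id": inst.get("instanceId"),
            "access_key": key.get("accessKeyId"), "user": key.get("userName")}

def lambda_handler(event, context=None, ec2=None, iam=None, sns=None):
    """Snapshot, isolate, disable the key, notify. Clients are injectable so the logic can run offline."""
    if not (ec2 and iam and sns):
        import boto3  # imported lazily so the module loads without boto3 outside the Lambda runtime
        ec2, iam, sns = ec2 or boto3.client("ec2"), iam or boto3.client("iam"), sns or boto3.client("sns")
    fd, actions = parse_finding(event), []
    if fd["instance_id"]:
        # Snapshot before isolating so the evidence exists even if a later step fails.
        vols = ec2.describe_volumes(Filters=[{"Name": "attachment.instance-id", "Values": [fd["instance_id"]]}])
        for v in vols["Volumes"]:
            snap = ec2.create_snapshot(VolumeId=v["VolumeId"], Description="IR evidence " + fd["id"])
            actions.append("snapshot:" + snap["SnapshotId"])
        # Replacing every security group with the quarantine group severs ingress and egress in one call.
        ec2.modify_instance_attribute(InstanceId=fd["instance_id"], Groups=[QUARANTINE_SG])
        actions.append("isolated:" + fd["instance_id"])
    if fd["access_key"] and fd["user"]:
        # Deactivate rather than delete: the key stays on record as evidence for the investigation.
        iam.update_access_key(UserName=fd["user"], AccessKeyId=fd["access_key"], Status="Inactive")
        actions.append("key_disabled:" + fd["access_key"])
    sns.publish(TopicArn=TOPIC_ARN, Subject=f"GuardDuty {fd['type']} sev {fd['severity']}",
                Message=json.dumps({"finding": fd, "actions": actions}))
    return actions

class FakeClient:
    """Records calls and returns canned responses so the handler can be exercised offline."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def api(**kw):
            self.calls.append((name, kw))
            return {"Volumes": [{"VolumeId": "vol-0aa"}, {"VolumeId": "vol-0bb"}], "SnapshotId": "snap-" + kw.get("VolumeId", "")}
        return api

SAMPLE_EVENT = {"detail": {  # constructed: the shape EventBridge delivers for a GuardDuty finding, not a real one
    "id": "finding-example", "type": "UnauthorizedAccess:EC2/TorClient", "severity": 8,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"},
                 "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "deploy-bot"}}}}
```

Deployed for real, the function's role needs only the five API actions it calls, scoped to the account, so that the responder itself cannot become a privilege-escalation path.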
Forensics with CloudTrail and VPC Flow Logs
After containment, you need to understand what happened. CloudTrail shows every API call the attacker made. VPC Flow Logs show every network connection. This module covers querying both data sources with Athena, building timelines, and identifying the scope of compromise.
Runbook Templates for Common Incidents
Each incident type requires a specific response. This course includes step-by-step runbooks for:
- Compromised IAM credentials: Key rotation, session revocation, impact assessment
- Compromised EC2 instance: Isolation, snapshot, forensic analysis
- S3 data exposure: Access log analysis, scope assessment, notification
- Unauthorized resource creation: Resource termination, cost impact, root cause
Module Outline
| Module | Topic |
|---|---|
| 1 | IR lifecycle on AWS: mapping traditional IR phases to AWS services and actions |
| 2 | Automated containment: EventBridge + Lambda patterns for instant response |
| 3 | Forensic data collection: EBS snapshots, memory capture, and log preservation |
| 4 | CloudTrail forensics: querying API logs with Athena to build incident timelines |
| 5 | VPC Flow Log analysis: identifying lateral movement and data exfiltration |
| 6 | Runbook templates: step-by-step playbooks for the four most common AWS incident types |
Get the complete 6-module course with automated containment Lambda functions, Athena forensics queries, and step-by-step runbook templates in Terraform, CDK, and CloudFormation.