AWS Incident Response

Nov 18, 2020

GuardDuty (Region Specific):

Threat intelligence service that monitors CloudTrail logs, VPC flow logs and DNS logs.

GuardDuty only monitors Route 53 DNS query logs; Active Directory DNS or other DNS logs are not monitored.

Alert whitelisting: trusted IP list; archive alerts after fixing; suppress by finding type using filters.

Finding types: EC2, S3, IAM

Master account (GuardDuty) invites member accounts so that the member accounts' findings are merged into the master account.
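The three alert-handling controls listed above (trusted IP list, suppression by finding type, archiving the rest) can be checked offline before they are configured. The script below is an added example, not code from the original post or from AWS: it applies the same precedence GuardDuty uses (trusted IP first, then suppression rule, then actionable, highest severity first) to exported findings. The finding type strings are real GuardDuty types; the finding shape is reduced to the fields used here, and the ids, IPs, severities and the trusted CIDR are constructed.

```python
"""Added example (not from the original post): a local pass over GuardDuty
findings that mirrors the alert-handling controls described above.

GuardDuty applies a trusted IP list and suppression rules on the service side;
this script applies the same logic to exported findings so the effect of a
candidate trusted IP list or finding-type suppression can be checked before
it is configured. The finding shape is reduced to the fields used here
(id, type, severity, remote IP) and all values are constructed."""
import ipaddress

# Constructed: a scanner range we trust, and one noisy type we choose to suppress.
TRUSTED_CIDRS = ["198.51.100.0/24"]
SUPPRESSED_TYPES = {"Recon:EC2/PortProbeUnprotectedPort"}

# Constructed findings; the type strings are real GuardDuty finding types,
# everything else (ids, IPs, severities) is made up for the example.
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "remote_ip": "198.51.100.20"},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "remote_ip": "203.0.113.44"},
    {"id": "f-3", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
     "remote_ip": "203.0.113.44"},
    {"id": "f-4", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
     "remote_ip": None},  # DNS-based finding: no remote IP to whitelist on
    {"id": "f-5", "type": "Policy:IAMUser/RootCredentialUsage", "severity": 2.0,
     "remote_ip": "192.0.2.9"},
]


def ip_is_trusted(ip, trusted_cidrs):
    """True when `ip` falls inside one of the trusted CIDR ranges."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def triage_findings(findings, trusted_cidrs=TRUSTED_CIDRS,
                    suppressed_types=SUPPRESSED_TYPES):
    """Split findings into three buckets, mirroring GuardDuty's behaviour:

    - trusted_ip: remote IP on the trusted list (GuardDuty would not raise it),
    - suppressed: finding type matched a suppression rule (auto-archived),
    - actionable: everything else, highest severity first.
    Returns finding ids per bucket so the result is easy to compare."""
    buckets = {"actionable": [], "trusted_ip": [], "suppressed": []}
    for f in findings:
        if ip_is_trusted(f.get("remote_ip"), trusted_cidrs):
            buckets["trusted_ip"].append(f)
        elif f["type"] in suppressed_types:
            buckets["suppressed"].append(f)
        else:
            buckets["actionable"].append(f)
    buckets["actionable"].sort(key=lambda f: f["severity"], reverse=True)
    return {k: [f["id"] for f in v] for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, ids in triage_findings(SAMPLE_FINDINGS).items():
        print(f"{bucket}: {ids}")
```

Note that the trusted IP list only helps for findings that carry a remote IP; a DNS-based finding such as `f-4` above falls through to the actionable bucket regardless of the list, which is the behaviour a reviewer should expect when tuning noise.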

Incident Response:

Preparation Phase:

Ensure logging is enabled with the help of CloudTrail, VPC flow logs, and EC2 instance logs.

Detection Phase:

CloudWatch Alarms, SNS, GuardDuty

Containment Phase:

Automated AWS CLI scripts

Investigation Phase:

CloudWatch Logs

AWS Config

Recovery Phase:

Use prebuilt AMIs for the application to launch a fresh new app server.

(a) AWS Credentials Leaked:

Points to remember:

Disable the credentials; do not delete them.

Attach an explicit Deny IAM policy (JSON) to the affected IAM users to stop access via their temporary credentials.

Review CloudTrail logs for what the credentials were used for.
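The points above are the containment and investigation phases of the procedure applied to a leaked key. The script below is an added example, not code from the original post or from AWS: it builds the explicit-Deny policy that cuts off temporary credentials issued before a cutoff time (the same `aws:TokenIssueTime` pattern the IAM console's "Revoke active sessions" action generates) and then triages CloudTrail records for everything a given access key did. Long-term access keys carry no token issue time, so they are handled separately by disabling, not deleting, the key. The CloudTrail records are constructed sample data, and the key ids `AKIAEXAMPLELEAKED` and `AKIAEXAMPLEOTHER` are placeholders.

```python
"""Added example (not from the original post): two pieces of the leaked-
credential response described above.

1. revoke_sessions_policy() builds the explicit-Deny IAM policy that cuts off
   temporary credentials (STS sessions) issued before a cutoff time, using the
   aws:TokenIssueTime condition key; attach it to the compromised user or role.
2. triage_key_activity() reviews CloudTrail records for everything a given
   access key did: API calls, source IPs, write calls and denied attempts.

The CloudTrail records are constructed sample data and the key id
AKIAEXAMPLELEAKED is a placeholder, not a real key."""
import json
from collections import Counter
from datetime import datetime


def revoke_sessions_policy(cutoff_utc):
    """Deny every action for credentials issued before `cutoff_utc`
    (ISO-8601 UTC, e.g. "2020-11-18T09:30:00Z"). Raises ValueError on a
    malformed timestamp so a typo cannot produce a policy that denies nothing."""
    datetime.strptime(cutoff_utc, "%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_utc}},
        }],
    }


# Constructed CloudTrail records, reduced to the fields the triage uses.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2020-11-18T09:00:00Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"}},
    {"eventTime": "2020-11-18T09:01:10Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"}},
    {"eventTime": "2020-11-18T09:02:45Z", "eventName": "RunInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "readOnly": False, "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"}},
    {"eventTime": "2020-11-18T09:05:00Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "readOnly": False, "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"}},
    {"eventTime": "2020-11-18T09:06:30Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "10.0.0.5",
     "readOnly": True, "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHER"}},
]


def triage_key_activity(records, access_key):
    """Summarize what `access_key` did according to CloudTrail."""
    used = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key]
    # All timestamps share one ISO format, so string order is time order.
    times = sorted(r["eventTime"] for r in used)
    return {
        "event_count": len(used),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "by_event": dict(Counter(r["eventName"] for r in used)),
        "source_ips": sorted({r["sourceIPAddress"] for r in used}),
        # Write calls are what the recovery phase has to find and undo.
        "write_calls": sorted({r["eventName"] for r in used
                               if not r.get("readOnly", False)}),
        # Denied calls show what was attempted but blocked by existing policy.
        "access_denied": [r["eventName"] for r in used
                          if r.get("errorCode") == "AccessDenied"],
    }


if __name__ == "__main__":
    print(json.dumps(revoke_sessions_policy("2020-11-18T09:30:00Z"), indent=2))
    print(json.dumps(triage_key_activity(SAMPLE_CLOUDTRAIL, "AKIAEXAMPLELEAKED"),
                     indent=2))
```

The `write_calls` and `source_ips` fields are the ones that drive the next steps: every write call is something to clean up in the recovery phase, and a source IP outside the organisation's ranges is a candidate for a GuardDuty or VPC-level block.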

(b) EC2 compromised:

Allowed services for penetration testing without pre-approval:

  1. EC2, NAT Gateways, ELB
  2. RDS
  3. CloudFront
  4. Aurora
  5. API Gateway
  6. Lambda and Lambda@Edge functions
  7. Lightsail resources
  8. Elastic Beanstalk

EC2 instance types not supported:

  1. T3/T2 Nano
  2. T1 Micro
  3. M1 Small

Shared Responsibility Model

Just writing the Life Experiences..