AWS Incident Response

GuardDuty (region specific):

Threat detection service that analyses CloudTrail logs, VPC Flow Logs and DNS logs for malicious or unauthorised activity.

GuardDuty only sees DNS queries that go through the Route 53 Resolver (the default VPC resolver). Queries sent to Active Directory DNS or any other third-party resolver are not monitored.

Reducing noise: trusted IP lists (no findings are generated for those IPs), archiving findings once fixed, and suppression rules that auto-archive findings by finding type or other filter attributes.

Finding types cover EC2, S3 and IAM resources.

A GuardDuty administrator account (formerly called the master account) invites member accounts, and the member accounts' findings are aggregated in the administrator account.

Incident Response phases:

Preparation Phase:

Ensure logging is enabled before anything happens: CloudTrail, VPC Flow Logs and OS/application logs shipped from the EC2 instances.

Detection Phase:

CloudWatch Alarms, SNS notifications, GuardDuty findings

Containment Phase:

Automated AWS CLI scripts that isolate the affected resource and cut off the attacker's access

Investigation Phase:

CloudWatch Logs

AWS Config (resource configuration history, to see what changed and when)

Recovery Phase:

Use prebuilt AMIs for the application to launch a fresh application server instead of cleaning the compromised one.

(a) AWS credentials leaked:

Points to remember:

Deactivate the leaked access key rather than deleting it: deactivation is reversible if a legitimate workload breaks, and the key ID stays in place for the investigation.

Sessions already obtained with temporary credentials (STS) keep working after the key is deactivated. Attach an inline policy with an explicit Deny conditioned on aws:TokenIssueTime so that every token issued before the revocation time loses all access (this is what the IAM console's "Revoke active sessions" does).

Review CloudTrail to see what the leaked credentials were used for; the access key ID appears in the userIdentity field of each event.
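The two containment steps above, as an added example that is not part of the original post: a shell script around the aws CLI that deactivates an IAM user's access keys and then attaches the Deny-on-older-tokens policy. The aws CLI subcommands (iam list-access-keys, iam update-access-key, iam put-user-policy) are the real ones; the user name, the placeholder key ID, the policy name RevokeOlderSessions and the DRY_RUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): contain a leaked IAM user access key.
# Assumes the aws CLI is installed and the caller has iam:ListAccessKeys,
# iam:UpdateAccessKey and iam:PutUserPolicy. With DRY_RUN=1 (the default) the
# aws commands are printed instead of executed, so the plan can be reviewed first.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print or execute an aws CLI command depending on DRY_RUN.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: aws %s\n' "$*"
  else
    aws "$@"
  fi
}

# Policy that revokes every temporary credential issued before the cutoff:
# an explicit Deny on all actions, conditioned on aws:TokenIssueTime. Explicit
# Deny overrides every Allow, so STS sessions obtained with the leaked key stop
# working immediately instead of running until they expire. Long-term keys carry
# no aws:TokenIssueTime, so this policy does not touch them; they are handled by
# deactivate_key below.
revoke_policy_json() {
  cutoff="$1"   # UTC timestamp, e.g. 2024-05-01T12:00:00Z
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": { "aws:TokenIssueTime": "${cutoff}" }
      }
    }
  ]
}
EOF
}

# Deactivate (not delete) one access key: reversible if a legitimate workload
# breaks, and the key ID stays in place for the CloudTrail review.
deactivate_key() {
  run_aws iam update-access-key --user-name "$1" --access-key-id "$2" --status Inactive
}

# Full containment for one IAM user: deactivate all of the user's keys, then
# attach the session-revocation policy with the current time as the cutoff.
contain_user() {
  user="$1"
  cutoff="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  if [ "$DRY_RUN" = "1" ]; then
    # Constructed placeholder key ID so the dry run shows the full sequence.
    keys="AKIAEXAMPLEKEY0000001"
  else
    keys="$(aws iam list-access-keys --user-name "$user" \
      --query 'AccessKeyMetadata[].AccessKeyId' --output text)"
  fi
  for key in $keys; do
    deactivate_key "$user" "$key"
  done
  # The inline policy name is an assumption; any name works.
  run_aws iam put-user-policy --user-name "$user" \
    --policy-name RevokeOlderSessions \
    --policy-document "$(revoke_policy_json "$cutoff")"
}

# Usage: DRY_RUN=0 ./contain.sh <iam-user-name>
if [ "$#" -ge 1 ]; then
  contain_user "$1"
fi
```

Run it once with the default DRY_RUN=1 to see the exact aws commands, then with DRY_RUN=0 to execute them. Once the investigation is complete and the user has been issued a new key, the inline policy can be removed with iam delete-user-policy, since it would also deny any new sessions whose token was issued before the cutoff.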

(b) EC2 compromised:

Services that may be penetration tested without prior approval from AWS include:

  1. EC2 instances, NAT Gateways, ELBs

Instance types that may not be penetration tested:

T3/T2 nano

T1 micro

M1 small

Shared Responsibility Model


