Concept Detail

Incident Response & Forensics in AWS

Difficulty: hard

Overview


AWS incident response follows the NIST SP 800-61 lifecycle: Prepare → Detect & Analyze → Contain → Eradicate → Recover → Post-Incident Activity. The AWS Security Incident Response Guide maps those phases onto AWS services: CloudTrail, GuardDuty and VPC Flow Logs for detection; IAM, security groups and NACLs for containment; EBS snapshots and S3 versioning for evidence and recovery. Most of the preparation phase is making sure the evidence will exist before the incident: an organization-wide, multi-region CloudTrail, GuardDuty enabled in every region, and a separate forensics account that the workload accounts cannot modify.

EC2 Instance Compromise Response:

  1. Snapshot & preserve: Create EBS snapshots of every attached volume and an AMI before changing anything else. Create the AMI with the no-reboot option: the default CreateImage reboots the instance, which destroys volatile memory. If memory matters, acquire it from the running instance before any reboot, stop or termination, since a disk snapshot contains no RAM.
  2. Isolate: Replace the instance's security groups with a quarantine group that has no inbound and no outbound rules. Security groups are allow-lists, so "deny all" means an empty rule set, not explicit deny rules. Pair it with a NACL deny or a route-table change if established connections must be cut immediately, and detach the instance from its Auto Scaling group or target group: Auto Scaling will otherwise replace and terminate an instance that stops passing health checks, termination protection notwithstanding.
  3. Investigate: Analyze the EBS snapshot on a forensics instance in an isolated VPC, ideally in a separate forensics account.
  4. Revoke: If the instance profile credentials were exfiltrated, the stolen session stays valid until it expires even though IMDS hands the instance a fresh set. Deny the role for that one instance with a policy conditioned on ec2:SourceInstanceARN (the condition rides with the credentials), or revoke every session issued before a cutoff with aws:TokenIssueTime. A blanket deny-all on the role also breaks every other instance that uses it.
  5. Terminate: Only after forensics are complete and the snapshots, AMI and logs have been verified as intact.

Never SSH with the original key pair during forensics; use SSM Session Manager for access without opening port 22. Two caveats: Session Manager needs the SSM agent to reach the SSM endpoints, so a quarantine group with zero outbound rules also cuts it off (allow outbound HTTPS to SSM VPC interface endpoints if live access during isolation is wanted), and the agent runs on a host you now consider hostile, so treat whatever it shows you as untrusted and base conclusions on offline analysis of the snapshot.

IAM Credential Compromise Response:

  1. Immediately deactivate the compromised access key rather than deleting it. Deactivation stops new calls at once, can be reversed if a legitimate workload turns out to depend on the key, and keeps the key id visible in IAM while you trace its use. Delete it once the investigation is closed.
  2. Create a replacement key for the workload (or, better, move the workload to an IAM role so there is no long-lived key to leak next time).
  3. Review CloudTrail for every API call made with the compromised key in ALL regions, including failed calls: AccessDenied errors show what the attacker tried and what they were hunting for. Note the source IPs, any sts:AssumeRole pivots into roles, and persistence such as new users, keys, roles or modified trust policies.
  4. Identify and remediate unauthorized resources that were created (instances, users, keys, roles, functions) in every region the key touched.
  5. If a role was assumed with the key, revoke its active sessions: the IAM console's "Revoke sessions" action attaches an inline deny for credentials issued before the current time (aws:TokenIssueTime), so the attacker's session dies while new sessions keep working.
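
Steps 3 and 5 above, and step 4 of the EC2 list, in code, as an added example that is not part of the original page or of any AWS tooling: a CloudTrail triage over constructed records for one access key, followed by the two deny policies (aws:TokenIssueTime session revocation, ec2:SourceInstanceARN instance-scoped deny). The records, account id, role and instance ids are made up; the access key is the AKIAIOSFODNN7EXAMPLE placeholder from AWS documentation.

```python
"""Triage CloudTrail for a compromised access key, then build the two IAM deny
policies that cut off credentials derived from it.

Added example, not from the original page or AWS. Records are constructed;
the key is AWS's documented placeholder AKIAIOSFODNN7EXAMPLE and the account,
role and instance ids are made up.
"""
import json

COMPROMISED_KEY = "AKIAIOSFODNN7EXAMPLE"

# Constructed records in the shape of CloudTrail's `Records` array. In a real
# response they come from Athena or CloudTrail Lake over every region.
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-01T10:02:11Z", "awsRegion": "us-east-1", "readOnly": True,
     "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": COMPROMISED_KEY}},
    {"eventTime": "2024-03-01T10:03:40Z", "awsRegion": "us-east-1", "readOnly": False,
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": COMPROMISED_KEY},
     "responseElements": {"user": {"arn": "arn:aws:iam::111122223333:user/backup-svc"}}},
    {"eventTime": "2024-03-01T10:04:02Z", "awsRegion": "us-east-1", "readOnly": False,
     "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": COMPROMISED_KEY}},
    {"eventTime": "2024-03-01T10:09:55Z", "awsRegion": "ap-southeast-1", "readOnly": False,
     "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": COMPROMISED_KEY},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0abc0000miner001"}]}}},
    {"eventTime": "2024-03-01T10:12:30Z", "awsRegion": "us-east-1", "readOnly": False,
     "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": COMPROMISED_KEY},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin"}},
    {"eventTime": "2024-03-01T10:15:00Z", "awsRegion": "us-east-1", "readOnly": True,
     "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",  # unrelated key, must be ignored
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

# Where each mutating call reports the identifier of what it created.
_CREATED = {
    "CreateUser": lambda r: [r["responseElements"]["user"]["arn"]],
    "RunInstances": lambda r: [i["instanceId"] for i in r["responseElements"]["instancesSet"]["items"]],
}


def triage(records, key_id):
    """Regions touched, mutating calls, denied attempts, roles pivoted into,
    resources created and source IPs for one access key."""
    out = {"regions": set(), "source_ips": set(), "mutating": [], "denied": [],
           "assumed_roles": set(), "created": []}
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r.get("userIdentity", {}).get("accessKeyId") != key_id:
            continue
        out["regions"].add(r["awsRegion"])
        out["source_ips"].add(r["sourceIPAddress"])
        if "errorCode" in r:  # failed calls reveal intent and what the key could not do
            out["denied"].append((r["eventTime"], r["eventName"], r["errorCode"]))
            continue
        # CloudTrail's own readOnly flag, with a name heuristic if it is absent.
        read_only = r.get("readOnly", r["eventName"].startswith(("Get", "List", "Describe", "Head")))
        if not read_only:
            out["mutating"].append((r["eventTime"], r["awsRegion"], r["eventName"]))
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole":
            out["assumed_roles"].add(r["requestParameters"]["roleArn"])
        if r["eventName"] in _CREATED and "responseElements" in r:
            out["created"].extend(_CREATED[r["eventName"]](r))
    return out


def revoke_sessions_policy(issued_before):
    """What the IAM console's "Revoke sessions" attaches: deny everything to
    credentials issued before the cutoff (ISO-8601 UTC). Sessions issued
    after it, i.e. by the cleaned-up workload, keep working."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": issued_before}}}]}


def deny_instance_policy(instance_arn):
    """Deny a role's credentials when they came from one specific instance.
    The condition rides with the session, so it also blocks the exfiltrated
    copy, without breaking the other instances that share the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"ec2:SourceInstanceARN": instance_arn}}}]}


if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS, COMPROMISED_KEY)
    print(json.dumps(summary, default=sorted, indent=2))
    for role in summary["assumed_roles"]:
        print(role, json.dumps(revoke_sessions_policy("2024-03-01T10:20:00Z")))
```

Every role in `assumed_roles` gets the revoke policy attached as an inline policy; the cutoff is the moment you finished rotating the key, so anything the workload issues afterwards is unaffected. Note that the denied CreateAccessKey still counts as activity worth recording: it tells you the attacker was trying to establish persistence.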

Automated Incident Response Pattern:

  • GuardDuty finding → EventBridge rule (match on finding type and numeric severity) → Lambda → auto-remediate, with the finding id recorded on everything the function touches
  • Example: GuardDuty detects a port scan or brute force against an instance → Lambda blocks the source IP. A WAF IP set protects only ALB, CloudFront, API Gateway and other WAF-attached endpoints, so traffic aimed directly at instances needs a NACL deny entry instead
  • Example: GuardDuty detects instance credential exfiltration → Lambda attaches a deny policy to the role, scoped to that instance or to sessions issued before the finding
  • Guard every automatic action with a severity threshold, an exclusion tag for instances that must never be auto-quarantined, and a dry-run mode: a false positive that isolates a production instance is an availability incident you caused yourself
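
The GuardDuty → EventBridge → Lambda pattern with the EC2 response steps (snapshots, no-reboot AMI, quarantine group, termination protection) as the Lambda body, added here as an example; it is not code from the original page or from AWS. The EventBridge pattern, the finding fields and the EC2 API calls are real; the QUARANTINE_SG environment variable, the group and resource ids, the sample finding and the FakeEC2 recording client used for the offline run are assumptions.

```python
"""GuardDuty finding -> EventBridge -> Lambda: preserve evidence, then quarantine
the instance named in the finding.

Added example, not from the original page or AWS. The quarantine group id, the
QUARANTINE_SG environment variable, the sample finding and the FakeEC2 client
used for the offline run are constructed; in Lambda a real boto3 client is used.
"""
import os
from datetime import datetime, timezone

try:
    import boto3  # present in the Lambda runtime
except ImportError:  # lets the module import where boto3 is not installed
    boto3 = None

# EventBridge rule pattern: only findings of severity 7.0+ (HIGH and above)
# that name an EC2 instance invoke the function.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}],
               "resource": {"resourceType": ["Instance"]}},
}


def isolate_instance(ec2, instance_id, quarantine_sg, finding_id):
    """Preserve first, contain second; returns a record for the ticket."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = [{"Key": "Quarantine", "Value": "true"}, {"Key": "GuardDutyFinding", "Value": finding_id}]
    # 1. Point-in-time snapshot of every attached EBS volume, tagged for chain of custody.
    snapshots = [
        ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                            Description=f"IR {finding_id} {instance_id} {m['DeviceName']}",
                            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])["SnapshotId"]
        for m in inst["BlockDeviceMappings"] if "Ebs" in m
    ]
    # 2. AMI with NoReboot: the default reboot would wipe memory you may still want.
    image_id = ec2.create_image(InstanceId=instance_id, NoReboot=True,
                                Name=f"ir-{instance_id}-{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}")["ImageId"]
    # 3. Swap in the quarantine group (no inbound/outbound rules). This covers the
    #    primary ENI only; extra ENIs need modify_network_interface_attribute each.
    previous_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # 4. Termination protection blocks API/console termination. It does not stop
    #    Auto Scaling from replacing an unhealthy instance; detach it from its group too.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id],
                    Tags=tags + [{"Key": "PreviousSecurityGroups", "Value": ",".join(previous_sgs)}])
    return {"instance": instance_id, "snapshots": snapshots, "image": image_id,
            "previous_sgs": previous_sgs}


def lambda_handler(event, context=None, ec2=None, quarantine_sg=None):
    """Entry point; EventBridge passes the GuardDuty finding as `event`."""
    detail = event["detail"]
    instance_id = detail["resource"]["instanceDetails"]["instanceId"]
    ec2 = ec2 or boto3.client("ec2", region_name=event["region"])
    return isolate_instance(ec2, instance_id, quarantine_sg or os.environ["QUARANTINE_SG"], detail["id"])


class FakeEC2:
    """Records calls so the flow runs without an AWS account (constructed)."""
    def __init__(self):
        self.calls = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0],
            "SecurityGroups": [{"GroupId": "sg-0web0000000000001"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root000000000001"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data000000000001"}}]}]}]}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def create_image(self, **kw):
        self.calls.append(("create_image", kw))
        return {"ImageId": "ami-0ir0000000000001"}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


SAMPLE_FINDING = {  # constructed; shaped like the EventBridge event for a GuardDuty finding
    "region": "us-east-1", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f0000000000000000000000000000001", "severity": 8.0,
               "type": "Backdoor:EC2/C&CActivity.B!DNS",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0compromised000001"}}},
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_FINDING, ec2=FakeEC2(), quarantine_sg="sg-0quarantine00001"))
```

The function's execution role needs only ec2:DescribeInstances, CreateSnapshot, CreateImage, ModifyInstanceAttribute and CreateTags; keep it that narrow, because an over-privileged remediation function is itself a tempting pivot. The previous security groups are written to a tag so the instance can be restored if the finding turns out to be a false positive.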

S3 Ransomware Response:

  • Enablement (proactive): S3 Versioning + MFA Delete + Object Lock. With versioning on, a DELETE without a version id only adds a delete marker and an overwrite only adds a new version; doing permanent damage requires s3:DeleteObjectVersion, so deny that action in the bucket policy to everyone except a break-glass recovery role. MFA Delete (enabled by the root user, via CLI/API only) additionally demands an MFA code to delete a version or suspend versioning. Object Lock in compliance mode makes versions undeletable by anyone, root included, until the retention period ends.
  • Detection: GuardDuty S3 protection findings, plus CloudTrail S3 data events, which are off by default and must be enabled for the bucket before the incident if you want per-object DeleteObject/PutObject records.
  • Recovery: Remove the delete markers to bring the previous versions back, and copy the last pre-attack version over any object the attacker overwrote. Object Lock restores nothing by itself; it guarantees that the versions you need to restore from are still there.
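
The recovery step as an added example, not code from the original page or from AWS: given a list_object_versions response, decide which delete markers to remove and which pre-attack versions to copy back, then run the plan. The listing, bucket name, keys and version ids are constructed, and FakeS3 stands in for the boto3 client; the VERSIONING and OBJECT_LOCK dicts show the proactive settings in the shape the corresponding put_* calls take.

```python
"""Plan and run recovery of a versioned S3 bucket after a mass delete/overwrite,
starting from a list_object_versions response.

Added example, not from the original page or AWS. The listing, bucket name,
keys and version ids are constructed; FakeS3 stands in for a boto3 client.
"""
from datetime import datetime, timezone

ATTACK_START = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)  # from CloudTrail/GuardDuty


def _t(month, day, hour, minute):  # helper for the constructed timestamps
    return datetime(2024, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed list_object_versions response (boto3 returns tz-aware datetimes).
#   reports/q1.csv   deleted without a version id -> delete marker on top
#   reports/q2.csv   overwritten with an encrypted blob after ATTACK_START
#   reports/q3.csv   untouched
#   RANSOM_NOTE.txt  uploaded by the attacker; nothing pre-attack to restore
LISTING = {
    "Versions": [
        {"Key": "reports/q1.csv", "VersionId": "v1-q1", "IsLatest": False, "LastModified": _t(2, 20, 9, 0)},
        {"Key": "reports/q2.csv", "VersionId": "v2-q2-enc", "IsLatest": True, "LastModified": _t(3, 1, 10, 5)},
        {"Key": "reports/q2.csv", "VersionId": "v1-q2", "IsLatest": False, "LastModified": _t(2, 21, 9, 0)},
        {"Key": "reports/q3.csv", "VersionId": "v1-q3", "IsLatest": True, "LastModified": _t(2, 22, 9, 0)},
        {"Key": "RANSOM_NOTE.txt", "VersionId": "v1-note", "IsLatest": True, "LastModified": _t(3, 1, 10, 6)},
    ],
    "DeleteMarkers": [
        {"Key": "reports/q1.csv", "VersionId": "dm-q1", "IsLatest": True, "LastModified": _t(3, 1, 10, 3)},
    ],
}

# Proactive settings, in the shape of put_bucket_versioning / put_object_lock_configuration.
VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}  # MFADelete: root user, CLI/API only
OBJECT_LOCK = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}


def plan_restore(listing, attack_start):
    """Work out how to put the last pre-attack version of each key back on top.

    delete marker newer than attack_start  -> remove the marker; the prior version reappears
    object version newer than attack_start -> copy the last good version over it
                                              (new version on top; attacker's upload kept as evidence)
    no version older than attack_start     -> versioning alone cannot recover it
    """
    by_key = {}
    for v in listing.get("Versions", []):
        by_key.setdefault(v["Key"], []).append(v)
    plan = {"remove_markers": [], "copy_back": [], "no_pre_attack_version": []}
    for m in listing.get("DeleteMarkers", []):
        if m["IsLatest"] and m["LastModified"] >= attack_start:
            plan["remove_markers"].append((m["Key"], m["VersionId"]))
    for key, versions in by_key.items():
        latest = next((v for v in versions if v["IsLatest"]), None)
        if latest is None or latest["LastModified"] < attack_start:
            continue  # untouched, or hidden behind a delete marker handled above
        good = [v for v in versions if v["LastModified"] < attack_start]
        if not good:
            plan["no_pre_attack_version"].append(key)
            continue
        plan["copy_back"].append((key, max(good, key=lambda v: v["LastModified"])["VersionId"]))
    return plan


def apply_plan(s3, bucket, plan):
    """Execute the plan with a boto3-style S3 client."""
    for key, version_id in plan["remove_markers"]:
        # Deleting the *marker* by version id is what undoes the delete. This needs
        # s3:DeleteObjectVersion, which only the recovery role should hold.
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    for key, version_id in plan["copy_back"]:
        s3.copy_object(Bucket=bucket, Key=key,
                       CopySource={"Bucket": bucket, "Key": key, "VersionId": version_id})


class FakeS3:
    """Records the calls so the plan can be exercised offline (constructed)."""
    def __init__(self):
        self.calls = []

    def delete_object(self, **kw):
        self.calls.append(("delete_object", kw["Key"], kw["VersionId"]))

    def copy_object(self, **kw):
        self.calls.append(("copy_object", kw["Key"], kw["CopySource"]["VersionId"]))


if __name__ == "__main__":
    plan = plan_restore(LISTING, ATTACK_START)
    s3 = FakeS3()
    apply_plan(s3, "finance-reports", plan)
    print(plan, s3.calls, sep="\n")
```

Against a real bucket the listing is paginated (use the ListObjectVersions paginator) and the attack window comes from the CloudTrail data events or the GuardDuty finding. Review the `no_pre_attack_version` list by hand: it mixes attacker-created files with anything whose every version was permanently deleted, and only a backup outside the bucket recovers the latter.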

Forensic Snapshot Workflow:

  1. Create EBS snapshots of all volumes (root + data) and record the snapshot ids, the time, and who took them.
  2. Share the snapshots to the forensics account (createVolumePermission), then copy them there so the source account can no longer revoke access or delete them. Snapshots encrypted with the default aws/ebs key cannot be shared at all; copy them with a customer-managed KMS key whose key policy grants the forensics account, then share the copy.
  3. Create volumes from the copied snapshots in an isolated VPC (no internet gateway, no peering).
  4. Attach them to the forensics instance and mount read-only (for ext4, mount -o ro,noload so the journal is not replayed), hashing the raw device first so later analysis can be shown to match the evidence.
  5. Analyze with file system and timeline tools. Memory forensics needs a memory image acquired from the live instance before it was stopped or rebooted; a disk snapshot contains none of it.

Key Automation Services:

  • SSM Automation: AWS-provided and custom runbooks for repeatable IR steps (isolate an instance, snapshot its volumes, revoke credentials), with each run recorded in CloudTrail
  • EventBridge + Lambda: event-driven response to GuardDuty, Security Hub and CloudTrail events
  • AWS Step Functions: multi-step IR workflows with retries, error handling and human-approval pauses before destructive actions

Practice Linked Questions


medium

Q1. A security team needs to investigate a potentially compromised EC2 instance without SSH access and without opening inbound port 22. Which AWS service enables secure remote access for investigation?

medium

Q2. During incident response, a security team finds a potentially compromised EC2 instance. What should be the FIRST action to preserve forensic evidence before containing the threat?

medium

Q3. An IAM user's access keys were accidentally committed to a public GitHub repository and detected within 10 minutes. What is the CORRECT response sequence?

hard

Q4. A company wants to automatically ISOLATE an EC2 instance when GuardDuty generates a HIGH-severity finding. What is the MOST efficient automated approach?

medium

Q5. GuardDuty detects high-volume unusual DELETE operations on an S3 bucket, suggesting a ransomware attack. Which AWS feature, if enabled BEFORE the attack, would allow recovery of the deleted objects?

hard

Q6. When responding to a confirmed AWS account compromise, which of the following are RECOMMENDED immediate actions? (More than one answer may be correct — Select THREE.)

hard

Q7. A company discovers an EC2 instance in a public subnet was compromised and used to scan internal resources. The security team needs to ISOLATE the instance for forensics without losing any evidence. Which TWO actions should be taken IMMEDIATELY in the correct order? (More than one answer may be correct — Select TWO.)