L15. AWS Incident Response Framework & Playbooks
Video generating
Check back soon for the video lesson on AWS Incident Response Framework & Playbooks
The NIST-aligned IR lifecycle applied to AWS: pre-provisioned break-glass access, isolate-don't-terminate containment for compromised instances, and AWS Detective for root-cause analysis.
The NIST-Aligned Lifecycle
AWS incident response guidance mirrors the NIST incident response lifecycle: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. The exam tests this framework less as trivia and more as a way of reasoning about which action is appropriate at which stage. A question describing an active compromise is asking about containment, not preparation, and the two call for very different answers.
Preparation: Build the Response Before You Need It
Preparation happens long before an incident, and it decides how fast and how safely a team can respond once one occurs. Three elements matter most on the exam:
- Pre-provisioned break-glass IAM roles: dedicated roles reserved for incident response, created ahead of time so responders are not requesting new permissions mid-incident, when an attacker may already have visibility into IAM activity.
- A resource tagging strategy: consistent tags let responders quickly identify what an affected resource does and who owns it, cutting the time spent figuring out blast radius during an actual event.
- A dedicated forensics account: a tightly access-controlled account, separate from production, purpose-built to receive evidence.
Containment: Isolate, Don't Terminate
The most exam-relevant containment rule concerns a suspected compromised EC2 instance: do not terminate it immediately. Termination destroys volatile evidence, including memory contents, that could reveal how the attacker got in and what they did. The correct first move is to swap the instance's security group to an isolated quarantine security group with no inbound or outbound rules. This cuts off the instance's ability to communicate with an attacker's infrastructure or move laterally, while leaving the instance itself running and intact for forensic capture, such as an EBS snapshot and, where possible, a memory capture.
| Action | Effect on Evidence |
|---|---|
| Terminate immediately | Destroys memory and ephemeral state, evidence lost |
| Reboot | Clears memory contents, evidence lost |
| Isolate via quarantine security group | Stops communication, preserves the instance for capture |
AWS Detective for Root-Cause Analysis
Once an incident is contained, responders still need to understand scope and root cause, and manually correlating raw CloudTrail, VPC Flow Log, and GuardDuty data across dozens of API calls is slow. AWS Detective ingests GuardDuty findings, CloudTrail logs, and VPC Flow Logs and builds a visual graph of relationships between resources, IP addresses, and API calls. An analyst can pivot from a single finding to every resource and principal it touched, which speeds up determining the full scope of a compromise far beyond what manual log correlation allows.
Forensics Accounts Keep Evidence Clean
A dedicated forensics account, separate from production and tightly scoped in who can access it, is where evidence such as EBS snapshots, memory dumps, and exported logs gets copied for analysis. Isolating this work avoids contaminating production environments during an active investigation and avoids granting broad forensic access to anyone who does not strictly need it, which matters both for chain of custody and for limiting risk if the investigation itself is being watched by the attacker. Exam tip: Whenever a question describes a live compromised resource, the answer that terminates or reboots it first is almost always wrong. Isolate and preserve, then investigate.
- ✓AWS incident response follows the NIST lifecycle: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity
- ✓Preparation includes pre-provisioned break-glass IAM roles, a consistent resource tagging strategy, and a dedicated forensics account with tightly controlled access
- ✓The correct first containment step for a suspected compromised EC2 instance is isolation (swap to a locked-down quarantine security group), not termination, which would destroy evidence
- ✓Before remediating a compromised instance, capture an EBS snapshot (and memory if possible) to preserve forensic evidence
- ✓AWS Detective visualizes relationships across GuardDuty findings, CloudTrail, and VPC Flow Logs, speeding up root-cause and scope analysis compared to manually correlating raw logs
1. GuardDuty flags an EC2 instance as likely compromised and communicating with a command-and-control server. What should be the first containment action?
2. What is the primary purpose of a dedicated forensics account in an AWS incident response program?
3. An analyst is trying to understand how a compromised IAM credential was used across dozens of API calls and multiple resources. Which service is purpose-built to visualize these relationships?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.