Level 300: Incident Response with AWS Console and CLI

Authors

• Ben Potter, Security Lead, Well-Architected

Introduction

This hands-on lab will guide you through a number of examples of how you could use the AWS Console and Command Line Interface (CLI) for responding to a security incident. It is a best practice to be prepared for an incident, and have appropriate detective controls enabled. You can find more best practices by reading the Security Pillar of the AWS Well-Architected Framework.

The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.

Goals

• Identify tooling for incident response
• Automate containment for incident response
• Pre-deploy tools for incident response

Prerequisites

• An AWS account that you are able to use for testing, that is not used for production or other purposes.
• An IAM user or role in your AWS account. NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.
• CloudTrail must already be enabled in your account and logging to CloudWatch Logs, follow the Automated Deployment of Detective Controls lab to enable.

Steps:

• Getting Started
• Identity & Access Management
• Amazon VPC