Quest: AWS Incident Response Day

About this Guide

This quest is the guide for an AWS led event including incident response day. Using an AWS supplied, or your own AWS account, you will learn through hands-on labs in the AWS Well-Architected area of Incident Response. The skills you learn will help you secure your workloads in alignment with the AWS Well-Architected Framework.


  • An AWS account that you are able to use for testing, that is not used for production or other purposes. NOTE: You will be billed for any applicable AWS resources used if you complete this lab that are not covered in the AWS Free Tier.

Lab 1 - Automated Deployment of Detective Controls

This hands-on lab will guide you through how to use AWS CloudFormation to automatically configure detective controls including AWS CloudTrail, AWS Config, and Amazon GuardDuty. You will use the AWS Management Console and AWS CloudFormation to guide you through how to automate the configuration of each service.

Start now!

Lab 2 - Protecting workloads on AWS from the instance to the edge

In this workshop, you will build an environment consisting of two Amazon Linux web servers behind an application load balancer. The web servers will be running a PHP web site that contains several vulnerabilities. You will then use AWS Web Application Firewall (WAF), Amazon Inspector and AWS Systems Manager to identify the vulnerabilities and remediate them.

Start now!

Lab 3 - Incident Response with AWS Console and CLI

This hands-on lab will guide you through a number of examples of how you could use the AWS Console and Command Line Interface (CLI) for responding to a security incident. It is a best practice to be prepared for an incident, and have appropriate detective controls enabled.

Start now!

Lab 4 - Getting Hands on with Amazon GuardDuty

Walks you through a scenario covering threat detection and automated remediation using Amazon GuardDuty; a managed threat detection service. The scenario simulates an attack that spans a few threat vectors, representing just a small sample of the threats that GuardDuty is able to detect.

Start now!

Lab 5 - Open Source AWS Memory Forensics

This lab consists of using an open source python module for orchestrating memory acquisitions and analysis using AWS Systems Manager. It analyzes the memory dump using Rekall with the most common plugins: psaux, pstree, netstat, ifconfig, pidhashtable.

Start now!

Further Learning

AWS Security Incident Response Guide

Find further information on the AWS website around AWS Cloud Security and in particular what your responsibilities are under the shared security model


  • Ben Potter, Security Lead, Well-Architected