AWS cli based incident response playbook


Previously we had a Linux CLI based playbook to identify Linux attacks, like cat /etc/passwd, netstat -anp. In AWS cloud, do we have a CLI based incident response playbook? Can anyone share the command list for investigating AWS compromise (EC2, IAM, S3) and AWS Kubernetes compromise? Thanks

asked 2 years ago, 394 views
2 Answers
answered a year ago

For general AWS Security, I would start here: The AWS whitepaper covers a lot of AWS security, including Detection which would be how to investigate/detect strange behavior.

AWS has a service called GuardDuty that comes with security checks: For pricing information, check

GuardDuty will analyze VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs for suspicious events.

For Incident Response, here's a start: This is another guide that AWS publishes:

answered 2 years ago
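The answer above points at GuardDuty and CloudTrail rather than a command list, so here is an added example (not from this thread or from AWS) of the kind of CLI-driven triage the question asks for. It assumes you have already exported recent management events with the real command `aws cloudtrail lookup-events --start-time <ISO time> --output json > events.json` and then run this script over that file. The watchlist categories, the AccessDenied threshold, the account ID and the sample events are all constructed for illustration; they are not GuardDuty finding types.

```python
"""Triage CloudTrail events exported by `aws cloudtrail lookup-events`.

Added example, not code from the original re:Post thread. The watchlist,
threshold and SAMPLE data below are constructed for illustration.
"""
import json
from collections import defaultdict

# API calls worth a second look when triaging a suspected IAM/EC2/S3 compromise.
# Category names are this example's own labels (assumption), not AWS terms.
WATCHLIST = {
    "iam-persistence": {
        "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
        "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    },
    "defense-evasion": {
        "StopLogging", "DeleteTrail", "UpdateTrail", "DeleteFlowLogs", "DeleteDetector",
    },
    "s3-exposure": {
        "PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy", "PutBucketPublicAccessBlock",
    },
    "ec2-activity": {
        "RunInstances", "AuthorizeSecurityGroupIngress", "ModifyInstanceAttribute", "CreateKeyPair",
    },
}
# This many AccessDenied responses from one principal is treated as an enumeration signal.
ACCESS_DENIED_THRESHOLD = 3  # constructed value; tune to your environment


def parse_lookup_output(text):
    """Yield (outer_event, inner_record) pairs from lookup-events JSON output.

    lookup-events wraps each full CloudTrail record as a JSON string in the
    "CloudTrailEvent" field, so it has to be decoded a second time.
    """
    for ev in json.loads(text).get("Events", []):
        inner = json.loads(ev.get("CloudTrailEvent", "{}"))
        yield ev, inner


def principal_of(inner):
    """Best-effort identity string for the caller of an event."""
    ident = inner.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def triage(text):
    """Return watchlisted hits plus principals with an AccessDenied burst."""
    hits = []
    denied = defaultdict(int)
    for ev, inner in parse_lookup_output(text):
        name = inner.get("eventName", ev.get("EventName"))
        who = principal_of(inner)
        for category, names in WATCHLIST.items():
            if name in names:
                hits.append({
                    "category": category,
                    "event": name,
                    "principal": who,
                    "source_ip": inner.get("sourceIPAddress"),
                    "time": inner.get("eventTime", ev.get("EventTime")),
                    "request": inner.get("requestParameters"),
                })
        if inner.get("errorCode") == "AccessDenied":
            denied[who] += 1
    bursts = {p: n for p, n in denied.items() if n >= ACCESS_DENIED_THRESHOLD}
    return {"hits": hits, "access_denied_bursts": bursts}


def _rec(name, source, who, ip, err=None, params=None, when="2024-01-15T10:00:00Z"):
    """Build one constructed record in the shape lookup-events returns."""
    inner = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": who, "userName": who.rsplit("/", 1)[-1]},
        "eventTime": when, "eventSource": source, "eventName": name,
        "awsRegion": "us-east-1", "sourceIPAddress": ip, "requestParameters": params,
    }
    if err:
        inner["errorCode"] = err
    return {"EventName": name, "EventTime": when, "CloudTrailEvent": json.dumps(inner)}


# Constructed sample: a normal admin call, then a CI user that probes, fails,
# mints a key, stops the trail and rewrites a bucket policy. Account ID and IPs
# are documentation placeholders.
ALICE = "arn:aws:iam::111122223333:user/alice"
CI = "arn:aws:iam::111122223333:user/ci-deploy"
SAMPLE = json.dumps({"Events": [
    _rec("DescribeInstances", "ec2.amazonaws.com", ALICE, "203.0.113.5"),
    _rec("ListBuckets", "s3.amazonaws.com", CI, "198.51.100.7", err="AccessDenied"),
    _rec("ListUsers", "iam.amazonaws.com", CI, "198.51.100.7", err="AccessDenied"),
    _rec("GetAccountAuthorizationDetails", "iam.amazonaws.com", CI, "198.51.100.7", err="AccessDenied"),
    _rec("CreateAccessKey", "iam.amazonaws.com", CI, "198.51.100.7", params={"userName": "ci-deploy"}),
    _rec("StopLogging", "cloudtrail.amazonaws.com", CI, "198.51.100.7", params={"name": "org-trail"}),
    _rec("PutBucketPolicy", "s3.amazonaws.com", CI, "198.51.100.7", params={"bucketName": "example-data"}),
]})

if __name__ == "__main__":
    report = triage(SAMPLE)  # replace SAMPLE with open("events.json").read() in practice
    for h in report["hits"]:
        print(f"[{h['category']}] {h['time']} {h['principal']} {h['event']} from {h['source_ip']}")
    for p, n in report["access_denied_bursts"].items():
        print(f"[enumeration?] {p}: {n} AccessDenied responses")
```

The output groups findings by category and principal, which is usually the first thing a responder wants: one identity that trips "defense-evasion" and "iam-persistence" in the same window, from one source IP, is a strong lead for which access keys to disable and which trail to re-enable before going further. lookup-events only covers management events for the last 90 days, so for S3 data events or older activity you would run the same logic over the CloudTrail log files delivered to your trail's S3 bucket instead.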
