Cloud incidents move fast. An attacker with a leaked access key can enumerate the account in minutes and begin exfiltration. Response time matters. This module covers a practitioner-grade cloud IR workflow: what to do in the first 30 minutes, 2 hours, and 24 hours after suspecting compromise.
The cloud-specific challenges
- Speed: API-based actions execute in seconds. Exfil via CopyObject / CreateDBSnapshot is fast
- Immutability of action: once data is copied out, you can't undo it
- Cross-region / cross-account pivoting: the attacker may move to low-monitored regions
- Credentials vs compute: cloud IR differs from host-level IR (there is no endpoint to isolate)
- Forensic state: the attacker may delete CloudTrail, S3 versions, snapshots
First 30 minutes: contain
1. Verify the alert
False positives are common. Check: is the activity actually anomalous? Is the suspect principal legitimate? Before panic, spend 2 minutes confirming.
2. Identify the compromised principal
Is it an IAM user, IAM role, federated user, EC2 instance profile, Lambda execution role? This determines containment action.
3. Rotate credentials / revoke sessions
# IAM User -> disable access keys
aws iam update-access-key --access-key-id AKIAXXX --status Inactive --user-name USER
# IAM User -> detach all policies
aws iam list-attached-user-policies --user-name USER
aws iam detach-user-policy --user-name USER --policy-arn ARN
# Deny all -> attach the AWS managed explicit-deny policy
# Policy: {"Effect":"Deny","Action":"*","Resource":"*"}
aws iam attach-user-policy --user-name USER --policy-arn arn:aws:iam::aws:policy/AWSDenyAll
# Revoke all active sessions of a role (including STS-assumed)
# Apply a session policy with explicit deny + revocation
# No dedicated CLI command: in the AWS Console use Role -> Revoke sessions, which attaches
# an inline AWSRevokeOlderSessions policy (Deny * with a DateLessThan condition on aws:TokenIssueTime)
# EC2 instance -> isolate via a security group with no inbound/outbound rules
aws ec2 modify-instance-attribute --instance-id i-xxx \
--groups sg-isolation-empty
4. Preserve evidence
- Snapshot affected EC2 volumes (EBS snapshots: an immutable copy for forensics)
- Don't terminate instances yet; memory state would be lost
- Copy relevant CloudTrail logs to an isolated S3 bucket (prevents attacker tampering)
- Enable VPC Flow Logs if not already enabled (captures network state)
First 2 hours: scope
Analyse CloudTrail
Everything an attacker did via API is logged. Search for:
# All actions by the compromised principal
eventName != null AND userIdentity.arn LIKE '%COMPROMISED_PRINCIPAL%'
# High-impact actions to prioritise
CreateUser, CreateAccessKey, AttachUserPolicy, AttachRolePolicy,
PutUserPolicy, PutRolePolicy (privilege escalation)
CreateRole, AssumeRole (lateral movement)
ModifyDBSnapshotAttribute, ModifySnapshotAttribute, PutBucketAcl,
PutBucketPolicy (data exfil prep)
CopyObject, GetObject at high volume (exfil)
PutObject to new buckets (staging)
DeleteTrail, StopLogging, DeleteDetector (covering tracks)
DescribeInstances, ListBuckets, ListUsers (reconnaissance)
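As an added example (not part of this module or of any AWS tooling), the Python below applies the same filter and event groupings to CloudTrail records offline: it keeps records whose userIdentity.arn contains the compromised principal (the LIKE '%COMPROMISED_PRINCIPAL%' filter), buckets them by the categories listed above, flags GetObject/CopyObject only past a volume threshold, and flattens the result into a time-ordered timeline. The sample records, ARNs, IPs and the threshold value are constructed.

```python
from collections import defaultdict

# High-impact CloudTrail eventNames, grouped as the module lists them.
HIGH_IMPACT = {
    "privilege_escalation": {"CreateUser", "CreateAccessKey", "AttachUserPolicy",
                             "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy"},
    "lateral_movement": {"CreateRole", "AssumeRole"},
    "exfil_prep": {"ModifyDBSnapshotAttribute", "ModifySnapshotAttribute",
                   "PutBucketAcl", "PutBucketPolicy"},
    "exfil": {"CopyObject", "GetObject"},          # only meaningful at volume
    "staging": {"PutObject"},
    "anti_forensics": {"DeleteTrail", "StopLogging", "DeleteDetector"},
    "recon": {"DescribeInstances", "ListBuckets", "ListUsers"},
}
EXFIL_VOLUME_THRESHOLD = 3  # assumed cut-off; tune to the account's normal baseline

def triage(records, principal_fragment, volume_threshold=EXFIL_VOLUME_THRESHOLD):
    """Keep records whose userIdentity.arn contains the fragment and bucket them by category."""
    hits = defaultdict(list)
    for r in records:
        if principal_fragment not in r.get("userIdentity", {}).get("arn", ""):
            continue
        name = r.get("eventName", "")
        for category, names in HIGH_IMPACT.items():
            if name in names:
                hits[category].append((r["eventTime"], name, r.get("sourceIPAddress", "?")))
    # Single GetObject/CopyObject calls are routine; flag exfil only above the threshold.
    if len(hits["exfil"]) < volume_threshold:
        hits.pop("exfil")
    return dict(hits)

def timeline(hits):
    """Flatten the buckets into a time-ordered list for the post-incident timeline."""
    return sorted((t, cat, name, ip) for cat, evs in hits.items() for t, name, ip in evs)

# Constructed sample records in CloudTrail's record shape (not real account data).
COMPROMISED = "arn:aws:iam::111122223333:user/ci-deploy"
OTHER = "arn:aws:sts::111122223333:assumed-role/app-server/i-0abc"

def rec(minute, name, arn=COMPROMISED, ip="203.0.113.7"):
    return {"eventTime": f"2024-05-01T10:{minute:02d}:00Z", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}

SAMPLE_RECORDS = [rec(0, "ListBuckets"), rec(1, "CreateAccessKey"), rec(2, "PutBucketPolicy"),
                  rec(3, "GetObject"), rec(3, "GetObject"), rec(4, "GetObject"),
                  rec(10, "StopLogging"), rec(5, "DescribeInstances", arn=OTHER, ip="10.0.1.5")]

if __name__ == "__main__":
    for entry in timeline(triage(SAMPLE_RECORDS, "user/ci-deploy")):
        print(*entry)
```

Point it at real data by loading the "Records" array of each CloudTrail log file (or the rows returned by an Athena query over the trail bucket) in place of SAMPLE_RECORDS.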
GuardDuty + Detective + Security Hub
AWS Detective automatically builds relationship graphs from CloudTrail. GuardDuty findings typically pinpoint initial detection signals. Security Hub aggregates across accounts. Use all three in parallel.
Check for persistence
- New IAM users / access keys created
- New IAM roles assumable by external accounts (trust policy changes)
- Lambda functions created or modified
- EC2 user-data scripts with callbacks
- KMS key policies granting external access
- RDS / EBS snapshots shared externally
- SSM documents / Associations created
First 24 hours: eradicate + recover
- Remove attacker persistence (delete created users, revert policy changes)
- Rotate ALL credentials that might have been exposed (even if not confirmed used)
- Review and remediate all pre-existing IAM roles the attacker could have escalated through
- Restore any modified / deleted resources from backups
- Verify CloudTrail integrity (log file integrity validation)
- Document timeline for post-incident review
- Communicate to stakeholders per your IR plan
DPDP notification
If personal data was accessed, exfiltrated or otherwise affected, DPDP Section 8(6) breach notification obligations apply: a 72-hour notification to the Data Protection Board of India is required (per the draft Rules). See DPDP path Module 4, Breach Response Tabletop.