Information Security Incident Response engineers may request

To investigate your incident effectively, AWS Security Incident Response engineers may ask you to provide:

Timeline details - When you first detected the incident and any relevant events leading up to it
Affected resources - Specific AWS account IDs, services, regions, and resource ARNs involved
Access information - Details about who has access to affected resources and any recent access changes
Business context - How the affected resources are used and the potential business impact
Logs and evidence - Additional logs, screenshots, or artifacts that may help the investigation
Authorization - Approval to perform specific containment or remediation actions on your behalf

Your Security Incident Response engineer will explain why each piece of information is needed and how it helps the investigation.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Investigation workflow

Communication best practices