Appendix C: Example Runbook - AWS Security Incident Response Guide

Appendix C: Example Runbook

This following example runbook represents a single entry of a larger runbook. This runbook is unofficial and provided only as an example. As you craft your runbooks, each of your scenarios may evolve into larger items that have different beginnings and indicators of compromise, but all have similar outcomes or actions that need to be taken. Realizing this change can also open up other situations to better or more insightful responses.

Incident Response Runbook – Root Usage


The objective of this runbook is to provide specific guidance on how to manage Root AWS account usage. This runbook is not a substitute for an in-depth Incident Response strategy. This runbook focuses on the IR lifecycle:

  • Establish control.

  • Determine impact.

  • Recover as needed.

  • Investigate the root cause.

  • Improve.

The Indicators of Compromise (IOC), initial steps (stop the bleeding), and the detailed CLI commands needed to execute those steps are listed below.


  • CLI configured and installed.

  • Reporting process is already in place.

  • Trusted Advisor is active.

  • Security Hub is active.

Indicators of Compromise

  • Activity that is abnormal for the account.

    • Creation of IAM users.

    • CloudTrail turned off.

    • Cloudwatch turned off.

    • SNS paused.

    • Step Functions paused.

  • Launching of new or unexpected AMIs.

  • Changes to the contacts on the account.

Steps to Remediate – Establish Control

AWS documentation for a possible compromised account calls out the specific tasks listed below. The documentation for a possible compromised account can be found at: What do I do if I notice unauthorized activity in my AWS account?

  1. Contact AWS Support and TAM as soon as possible.

  2. Change and rotate Root password and add an MFA device associated with Root.

  3. Rotate passwords, access/secret keys, and CLI commands relevant to remediation steps.

  4. Review actions taken by the root user.

  5. Open the runbooks for those actions.

  6. Close incident.

  7. Review the incident and understand what happened.

  8. Fix the underlying issues, implement improvements, and update the runbook as needed.

Further Action Items – Determine Impact

Review created items and mutating calls. There are may be items that have been created to allow access in the future. Some things to look at:

  • IAM Cross account roles.

  • IAM Users.

  • S3 buckets.

  • EC2 instances.

  • [Your application and infrastructure will drive this list.]