Foundation of Incident Response - AWS Security Incident Response Guide

Foundation of Incident Response

All AWS users within an organization should have a basic understanding of security incident response processes, and security staff must deeply understand how to react to security issues. Experience and education are vital to a cloud incident response program and should be in place before you handle a security event. The foundation of a successful incident response program in the cloud is to Educate, Prepare, Simulate, and Iterate.

To understand each of these aspects, consider the following descriptions:

  • Educate your security operations and incident response staff about cloud technologies and how your organization intends to use them.

  • Prepare your incident response team to detect and respond to incidents in the cloud by enabling detective capabilities, and ensuring appropriate access to the necessary tools and cloud services. Additionally, prepare the necessary runbooks, both manual and automated, to ensure reliable and consistent responses. Work with other teams to establish expected baseline operations, and use that knowledge to identify deviations from those normal operations.

  • Simulate both expected and unexpected security events within your cloud environment to understand the effectiveness of your preparation.

  • Iterate on the outcome of your simulation to improve the scale of your response posture, reduce time to value, and further reduce risk.