AWS Forensics & Incident Response Training

Forensic Labs
Apr 10, 2023

--

Welcome to the next free cloud forensics and incident response training video! This time the topic is other training available for AWS forensics and incident response.

We’ve built a platform to perform incident response and forensics in AWS/Azure/GCP — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

AWS Incident Response Playbooks

Via: catalog.workshops.aws

Unauthorized IAM Credential Use — Simulation and Detection

During this workshop, you will simulate the unauthorized use of IAM credentials using a script invoked within AWS CloudShell. The script will perform reconnaissance and privilege escalation activities that have been commonly seen by the AWS CIRT (Customer Incident Response Team) and are typically performed during similar events of this nature. You will then be introduced to some of the tools and processes that the AWS CIRT uses, and learn how to use these tools to find evidence of unauthorized activity.

Ransomware on S3 — Simulation and Detection

During this workshop, you will use a CloudFormation template to replicate an environment with multiple IAM users and five (5) Amazon S3 buckets. AWS CloudShell will then be used to run a bash script that will simulate data exfiltration and data deletion events that replicate a ransomware-based security event. You will then be introduced to some of the tools and processes that the AWS CIRT (Customer Incident Response Team) uses in response to similar events, and learn how to use these tools to find evidence of unauthorized activity.

Cryptominer Based Security Events — Simulation and Detection

During this workshop, you will simulate a cryptomining security event by using a CloudFormation template to initialize five EC2 instances. These five EC2 instances will mimic cryptomining activity by performing DNS requests to known cryptomining domains. You will then be introduced to some of the tools and processes that the AWS CIRT (Customer Incident Response Team) uses in response to similar events, and learn how to use these tools to find evidence of unauthorized activity.

SSRF on IMDSv1 — Simulation and Detection

During this workshop, you will simulate the unauthorized use of a web application that is hosted on an AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service Version 1) and is vulnerable to SSRF (Server Side Request Forgery). You will then walk through some of the detection activities that the AWS CIRT (Customer Incident Response Team) performs when responding to security events of this nature.

AWS CIRT Toolkit For Incident Response Preparedness

During this workshop, you will install and experiment with some common tools and utilities that the AWS CIRT (Customer Incident Response Team) uses on a daily basis. The AWS CIRT uses these tools to detect security misconfigurations, respond to active events, and assist customers with protecting their infrastructure.

(Mostly Athena…)
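To make the four simulated events above concrete, here is the kind of detection logic the CIRT workshops have you build, as an added example that is not code from the AWS workshops or from the original post. It runs over constructed CloudTrail records and constructed Route 53 Resolver query-log lines (the account ID, access key IDs, IP addresses, instance IDs and the `miner.example` domain are placeholders, not real indicators) and flags a reconnaissance burst followed by a privilege-escalation call, a mass S3 delete, instance-role credentials used from an IP that is not the instance's own (the IMDSv1/SSRF theft signature), and DNS lookups of a suspect domain. In the workshops the same checks are Athena queries over the CloudTrail table; the thresholds here are assumptions you would tune to your environment.

```python
"""Detections for the simulated events above, over constructed sample records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2023, 4, 10, 10, 0, 0)
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebAppRole/i-0123456789abcdef0"
# Instance ID -> IPs its role credentials are expected to be used from (constructed).
KNOWN_INSTANCE_IPS = {"i-0123456789abcdef0": {"198.51.100.10"}}
SUSPECT_DOMAINS = {"miner.example"}  # placeholder, not a real mining-pool list
PRIVESC = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy", "AttachRolePolicy",
           "PutUserPolicy", "PutRolePolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion",
           "UpdateAssumeRolePolicy", "AddUserToGroup"}


def ct(offset_s, name, source, key, ip, utype="IAMUser", arn=None, params=None):
    """Build a minimal CloudTrail record; only the fields the detections read."""
    return {"eventTime": (T0 + timedelta(seconds=offset_s)).strftime(ISO),
            "eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": utype, "accessKeyId": key,
                             "arn": arn or f"arn:aws:iam::123456789012:user/{key}"},
            "requestParameters": params or {}}


RECON = [("ListUsers", "iam"), ("ListRoles", "iam"), ("ListPolicies", "iam"),
         ("GetAccountAuthorizationDetails", "iam"), ("ListBuckets", "s3"),
         ("DescribeInstances", "ec2"), ("DescribeSecurityGroups", "ec2"), ("DescribeVpcs", "ec2"),
         ("ListFunctions", "lambda"), ("ListSecrets", "secretsmanager"),
         ("GetCallerIdentity", "sts"), ("ListAccessKeys", "iam")]

SAMPLE_EVENTS = (
    # Leaked key: one recon call every 10 s, then a privilege-escalation call.
    [ct(i * 10, n, f"{s}.amazonaws.com", "AKIAEXAMPLE001", "203.0.113.7")
     for i, (n, s) in enumerate(RECON)]
    + [ct(150, "CreateAccessKey", "iam.amazonaws.com", "AKIAEXAMPLE001", "203.0.113.7",
          params={"userName": "admin"})]
    # Ransomware-style deletes from a second key.
    + [ct(300 + i, "DeleteObject", "s3.amazonaws.com", "AKIAEXAMPLE002", "203.0.113.9",
          params={"bucketName": "prod-backups", "key": f"db-{i}.bak"}) for i in range(6)]
    # Instance-role credentials: one call from the instance, one from elsewhere.
    + [ct(400, "ListBuckets", "s3.amazonaws.com", "ASIAEXAMPLE003", "198.51.100.10",
          utype="AssumedRole", arn=ROLE_ARN),
       ct(420, "ListBuckets", "s3.amazonaws.com", "ASIAEXAMPLE003", "203.0.113.7",
          utype="AssumedRole", arn=ROLE_ARN)])

# Constructed Route 53 Resolver query-log lines (field names follow that format).
RESOLVER_LOGS = [json.dumps({"query_name": q, "query_type": "A", "srcaddr": ip,
                             "srcids": {"instance": inst}})
                 for q, ip, inst in [("pool.miner.example.", "10.0.1.5", "i-0aaa"),
                                     ("amazonaws.com.", "10.0.1.5", "i-0aaa"),
                                     ("eu.pool.miner.example.", "10.0.1.6", "i-0bbb")]]


def actor(ev):
    return ev["userIdentity"].get("accessKeyId") or ev["userIdentity"]["arn"]


def bursts(events, match, window, threshold):
    """{actor: peak count} for actors with >= threshold matching calls in any window."""
    times = defaultdict(list)
    for ev in events:
        if match(ev):
            times[actor(ev)].append(datetime.strptime(ev["eventTime"], ISO))
    hits = {}
    for who, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[who] = max(hits.get(who, 0), hi - lo + 1)
    return hits


def detect_recon(events, window=timedelta(minutes=5), threshold=10):
    return bursts(events, lambda e: e["eventName"].startswith(("List", "Describe", "Get")),
                  window, threshold)


def detect_privesc(events):
    return [(actor(e), e["eventName"], e["requestParameters"]) for e in events
            if e["eventSource"] == "iam.amazonaws.com" and e["eventName"] in PRIVESC]


def detect_s3_deletes(events, window=timedelta(minutes=10), threshold=5):
    deletes = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
    return bursts(events, lambda e: e["eventSource"] == "s3.amazonaws.com"
                  and e["eventName"] in deletes, window, threshold)


def detect_instance_cred_exfil(events, known_ips=KNOWN_INSTANCE_IPS):
    """EC2 names the role session after the instance ID, so a call with such a
    session from an IP that is not the instance's own means the creds left the host."""
    hits = []
    for e in events:
        ui = e["userIdentity"]
        session = ui["arn"].rsplit("/", 1)[-1]
        if (ui["type"] == "AssumedRole" and session.startswith("i-")
                and e["sourceIPAddress"] not in known_ips.get(session, set())):
            hits.append((session, e["sourceIPAddress"], e["eventName"]))
    return hits


def detect_mining_dns(lines, suspect=SUSPECT_DOMAINS):
    hits = []
    for line in lines:
        rec = json.loads(line)
        name = rec["query_name"].lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in suspect):
            hits.append((rec["srcids"].get("instance"), name))
    return hits


if __name__ == "__main__":
    for fn in (detect_recon, detect_privesc, detect_s3_deletes, detect_instance_cred_exfil):
        print(fn.__name__, fn(SAMPLE_EVENTS))
    print("detect_mining_dns", detect_mining_dns(RESOLVER_LOGS))
```

Two caveats when you take this beyond sample data. The off-host credential check needs the IPs an instance actually egresses from (its public or NAT address; a private address when it calls through a VPC endpoint), and CloudTrail puts a service DNS name rather than an IP in `sourceIPAddress` when an AWS service calls on the instance's behalf, so build an allow-list rather than treating every mismatch as theft; GuardDuty's InstanceCredentialExfiltration findings cover the same signal. The DNS check only works if Route 53 Resolver query logging is turned on for the VPC, which is not the default.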

Threat Detection and Response with Amazon GuardDuty and Amazon Detective

https://catalog.workshops.aws/guardduty/en-US/0-workshop-introduction#threat-detection-and-response-scenarios

Well Architected Labs: Incident Response

https://www.wellarchitectedlabs.com/security/quests/quest_200_incident_response_day/ (Official AWS Site)

Forensicate.Cloud AWS Training

https://forensicate.cloud/ws1/MODULE_1

SANS 509

https://www.sans.org/cyber-security-courses/enterprise-cloud-forensics-incident-response/

Cado Community Edition

https://www.cadosecurity.com/cado-community-edition/
