Conjured up a presentation for the November AWS Sacramento meetup on the native tooling and infrastructure available for incident response in AWS. The presentation was not recorded, but I’ve included the slides at the bottom of this post. Essentially, I walk through the range of incident response infrastructure, from absolutely nothing all the way to automating large parts of analysis and containment. For organizations that don’t have a dedicated security team, my recommendation is the minimal implementation: enable GuardDuty and route its findings to an SNS topic, so that someone is at least notified when something suspicious happens in the account.
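The "GuardDuty plus SNS" minimum works because GuardDuty publishes every finding as a CloudWatch Events (now EventBridge) event, and a rule with an event pattern forwards matching findings to an SNS topic. The module below is an added example, not code from the post or from the aws-incident-response-bootstrap repository: it holds the event pattern you would pass to the rule, a small matcher that reproduces EventBridge's exact-value and `numeric` filtering so the rule can be exercised offline, and the subject/body that would be handed to `sns.publish()`. The topic ARN, the severity threshold of 4 and both sample findings are constructed assumptions; the finding type names and the event shape follow the GuardDuty finding format.

```python
"""Minimal GuardDuty -> EventBridge rule -> SNS alerting, simulated offline.

Added example (not from the post or the bootstrap repo). Topic ARN, threshold
and sample findings are assumptions; the event shape follows GuardDuty's.
"""
import json

# GuardDuty severities: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9.
# Alerting at >= 4 keeps port-probe noise out of a small team's inbox (assumption).
SEVERITY_THRESHOLD = 4.0
TOPIC_ARN = "arn:aws:sns:us-west-2:123456789012:guardduty-alerts"  # constructed

# The event pattern for the rule, i.e. the JSON given to
# `aws events put-rule --event-pattern`. GuardDuty findings arrive with
# source "aws.guardduty" and detail-type "GuardDuty Finding".
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", SEVERITY_THRESHOLD]}]},
}

_NUMERIC_OPS = {
    "=": lambda v, b: v == b, ">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b, "<=": lambda v, b: v <= b,
}


def _value_matches(value, matchers):
    """Subset of EventBridge matching: exact values and the `numeric` operator."""
    for matcher in matchers:
        if isinstance(matcher, dict) and "numeric" in matcher:
            spec = matcher["numeric"]  # e.g. [">=", 4] or [">", 0, "<=", 5]
            if not isinstance(value, (int, float)) or isinstance(value, bool):
                continue
            if all(_NUMERIC_OPS[spec[i]](value, spec[i + 1])
                   for i in range(0, len(spec), 2)):
                return True
        elif value == matcher:
            return True
    return False


def matches_pattern(event, pattern=EVENT_PATTERN):
    """True if the event satisfies every key of the pattern (recursive on dicts)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True


def build_notification(event, topic_arn=TOPIC_ARN):
    """Return kwargs for boto3's sns.publish(), or None if the rule would not fire."""
    if not matches_pattern(event):
        return None
    d = event["detail"]
    # SNS email subjects must be under 100 characters and contain no line breaks.
    subject = f"[GuardDuty sev {d['severity']}] {d['type']}"[:99]
    body = {
        "account": d["accountId"], "region": d["region"], "type": d["type"],
        "severity": d["severity"], "title": d["title"], "resource": d["resource"],
        "finding_id": d["id"], "time": event["time"],
    }
    return {"TopicArn": topic_arn, "Subject": subject,
            "Message": json.dumps(body, indent=2)}


def _finding(finding_type, severity, title):
    """Build a constructed GuardDuty finding in the EventBridge envelope."""
    return {
        "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": "123456789012", "time": "2019-11-20T01:02:03Z", "region": "us-west-2",
        "detail": {
            "accountId": "123456789012", "region": "us-west-2",
            "id": "abcdef0123456789abcdef0123456789", "type": finding_type,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": "i-0abc123def456789a"}},
            "severity": severity, "title": title,
        },
    }


# Constructed samples: a Low port probe (suppressed) and a High credential
# exfiltration (alerted).
LOW_FINDING = _finding("Recon:EC2/PortProbeUnprotectedPort", 2,
                       "Unprotected port on EC2 instance is being probed.")
HIGH_FINDING = _finding("UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", 8,
                        "Instance credentials are being used from outside AWS.")

if __name__ == "__main__":
    for ev in (LOW_FINDING, HIGH_FINDING):
        print(ev["detail"]["type"], "->", "ALERT" if build_notification(ev) else "suppressed")
```

In a real deployment the filtering happens in the rule, not in code: the SNS topic is the rule's target and nothing else runs. The matcher is here only so the threshold and the message format can be checked against findings before anything is wired up; raising the threshold to 7 turns this into a high-only pager, lowering it to 0 mirrors everything GuardDuty emits.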
I’ve created a GitHub repository with a CDK implementation of the various architectures: rjulian/aws-incident-response-bootstrap.