CoursesAdvanced cloud securityDetection, logging & response

Cloud incident response & forensics

Isolation, snapshots, credential compromise, and runbooks.

Expert35 min · lesson 12 of 15

Cloud incident response is a race between the attacker and your ability to contain, understand, and evict them — run on infrastructure that is all API calls and short-lived credentials. The winning move is a rehearsed runbook that contains the threat without destroying the evidence you need to understand it.

Contain without destroying evidence

The instinct to terminate a compromised instance is usually wrong: termination wipes memory and can discard the disk, erasing the forensic record. Instead, isolate it — move it to a quarantine security group that blocks all traffic, detach it from load balancers and auto-scaling, revoke its role sessions — then snapshot the disk (and capture memory if you can) before any destructive action. You contain the blast radius while preserving what happened.

isolate and preserve, in order
# 1. Quarantine: swap to a security group that allows nothing in or out.
aws ec2 modify-instance-attribute --instance-id i-0abc --groups sg-quarantine
# 2. Detach from serving so it stops taking traffic.
aws autoscaling detach-instances --instance-ids i-0abc \
--auto-scaling-group-name web-asg --should-decrement-desired-capacity
# 3. Revoke the workload's credentials everywhere (invalidate active sessions).
aws iam put-role-policy --role-name app-role --policy-name kill \
--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"DateLessThan":{"aws:TokenIssueTime":"2026-01-01T00:00:00Z"}}}]}'
# 4. THEN preserve evidence — snapshot the disk before anything destructive.
aws ec2 create-snapshot --volume-id vol-0abc --description "IR-8891 evidence"

The credential-compromise runbook

For a leaked key or token the sequence is: disable/revoke the credential and invalidate active sessions; reconstruct everything it did from the audit trail; then hunt for persistence, because a competent attacker plants a second way in. Look for new IAM users or access keys, altered trust policies, new roles, resources spun up in unusual regions, and disabled logging. Rotate what was exposed, remove the persistence, and only then restore. Rehearse this as a drill so the first time you run it is not during a real incident.

Cloud IR phases
stop the bleeding
contain
quarantine, detach, revoke sessions
preserve
snapshot disk/memory before destroying
understand
investigate
reconstruct activity from the trail
hunt persistence
new users, keys, trust, regions
restore
eradicate + rotate
remove footholds, rotate secrets
recover
rebuild clean, then reconnect
Contain first, preserve second, understand third. Skipping persistence-hunting is how attackers walk back in an hour later.
Terminating first destroys the investigation
Killing a compromised instance feels decisive but discards volatile memory and, often, the disk — the very evidence that tells you what was taken and whether they still have access. Isolate and snapshot before you destroy; a contained instance is harmless and a preserved one is answerable.