Cloud incident response & forensics
Isolation, snapshots, credential compromise, and runbooks.
Cloud incident response is a race between the attacker and your ability to contain, understand, and evict them — run on infrastructure that is all API calls and short-lived credentials. The winning move is a rehearsed runbook that contains the threat without destroying the evidence you need to understand it.
Contain without destroying evidence
The instinct to terminate a compromised instance is usually wrong: termination wipes memory and can discard the disk, erasing the forensic record. Instead, isolate it — move it to a quarantine security group that blocks all traffic, detach it from load balancers and auto-scaling, revoke its role sessions — then snapshot the disk (and capture memory if you can) before any destructive action. You contain the blast radius while preserving what happened.
# 1. Quarantine: swap to a security group that allows nothing in or out.aws ec2 modify-instance-attribute --instance-id i-0abc --groups sg-quarantine# 2. Detach from serving so it stops taking traffic.aws autoscaling detach-instances --instance-ids i-0abc \--auto-scaling-group-name web-asg --should-decrement-desired-capacity# 3. Revoke the workload's credentials everywhere (invalidate active sessions).aws iam put-role-policy --role-name app-role --policy-name kill \--policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*","Condition":{"DateLessThan":{"aws:TokenIssueTime":"2026-01-01T00:00:00Z"}}}]}'# 4. THEN preserve evidence — snapshot the disk before anything destructive.aws ec2 create-snapshot --volume-id vol-0abc --description "IR-8891 evidence"
The credential-compromise runbook
For a leaked key or token the sequence is: disable/revoke the credential and invalidate active sessions; reconstruct everything it did from the audit trail; then hunt for persistence, because a competent attacker plants a second way in. Look for new IAM users or access keys, altered trust policies, new roles, resources spun up in unusual regions, and disabled logging. Rotate what was exposed, remove the persistence, and only then restore. Rehearse this as a drill so the first time you run it is not during a real incident.