Incident Response Flashcards
What is an AWS abuse report?
An email sent by AWS to the owner of infrastructure that is thought to be abused (for example, hosting malware or scanning other networks); the owner has 24 hours to respond.
Which AWS services do not require advance permission for penetration testing?
EC2 instances, NAT gateways and Elastic Load Balancers
RDS
CloudFront
Aurora
API Gateway
Lambda and Lambda@Edge functions
Lightsail
Elastic Beanstalk
What types of penetration testing are prohibited on AWS?
DNS zone walking via Route 53 hosted zones
DoS and DDoS (including simulated attacks)
Port flooding
Protocol flooding
Request flooding
What are the steps to take for a compromised EC2 instance?
Capture the instance metadata (describe-instances output) before changing anything
Enable termination protection so the evidence cannot be deleted
Isolate the instance by replacing its security groups with a quarantine group that has no inbound or outbound rules
Detach the instance from its Auto Scaling group so it is not recycled
Remove the instance from the ELB
Snapshot the attached EBS volumes for analysis
Tag the instance as infected
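The containment steps above as a single AWS CLI script. This is an added example, not part of the original flashcards or of any AWS tooling. It assumes the AWS CLI is configured with permissions for ec2, autoscaling and elbv2; that the instance, if load-balanced, sits behind ALB/NLB target groups (classic ELB is not handled); and that the instance ID, VPC ID and quarantine security group ID passed in are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example: contain a compromised EC2 instance with the AWS CLI, in the
# order the flashcard lists. Not from the original page; assumes a configured
# AWS CLI with ec2/autoscaling/elbv2 rights and ALB/NLB target groups.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-./ir-evidence}"

# Create a quarantine security group with no rules at all. A freshly created
# group carries a default allow-all egress rule, so it is revoked explicitly.
create_quarantine_sg() {
  vpc_id="$1"
  sg_id="$(aws ec2 create-security-group --group-name "ir-quarantine-$(date +%s)" \
      --description "IR quarantine: no inbound, no outbound" --vpc-id "$vpc_id" \
      --query GroupId --output text)"
  aws ec2 revoke-security-group-egress --group-id "$sg_id" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
  printf '%s\n' "$sg_id"
}

# Run the containment steps against one instance.
contain_ec2_instance() {
  instance_id="$1"
  quarantine_sg="$2"
  mkdir -p "$EVIDENCE_DIR"

  # 1. Capture instance metadata before anything is changed.
  aws ec2 describe-instances --instance-ids "$instance_id" \
      > "$EVIDENCE_DIR/$instance_id-describe-instances.json"

  # 2. Termination protection: nobody, including automation, deletes the evidence.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --disable-api-termination

  # 3. Isolate: replace every attached security group with the rule-less quarantine group.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$quarantine_sg"

  # 4. Detach from its Auto Scaling group (if any) without lowering desired capacity,
  #    so the ASG launches a clean replacement and does not recycle this instance.
  asg="$(aws autoscaling describe-auto-scaling-instances --instance-ids "$instance_id" \
      --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text)"
  if [ -n "$asg" ] && [ "$asg" != "None" ]; then
    aws autoscaling detach-instances --instance-ids "$instance_id" \
        --auto-scaling-group-name "$asg" --no-should-decrement-desired-capacity
  fi

  # 5. Deregister from every target group that currently lists this instance.
  for tg in $(aws elbv2 describe-target-groups --query 'TargetGroups[].TargetGroupArn' --output text); do
    member="$(aws elbv2 describe-target-health --target-group-arn "$tg" \
        --query "TargetHealthDescriptions[?Target.Id=='$instance_id'].Target.Id" --output text)"
    if [ -n "$member" ] && [ "$member" != "None" ]; then
      aws elbv2 deregister-targets --target-group-arn "$tg" --targets "Id=$instance_id"
    fi
  done

  # 6. Snapshot every attached EBS volume for offline analysis, tagged with the instance ID.
  for vol in $(aws ec2 describe-volumes --filters "Name=attachment.instance-id,Values=$instance_id" \
      --query 'Volumes[].VolumeId' --output text); do
    aws ec2 create-snapshot --volume-id "$vol" --description "IR evidence from $instance_id" \
        --tag-specifications "ResourceType=snapshot,Tags=[{Key=Incident,Value=$instance_id}]"
  done

  # 7. Tag the instance so nobody reuses it.
  aws ec2 create-tags --resources "$instance_id" --tags Key=Status,Value=infected
}

# Usage (placeholder IDs): INSTANCE_ID=i-0123456789abcdef0 QUARANTINE_SG=sg-0123456789abcdef0 sh contain-ec2.sh
if [ -n "${INSTANCE_ID:-}" ] && [ -n "${QUARANTINE_SG:-}" ]; then
  contain_ec2_instance "$INSTANCE_ID" "$QUARANTINE_SG"
fi
```

The quarantine group is swapped in rather than edited so the original groups stay untouched as evidence; the ASG is detached with desired capacity kept so service is restored by a clean replacement while the suspect instance is preserved.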
What are the steps to take for a compromised S3 bucket?
Identify the resource (GuardDuty findings)
Identify the cause (Detective and/or CloudTrail)
Secure the bucket: bucket policy, ACLs, VPC endpoints, etc.
What are the steps to take for a compromised ECS cluster?
Identify the resource (GuardDuty findings)
Identify the source of the compromise
Isolate using security groups that deny all inbound and outbound traffic
Evaluate for malicious activity such as malware
What are the steps to take for a compromised standalone container?
Identify the resource (GuardDuty findings)
Isolate with security groups
Suspend all processes within the container, or stop the container and examine the EBS snapshots retained by GuardDuty (Malware Protection)
Evaluate for the presence of malicious activity
What are the steps to take for a compromised RDS instance?
Identify the instance or user with GuardDuty
Restrict access with security groups and NACLs
Rotate the user's password
Review the database audit log for leaked data
Secure the instance: Secrets Manager to rotate the password, IAM database authentication to manage DB user access without passwords
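The RDS steps above as an AWS CLI script, added here as an example; it is not part of the original flashcards or of any AWS tooling. Assumptions: a configured AWS CLI with rds permissions, a pre-created quarantine security group that admits only the responders' address range, a MySQL or PostgreSQL engine (the log download works for engines that expose log files), and placeholder instance and group IDs. Password rotation is done by handing the master password to RDS-managed Secrets Manager (which generates a new one) or, if it is already managed, by requesting a rotation; IAM database authentication is switched on at the end, and the DB users and the rds-db:connect IAM policy that go with it are left to the operator.

```shell
#!/bin/sh
# Added example: restrict, rotate, collect logs from and harden a compromised
# RDS instance. Not from the original page; assumes a configured AWS CLI with
# rds rights and a pre-created quarantine security group (placeholder IDs).
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-./ir-evidence}"

# Download every database log file RDS still holds so the audit trail can be
# reviewed offline for signs of data leakage. Slashes in log names become '_'.
collect_rds_logs() {
  db_id="$1"
  mkdir -p "$EVIDENCE_DIR/$db_id"
  for log in $(aws rds describe-db-log-files --db-instance-identifier "$db_id" \
      --query 'DescribeDBLogFiles[].LogFileName' --output text); do
    aws rds download-db-log-file-portion --db-instance-identifier "$db_id" \
        --log-file-name "$log" --starting-token 0 --output text \
        > "$EVIDENCE_DIR/$db_id/$(printf '%s' "$log" | tr '/' '_')"
  done
}

contain_rds_instance() {
  db_id="$1"
  quarantine_sg="$2"

  # 1. Restrict network access: only the quarantine group (responders' CIDR) remains.
  aws rds modify-db-instance --db-instance-identifier "$db_id" \
      --vpc-security-group-ids "$quarantine_sg" --apply-immediately

  # 2. Rotate the master password through Secrets Manager. Turning on RDS-managed
  #    passwords generates and stores a new one; if it is already managed, ask for
  #    a rotation instead (the two flags cannot be combined in one call).
  secret_arn="$(aws rds describe-db-instances --db-instance-identifier "$db_id" \
      --query 'DBInstances[0].MasterUserSecret.SecretArn' --output text)"
  if [ -z "$secret_arn" ] || [ "$secret_arn" = "None" ]; then
    aws rds modify-db-instance --db-instance-identifier "$db_id" \
        --manage-master-user-password --apply-immediately
  else
    aws rds modify-db-instance --db-instance-identifier "$db_id" \
        --rotate-master-user-password --apply-immediately
  fi

  # 3. Preserve the database logs for the leaked-data review.
  collect_rds_logs "$db_id"

  # 4. Enable IAM database authentication so DB users can be managed without passwords.
  aws rds modify-db-instance --db-instance-identifier "$db_id" \
      --enable-iam-database-authentication --apply-immediately
}

# Usage (placeholder IDs): DB_ID=prod-db QUARANTINE_SG=sg-0123456789abcdef0 sh contain-rds.sh
if [ -n "${DB_ID:-}" ] && [ -n "${QUARANTINE_SG:-}" ]; then
  contain_rds_instance "$DB_ID" "$QUARANTINE_SG"
fi
```

After rotation the application still holds the old credential; it has to read the new one from Secrets Manager (or be moved to IAM authentication) before service resumes, and the security group swap should be reverted only once that is done.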