# Security Incident Response

Procedures for handling security incidents and compromised credentials.

> **Time-Critical:** Security incidents require immediate action. Bookmark this page and ensure all team members know where to find it. Every minute counts when credentials are compromised.
## Common Incident Types

| Incident | Severity | First Action |
|---|---|---|
| Exposed AWS credentials | CRITICAL | Immediately disable access keys |
| Compromised IAM user | CRITICAL | Disable user, rotate credentials |
| Suspicious API activity | HIGH | Investigate CloudTrail logs |
| Unauthorized resources | HIGH | Terminate resources, investigate origin |
| Data breach suspicion | CRITICAL | Isolate affected resources, preserve logs |
> **Act Immediately:** If you suspect credentials are compromised (committed to Git, exposed in logs, phishing, etc.), follow these steps WITHOUT DELAY.
### Step 1: Disable the Access Key (Immediate)

```console
$ aws iam update-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX --status Inactive --user-name compromised-user
(no output on success)
```

Or via the Console:

- Go to IAM → Users → select the user
- Open the Security credentials tab
- Click Make inactive on the access key
### Step 2: Investigate Unauthorized Activity

```console
$ aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAXXXXXXXXXXXXXXXX \
    --start-time $(date -u -v-24H +%Y-%m-%dT%H:%M:%SZ) \
    --end-time $(date -u +%Y-%m-%dT%H:%M:%SZ)
{
    "Events": [
        {
            "EventTime": "2024-01-15T10:30:00Z",
            "EventName": "RunInstances",
            "Username": "compromised-user",
            "Resources": [{"ResourceName": "i-0abc123..."}]
        }
    ]
}
```

`date -v-24H` is BSD/macOS syntax; on GNU/Linux use `date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ`. `lookup-events` is region-scoped and only returns management events from the last 90 days, so repeat the query in every region the key could have reached, and widen the time window if the exposure may predate the last 24 hours.

### Step 3: Terminate Unauthorized Resources
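Before terminating anything, it helps to turn the raw `lookup-events` JSON from Step 2 into a short triage report: which events indicate persistence or privilege escalation, which resources were created, and from which source IPs. This Python script is an added example, not part of the original runbook; the `HIGH_RISK` and `RESOURCE_CREATING` event lists and the sample events are constructed assumptions, and in practice you would feed it the output of `aws cloudtrail lookup-events ... > events.json`.

```python
import json

# Event names that indicate persistence or privilege escalation (assumed list
# for this example; extend it to match your environment).
HIGH_RISK = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
             "AttachUserPolicy", "PutUserPolicy", "CreateRole",
             "PutBucketPolicy", "DeleteTrail", "StopLogging"}
# Events that create resources a responder may need to terminate (Step 3).
RESOURCE_CREATING = {"RunInstances", "CreateFunction", "CreateCluster"}

def triage(lookup_output: str) -> dict:
    """Summarise `aws cloudtrail lookup-events` JSON into a triage report."""
    events = json.loads(lookup_output)["Events"]
    report = {"high_risk": [], "created_resources": [],
              "by_event": {}, "source_ips": set()}
    # Sort oldest first so high_risk reads as a timeline.
    for ev in sorted(events, key=lambda e: e["EventTime"]):
        name = ev["EventName"]
        report["by_event"][name] = report["by_event"].get(name, 0) + 1
        # CloudTrailEvent is the full record, embedded as a JSON string.
        detail = json.loads(ev.get("CloudTrailEvent", "{}"))
        if detail.get("sourceIPAddress"):
            report["source_ips"].add(detail["sourceIPAddress"])
        if name in HIGH_RISK:
            report["high_risk"].append((ev["EventTime"], name))
        if name in RESOURCE_CREATING:
            for res in ev.get("Resources", []):
                report["created_resources"].append(res["ResourceName"])
    return report

# Constructed sample in the shape of `aws cloudtrail lookup-events` output.
SAMPLE = json.dumps({"Events": [
    {"EventTime": "2024-01-15T10:30:00Z", "EventName": "RunInstances",
     "Username": "compromised-user",
     "Resources": [{"ResourceType": "AWS::EC2::Instance",
                    "ResourceName": "i-0abc123"}],
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "198.51.100.7"})},
    {"EventTime": "2024-01-15T10:25:00Z", "EventName": "CreateAccessKey",
     "Username": "compromised-user", "Resources": [],
     "CloudTrailEvent": json.dumps({"sourceIPAddress": "198.51.100.7"})},
    {"EventTime": "2024-01-15T09:00:00Z", "EventName": "DescribeInstances",
     "Username": "compromised-user", "Resources": []},
]})

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("Review first:", r["high_risk"])
    print("Resources to terminate:", r["created_resources"])
    print("Source IPs:", sorted(r["source_ips"]))
```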
```bash
# List EC2 instances created by the compromised user.
# Note: this tag filter only finds instances that were tagged at launch; an
# attacker's instances usually carry no tags, so also use the instance IDs
# from the RunInstances events found in Step 2.
aws ec2 describe-instances --filters "Name=tag:CreatedBy,Values=compromised-user" \
    --query "Reservations[].Instances[].InstanceId"

# Terminate suspicious instances
aws ec2 terminate-instances --instance-ids i-0abc123 i-0def456

# Check for Lambda functions (or list them all and compare against your inventory)
aws lambda list-functions --query "Functions[?contains(FunctionName, 'suspicious')]"

# Check for new IAM users/roles created since the incident started
aws iam list-users --query "Users[?CreateDate>'2024-01-15']"
aws iam list-roles --query "Roles[?CreateDate>'2024-01-15']"
```

### Step 4: Create New Credentials
```console
$ aws iam create-access-key --user-name compromised-user
{
    "AccessKey": {
        "UserName": "compromised-user",
        "AccessKeyId": "AKIANEWKEYXXXXXXXX",
        "SecretAccessKey": "NEW_SECRET_KEY_HERE"
    }
}
```

### Step 5: Delete Old Access Key
```console
$ aws iam delete-access-key --access-key-id AKIAXXXXXXXXXXXXXXXX --user-name compromised-user
(no output on success)
```
### Step 6: Update Applications

```bash
# Update secrets in Secrets Manager
aws secretsmanager update-secret \
    --secret-id my-app/aws-credentials \
    --secret-string '{"access_key":"AKIANEWKEY...","secret_key":"NEW_SECRET..."}'

# Or update in Copilot
copilot secret init --name AWS_ACCESS_KEY_ID --values staging=AKIANEWKEY...
copilot secret init --name AWS_SECRET_ACCESS_KEY --values staging=NEW_SECRET...

# Redeploy services
copilot svc deploy --name frontend --env staging
```

## CloudTrail Queries
```bash
# Find all API calls in the last 24 hours
aws cloudtrail lookup-events \
    --start-time $(date -u -v-24H +%Y-%m-%dT%H:%M:%SZ) \
    --max-results 50

# Find specific actions (e.g., IAM changes)
aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser

# Find actions by a specific user
aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=Username,AttributeValue=suspicious-user

# Find console logins
aws cloudtrail lookup-events \
    --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin
```

## GuardDuty Findings
```console
$ aws guardduty list-findings --detector-id YOUR_DETECTOR_ID --finding-criteria '{"Criterion":{"severity":{"Gte":7}}}'
{
    "FindingIds": ["abc123...", "def456..."]
}
```

```console
$ aws guardduty get-findings --detector-id YOUR_DETECTOR_ID --finding-ids abc123...
{
    "Findings": [{
        "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
        "Severity": 8,
        "Description": "EC2 instance credentials were used from an external IP"
    }]
}
```

### Enable GuardDuty
If not already enabled, GuardDuty provides intelligent threat detection. Detectors are per region, so enable one in every region you use.

```bash
aws guardduty create-detector --enable
```

## Post-Incident Security Checklist

```text
POST-INCIDENT SECURITY CHECKLIST

□ IMMEDIATE ACTIONS (First Hour)
  □ Disabled/rotated compromised credentials
  □ Terminated unauthorized resources
  □ Preserved CloudTrail logs for forensics
  □ Notified security team and management

□ INVESTIGATION (First 24 Hours)
  □ Reviewed all CloudTrail events for compromised credentials
  □ Checked for new IAM users, roles, or policies
  □ Verified no unauthorized EC2/Lambda/ECS resources
  □ Checked for S3 bucket policy changes
  □ Reviewed network configurations (security groups, NACLs)
  □ Checked for data exfiltration (S3 access logs, CloudWatch)

□ REMEDIATION (24-72 Hours)
  □ Rotated ALL potentially affected credentials
  □ Enabled MFA on all IAM users (if not already)
  □ Reviewed and tightened IAM policies
  □ Updated secrets in applications
  □ Verified all services are functional with new credentials

□ PREVENTION (Week After)
  □ Documented incident timeline and lessons learned
  □ Updated security policies and procedures
  □ Implemented additional monitoring/alerting
  □ Conducted team security awareness training
  □ Reviewed credential management practices
```

## Emergency Contacts
> **Update This Section:** Replace these placeholders with your actual emergency contacts.

```text
SECURITY INCIDENT CONTACTS

Primary Security Contact:
  Name:  [Your Security Lead]
  Phone: [Phone Number]
  Email: security@yourcompany.com

AWS Account Owner:
  Name:  [Account Owner]
  Phone: [Phone Number]
  Email: [Email]

AWS Support (Enterprise/Business):
  https://console.aws.amazon.com/support/
  Phone: [Your AWS Support Number]
```

For critical security incidents, also consider:

- AWS Abuse Report: abuse@amazonaws.com
- AWS Trust & Safety: https://aws.amazon.com/security/