Investigating a security compromise in AWS can be a dizzying prospect. There are (as of writing) over 200 services in AWS. To make matters worse, different services log in different formats to different locations. Some will write to CloudTrail, some to CloudWatch. Others display logs directly in a custom console, or an S3 bucket.
This playbook covers the AWS services you are most likely to encounter during security incidents in AWS. More specifically, it highlights tips for investigating and recovering from incidents in these services, including:
- EC2
- EKS
- ECS
- Lambda
- And more...