Also read Incident Response in GCP

What constitutes an incident in AWS?

A compromised account is an incident, and so is a compromised VM. Each merits a different level of response and requires different tooling to investigate, so it helps to split them up.

EC2 Incidents
EC2 compromises are best detected with GuardDuty. Enabling it is now a single configuration step in the console: it analyzes VPC Flow Logs, DNS logs and CloudTrail for the account with no agent on the instance. GuardDuty only detects, though. The response to a finding (snapshot the volumes for evidence, move the instance into a security group that allows no traffic, protect it from termination) is something you automate on top of its findings, usually by routing them through EventBridge to a Lambda.
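The isolation step described above, written out as an added example that is not part of the original post: the EventBridge payload is a constructed GuardDuty finding with the real field layout and made-up IDs, the severity threshold and tag names are assumptions, and the functions take a boto3 EC2 client as an argument so the same logic runs offline against the FakeEC2 stand-in at the bottom.

```python
"""Contain a GuardDuty EC2 finding: snapshot the volumes, quarantine the instance.

Added example, not from the original post. Takes a boto3 EC2 client as an
argument so the logic can be exercised offline with the FakeEC2 stand-in below;
the severity threshold and naming are assumptions.
"""

# Constructed GuardDuty finding as EventBridge delivers it (real field layout, made-up IDs).
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

ISOLATE_AT_OR_ABOVE = 4.0  # assumed threshold: below this, alert but do not auto-isolate


def triage(event):
    """Return (instance_id, finding_type) for an EC2 instance finding worth isolating, else None."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance" or float(detail.get("severity", 0)) < ISOLATE_AT_OR_ABOVE:
        return None
    return resource["instanceDetails"]["instanceId"], detail["type"]


def isolate_instance(ec2, instance_id, finding_type):
    """Quarantine with boto3 EC2 calls. Order matters: snapshot first so evidence
    predates any change, then cut traffic, then protect against termination."""
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_groups = [g["GroupId"] for g in instance["SecurityGroups"]]

    # 1. Preserve disks before anything on the box can react.
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR evidence {instance_id} {finding_type}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IncidentInstance", "Value": instance_id}]}])
        snapshots.append(snap["SnapshotId"])

    # 2. A new security group has no ingress rule but a default allow-all egress rule;
    #    revoke it, otherwise the "quarantined" host can still reach the internet.
    quarantine = ec2.create_security_group(GroupName=f"quarantine-{instance_id}",
                                           Description="IR quarantine, no traffic",
                                           VpcId=instance["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=quarantine, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine])

    # 3. Keep the instance (and its memory) around for forensics; record how to undo step 2.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IncidentStatus", "Value": "isolated"},
        {"Key": "GuardDutyFinding", "Value": finding_type},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_groups)}])
    return {"quarantine_sg": quarantine, "snapshots": snapshots, "original_groups": original_groups}


def handler(event, ec2):
    """Lambda-style entry point: EventBridge event plus an EC2 client."""
    hit = triage(event)
    if hit is None:
        return {"action": "none"}
    result = isolate_instance(ec2, *hit)
    result["action"] = "isolated"
    return result


class FakeEC2:
    """Offline stand-in for boto3's EC2 client: canned answers, every call recorded."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        canned = {
            "describe_instances": {"Reservations": [{"Instances": [{
                "VpcId": "vpc-0abc", "SecurityGroups": [{"GroupId": "sg-web"}],
                "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-1"}}, {"Ebs": {"VolumeId": "vol-2"}}]}]}]},
            "create_security_group": {"GroupId": "sg-quarantine"},
        }

        def call(**kw):
            self.calls.append((name, kw))
            if name == "create_snapshot":
                return {"SnapshotId": "snap-" + kw["VolumeId"]}
            return canned.get(name, {})
        return call


if __name__ == "__main__":
    # Replace FakeEC2() with boto3.client("ec2") to run against a real account.
    client = FakeEC2()
    print(handler(SAMPLE_EVENT, client))
    print([name for name, _ in client.calls])
```

Two details are easy to get wrong in production versions of this: a freshly created security group still allows all outbound traffic until the default egress rule is revoked, and the original security group IDs need to be recorded somewhere (here, a tag) or nobody can put the instance back once the investigation closes.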
Account Compromise
Account compromises are a little harder, depending on the level of compromise. There is no single tool for them. IAM Access Analyzer is a useful starting point for scoping exposure, since it shows which resources are reachable from outside the account, but the investigation itself starts in CloudTrail: which principals and access keys were used, from which source addresses, and which API calls they made (and which were denied). Containment is deactivating the key or attaching a deny-all policy, not just rotating a password.
There are several other types of incidents: a compromised S3 bucket, leaked IAM credentials, and so on. The starting point for investigating these in AWS is usually Security Hub (the AWS counterpart of GCP's Security Command Center), which aggregates GuardDuty, IAM Access Analyzer, Macie and partner findings, or a tool that reports into it.
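The CloudTrail triage and containment for a leaked access key, covering both the account-compromise and IAM-credential cases above, as an added example that is not part of the original post: the CloudTrail records are constructed (real field layout, made-up key IDs and addresses), the trusted network range, the list of sensitive API calls and the scoring weights are assumptions to adapt per environment, and the IAM client is passed in so the FakeIAM stand-in can replace boto3 offline.

```python
"""Triage a suspected compromised IAM access key from CloudTrail, then contain it.

Added example, not from the original post. The CloudTrail records are
constructed (real field layout, made-up IDs); the trusted network and the list
of sensitive API calls are assumptions to adapt per environment.
"""
import ipaddress
import json
from collections import Counter

# Assumption: legitimate use of this key comes only from the office NAT range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Calls an attacker uses to persist, escalate, or blind the defender (assumed list).
SENSITIVE_CALLS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
}

KEY = "AKIAEXAMPLE000000001"
IDENT = {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": KEY}

# Constructed CloudTrail records: normal daytime use, then the same key from an
# unknown address enumerating, creating a second key, and trying to stop logging.
SAMPLE_RECORDS = [
    {"eventTime": "2024-05-01T08:00:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userIdentity": IDENT},
    {"eventTime": "2024-05-01T22:41:03Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77", "userIdentity": IDENT},
    {"eventTime": "2024-05-01T22:41:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "sourceIPAddress": "198.51.100.77", "userIdentity": IDENT,
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T22:42:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77", "userIdentity": IDENT},
    {"eventTime": "2024-05-01T22:43:01Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.77", "userIdentity": IDENT,
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-01T22:43:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "other", "accessKeyId": "AKIAEXAMPLE000000002"}},
]


def events_for_key(records, access_key_id):
    """Every record where the given key was the credential used."""
    return [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)


def assess_key(records, access_key_id):
    """Summarise what a key did and score it: untrusted source +1, repeated
    AccessDenied (enumeration) +1, a successful sensitive call +2 (assumed weights)."""
    evs = events_for_key(records, access_key_id)
    untrusted_ips = sorted({r["sourceIPAddress"] for r in evs if not is_trusted(r["sourceIPAddress"])})
    denied = Counter(r["eventName"] for r in evs if r.get("errorCode"))
    sensitive_ok = [(r["eventTime"], r["eventName"], r["sourceIPAddress"])
                    for r in evs if r["eventName"] in SENSITIVE_CALLS and not r.get("errorCode")]
    score = (1 if untrusted_ips else 0) + (1 if sum(denied.values()) >= 2 else 0) + (2 if sensitive_ok else 0)
    verdict = "compromised" if score >= 3 else "suspicious" if score else "benign"
    users = {r["userIdentity"].get("userName") for r in evs}
    return {"verdict": verdict, "score": score, "untrusted_ips": untrusted_ips,
            "denied": dict(denied), "sensitive": sensitive_ok, "users": sorted(u for u in users if u)}


# Deny-all inline policy: also blocks the user's other keys and any console
# session, which is what you want while the scope is still unknown.
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def contain_key(iam, user_name, access_key_id):
    """Deactivate (not delete, so the key ID stays searchable in CloudTrail) and
    fence the user with a deny-all policy. `iam` is a boto3 IAM client."""
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    iam.put_user_policy(UserName=user_name, PolicyName="IR-DenyAll",
                        PolicyDocument=json.dumps(DENY_ALL))
    return [f"deactivated {access_key_id}", f"IR-DenyAll attached to {user_name}"]


class FakeIAM:
    """Offline stand-in for boto3's IAM client; records calls for the stand-alone run."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))


if __name__ == "__main__":
    report = assess_key(SAMPLE_RECORDS, KEY)
    print(json.dumps(report, indent=2))
    if report["verdict"] == "compromised":
        # Replace FakeIAM() with boto3.client("iam") for a real containment.
        for user in report["users"]:
            print(contain_key(FakeIAM(), user, KEY))
```

The denied calls are as telling as the successful ones: a legitimate deployment key rarely collects AccessDenied on ListUsers and StopLogging within two minutes. Deactivating rather than deleting the key keeps its ID searchable in CloudTrail for the rest of the investigation.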
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.