Incident Response with CloudTrail and Athena

Learn how to effectively respond to incidents in your AWS accounts regardless of whether you are running a single or multi-account setup using CloudTrail Lake and Athena — two native AWS services.

This Incident Response (IR) course simulates attacks against your AWS environments that have been seen in the real-world. After simulating attacks, you’ll put on your security analyst hat to respond to the incident. You will then learn how to follow IR playbooks from AWS and eventually even create your own by following NIST’s 4 phases:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post-Incident Activity

You’ll learn how to gather information to understand what’s going on and what resources are involved, and how to properly contain the affected resources. You will then take steps to eradicate the threat, recover (and harden) your configurations, and put together a report that you can turn into an updated playbook specific to your environments and use cases.

The attack scenarios and end-to-end projects include:

  • IAM credentials exposure to S3 backdoor and data exfiltration
  • IAM credentials exposure to EC2 cryptomining

The final section of the course will then show you how to take what you’ve learned and apply it to multi-account setups.

This course is now available in Early Access, which means that a lot of content has been added and you can enroll, but not all of the content is yet available. Some lessons may also be text-only while videos are being created.

Christophe · January 24, 2024


  • Introduction -> Available
  • Preparing your AWS account -> Available
  • Incident Response with CloudTrail Lake -> Available
  • Incident Response with Athena -> Available
  • Incident Response for multi-account -> not yet available, but coming mid-May

Who is it for?

🔵 Anyone interested in learning about AWS Incident Response (IR). You will pick up new skills that can be applied directly on the job for both security and operational troubleshooting purposes.

🔴 This course will also help red teamers since it will show how your actions get logged and can be used in investigations. Understanding that is critical to reducing your footprint and avoiding detection.

What will you learn?

  • How to enable Identity Center for user and role management
  • How to configure and use CloudTrail Lake for IR
  • How to craft SQL queries to find the information you need
  • How to configure and use Athena for IR
  • How to write & use scripts to simulate attacks and test defenses

What makes this course different

🛠️ Hands-On and Practical: This course has very little theory and a whole lot of practical. Get ready to learn by deploying resources, configuring those resources, simulating attacks, and running queries to get to the bottom of an incident.

💎 Production quality: We’ve been developing cloud and security training material for over 8 years and have taught hundreds of thousands of IT professionals all the way from individuals to Fortune 500 companies. Our production quality is top-notch and not only reflects expert experience but focuses on building practical skills.

Recommended Pre-Requisites

About the Author

This course was created, developed, and published by Christophe Limpalair. Christophe is the founder and an author at Cybr, where he’s published many courses on topics of ethical hacking. Over the past 8 years, Christophe has taught multiple AWS courses including associate and professional-level AWS certification courses, and helped tens of thousands of learners get certified and build practical skills. He also helped pioneer, develop, maintain, and secure Linux Academy’s Hands-On Labs and Assessments technology which ran as a $1m+ budget on AWS, and which has since become the lab platform used by Pluralsight. He shares his AWS security expertise in this course to help you get started learning how to secure your own AWS resources and environments.

  • Lab repository and files

Course Content


Preparing your AWS account
Incident Response with CloudTrail Lake
Incident Response with Athena
Incident Response for multi-account

About Instructor


18 Courses

Not Enrolled

Course Includes

  • 49 Lessons