
About the course

Christophe January 24, 2024

Welcome to Cybr’s Incident Response with CloudTrail and Athena course!

This course is designed to equip you with the knowledge and skills necessary to effectively use AWS CloudTrail data for responding to incidents in your AWS accounts regardless of whether you are running a single or multi-account setup.

Preparing your AWS account

In the first section of this course, we’ll prep your AWS account for our lab scenarios. First, we’ll talk about and create the multiple roles we will need and use throughout the course, both to follow the principle of least privilege and to learn how to quickly and effectively get the permissions you need to:

  • Analyze
  • Contain
  • Eradicate
  • Recover

as you respond to a real-world incident.

Instead of using IAM Users, Groups, and Roles, we will be enabling AWS IAM Identity Center, which is the preferred method of managing users and access to your AWS accounts, regardless of whether you are using one single account or many.

If you don’t have experience with Identity Center, don’t worry, I’ll walk you through it step-by-step.

Simulating an S3 backdoor and data exfil

In the second section, we’ll deploy lab resources and run a simulated incident involving an S3 bucket, sensitive data stored in that bucket, and a threat actor who used compromised credentials to create an S3 backdoor and exfiltrate sensitive customer data.

You will learn how to configure event data stores and query log data using CloudTrail Lake to properly analyze the incident and gather enough information to understand exactly what happened, what resources were involved, and what the next steps need to be.

Lake is a feature of CloudTrail that lets you query CloudTrail log data using SQL, which makes it really easy to jump in and investigate issues, run audits, or investigate a reported incident.

In this section of the course, you will learn hands-on how to write, run, and edit SQL queries to find the information you need to analyze the event and understand the scope of the incident and how you or your team need to respond.
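As an added illustration (not a query from the course itself), this is the kind of CloudTrail Lake SQL you would write when analyzing the S3 backdoor scenario: it lists every S3 permission change in the event data store, together with the principal, access key, source IP, and user agent behind it. The `<event-data-store-id>` and the start time are placeholders you replace with your own; the `userIdentity` fields, `element_at(requestParameters, ...)` and the S3 event names are the real Lake schema and S3 API names.

```sql
-- Added example, not course material: find S3 bucket-policy, ACL and
-- Public Access Block changes that could have opened a backdoor.
-- <event-data-store-id> is a placeholder for your own event data store ID.
SELECT
    eventTime,
    eventName,
    userIdentity.arn                             AS principal_arn,
    userIdentity.accessKeyId                     AS access_key,
    sourceIPAddress,
    userAgent,
    element_at(requestParameters, 'bucketName')  AS bucket
FROM <event-data-store-id>
WHERE eventSource = 's3.amazonaws.com'
  AND eventName IN (
        'PutBucketPolicy',
        'DeleteBucketPolicy',
        'PutBucketAcl',
        'PutBucketPublicAccessBlock',
        'DeleteBucketPublicAccessBlock'
  )
  -- Placeholder time window; scope it to the period under investigation.
  AND eventTime > '2024-01-01 00:00:00'
ORDER BY eventTime DESC;
```

Pivoting on `access_key` and `sourceIPAddress` from the results is how you scope the incident: the same access key showing up on `GetObject` data events (which requires S3 data events to be enabled in the event data store) tells you what was read, and an unfamiliar IP or user agent on the policy change tells you the credentials were likely used from outside your environment.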

We’ll then assume the appropriate roles to contain the affected resources, eradicate the threat, recover, and harden the affected account and resources.

After that, we’ll debrief by writing a report, creating a playbook we can use for future incidents, and documenting lessons learned with recommended actions to prevent this incident from happening again.

Simulating crypto mining

In the following section, we’ll simulate a different breach involving a threat actor and unauthorized cryptocurrency mining. We’ll learn about Amazon Athena and how to use it for incident response in your cloud environment.

The main difference between CloudTrail Lake and Athena is that, although Lake is fairly powerful, its primary benefit is how quickly you can get it up and running. Depending on how much data we’re talking about, Lake can be up and running and providing you with answers within just a few minutes.

Athena, on the other hand, is more powerful but takes longer to set up correctly.

Lake is also more limited in terms of what data you can query, whereas Athena lets you query many different sources, including application and traffic logs stored in S3.

There are other differences, but I’m still working on this section of the course and I’ll share more about this section once it has been fully created and once the course is out of Early Access.

Incident Response for multi-account

Once we’ve run through our incident response scenarios, we’ll wrap up the course by transitioning from single-account to multi-account.

We’ll explore multi-account architecture and deployments, centralizing logs in a Log Archive account, centralizing our security tooling in a Security Tooling account, and transitioning our permission sets and roles from single-account to multi-account.

That way, you can take what you’ve learned from this course and apply it to your multi-account setups.

Playbooks we’ll be referencing throughout the course

As we progress throughout the course, there are playbooks developed and shared by AWS that I will be referencing. While the scenarios, steps, and attack simulations will be a little bit different in this course, I still recommend familiarizing yourself with these public playbooks to give you a general idea of what we’ll be doing, and because they are all around helpful resources.

The first playbook is the IAM credential exposure playbook, and the second is the EC2 crypto mining playbook.

I’ve also created a cheat sheet that graphically represents the first playbook and that you can download:

AWS Incident Response Cheat Sheet for IAM credential exposure

I also recommend going through the content on CloudSec.Cybr for more information on IR, Threat Detection, and more.


Whether you’re a security professional, a cloud architect, or just someone who wants to learn more about AWS security and incident response, this course will provide you with practical techniques and best practices that you can take and apply directly on the job.

This is a practical and hands-on course, so be prepared to roll up your sleeves!

If you have any questions about this course, please reach out in our community. Otherwise, I hope you’re excited to get started and I’ll see you in the course!

