Incident Response with CloudTrail and Athena
-
Introduction
Start here! -
About the course
-
Important! Use a separate AWS account for this course
-
Optional but helpful tools
-
[LAB] Enable budget alerting
-
Preparing your AWS accountThe roles we need
-
Enable IAM Identity Center
-
Creating the SecurityAnalyst role
-
Assuming roles created through Identity Center
-
Creating remaining roles
-
Incident Response with CloudTrail LakePlaybook - Compromised IAM access key
-
Configuring CloudTrail Lake
-
Deploying lab resources
-
Simulating an attack - S3 backdoor and data exfil
-
Analysis - Validate
-
Containment - Access Key
-
Analysis - Scope
-
Containment - User and S3 Bucket
-
Analysis - Impact
-
Eradication
-
Recovery
-
Post-incident activity
-
Response Steps & Complete Playbook (Recap)
-
Cleaning up
-
Incident Response with AthenaPlaybook - Cryptocurrency mining
-
Updating our permission sets
-
Configuring our AWS environment
-
Simulating an attack
-
Analysis - Validate
-
Containment - User & Access Key
-
About Athena
-
Configuring Athena
-
Analysis - Scope - Part 1
-
Analysis - Scope - Part 2
-
Analysis - Scope - Part 3
-
Containment - Backdoor User
-
Containment - Instances
-
Analysis - EC2 Forensics
-
Analysis - Impact
-
Eradication
-
Recovery
-
Post-incident activity
-
Response Steps & Complete Playbook (Recap)
-
Cleaning up
-
Incident Response for multi-accountMulti-account architecture for security logging
-
Deploying roles for multi-account IR
-
Multi-account CloudTrail deployment
-
Enable centralized CloudTrail Lake Event Data Stores and Queries
-
About deploying with IaC
-
ConclusionWhat now?
Important! Use a separate AWS account for this course
Christophe January 28, 2024
Do not use an existing AWS account for this course unless it’s meant strictly for sandboxing! Create a new and separate AWS account that does not have any relationship to production accounts. This is very important because we are going to be performing changes and destructive actions on purpose.
There’s also no excuse not to create a sandbox account, because creating a new and separate account is super easy. A quick trick for this is to use the + symbol in your email. So for example, if your email address is:
cybrisfun@gmail.com
Code language: CSS (css)
You can create a new account with:
cybrisfun+1@gmail.com
cybrisfun+2@gmail.com
...
[email protected]
...
Code language: CSS (css)
Or it can be text instead of numbers, but you get the idea.
If you are starting from a brand new account already, then you are good to go. But do not continue on with this course on an account that runs any sort of production resources whatsoever. This is very important.
Responses