Incident Response with CloudTrail and Athena
-
Introduction
Start here! -
About the course
-
Important! Use a separate AWS account for this course
-
Optional but helpful tools
-
[LAB] Enable budget alerting
-
Preparing your AWS accountThe roles we need
-
Enable IAM Identity Center
-
Creating the SecurityAnalyst role
-
Assuming roles created through Identity Center
-
Creating remaining roles
-
Incident Response with CloudTrail LakePlaybook - Compromised IAM access key
-
Configuring CloudTrail Lake
-
Deploying lab resources
-
Simulating an attack - S3 backdoor and data exfil
-
Analysis - Validate
-
Containment - Access Key
-
Analysis - Scope
-
Containment - User and S3 Bucket
-
Analysis - Impact
-
Eradication
-
Recovery
-
Post-incident activity
-
Response Steps & Complete Playbook (Recap)
-
Cleaning up
-
Incident Response with AthenaPlaybook - Cryptocurrency mining
-
Updating our permission sets
-
Configuring our AWS environment
-
Simulating an attack
-
Analysis - Validate
-
Containment - User & Access Key
-
About Athena
-
Configuring Athena
-
Analysis - Scope - Part 1
-
Analysis - Scope - Part 2
-
Analysis - Scope - Part 3
-
Containment - Backdoor User
-
Containment - Instances
-
Analysis - EC2 Forensics
-
Analysis - Impact
-
Eradication
-
Recovery
-
Post-incident activity
-
Response Steps & Complete Playbook (Recap)
-
Cleaning up
-
Incident Response for multi-accountMulti-account architecture for security logging
-
Deploying roles for multi-account IR
-
Multi-account CloudTrail deployment
-
Enable centralized CloudTrail Lake Event Data Stores and Queries
-
About deploying with IaC
-
ConclusionWhat now?
Before we get started, I want to share tools that can make your life easier when it comes to assuming roles. I won’t be using these in this course because I don’t want to force you to use a tool if you’re not interested. What we’re going to do in this course can be purely done using native AWS tools. These 3rd party tools are completely optional:
All of these tools will help you achieve similar objectives, it just comes down to personal preference.
As a general rule of thumb, I’d recommend aws-sso-cli for when you are using Identity Center pretty much exclusively.
I’d recommend aws-vault if you still also use IAM users and long-term access keys for some use cases.
I’d recommend Granted when you are running multi-account setups.
Give them all a shot and see which you prefer!
Responses