Skip to main content

AWS Solutions Library

Guidance for Security Incident Response on AWS

Reduce threats by responding effectively to security vulnerabilities

Overview

This Guidance helps you to effectively respond to a security incident based on decisions that are specified in your incident response plan. The response involves characterizing the nature of the incident and making changes, which may involve activities including restoration of operational status, identification and remediation of root cause, and gathering evidence pursuant to civil or criminal prosecution.

How it works

These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.

Download the architecture diagram

Additional considerations

Due to the critical need for data protection, regulatory compliance, and the complex nature of the cloud infrastructure, this Guidance for Security Incident Response on AWS is an essential component in building your cloud foundation.

The cloud's scalability and rapid resource deployment capabilities present both advantages and risks. While businesses benefit from the agility the cloud provides, malicious actors can exploit vulnerabilities. An effective security incident response plan is essential for coordinating efforts and promptly addressing security threats. Additionally, the shared responsibility model in cloud computing necessitates a clear understanding of security responsibilities between the cloud provider and you.

Effectively responding to security incidents includes collecting and preserving evidence for analysis. Which is why this Guidance extends beyond containment and mitigation to post-incident analysis and continuous improvement. The insights gained from post-incident analysis can inform security enhancements, policy updates, and overall improvements to an organization's security posture.

Related content

  • Stakeholders: Security (primary), Central IT, Networking
  • Supporting Capabilities: Vulnerability and Threat Management, Identity Management and Access Control, Observability, Resource Inventory Management, Network Security

Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.