conducting-cloud-incident-response

Solid

Responds to security incidents in cloud environments (AWS, Azure, GCP) by performing identity-based containment, cloud-native log analysis, resource isolation, and forensic evidence acquisition adapted for ephemeral cloud infrastructure. Activates for requests involving cloud incident response, AWS security incident, Azure compromise, GCP breach, cloud forensics, or cloud identity compromise.

Category: DevOps & Infrastructure. 38 stars, 5 forks. Updated yesterday. License: MIT.


Quality Score: 89/100

- Stars (weight 20%): 53
- Recency (weight 20%): 100
- Frontmatter (weight 20%): 70
- Documentation (weight 15%): 100
- Issue Health (weight 10%): 80
- License (weight 10%): 100
- Description (weight 5%): 100

Skill Content

# Conducting Cloud Incident Response

## When to Use

- Cloud security posture management (CSPM) alerts on unauthorized resource changes
- CloudTrail, Azure Activity Logs, or GCP Audit Logs show suspicious API calls
- Cloud access keys or service principal credentials are suspected compromised
- Unauthorized compute instances, storage buckets, or IAM changes are detected
- A cloud-hosted application is breached and attacker activity spans cloud services

**Do not use** for on-premises-only incidents with no cloud component; use standard enterprise IR procedures.

## Prerequisites

- Cloud-native logging enabled and centralized: AWS CloudTrail (all regions), Azure Activity/Sign-in Logs, GCP Cloud Audit Logs
- IR-specific cloud IAM roles pre-provisioned with read-only forensic access
- Isolated forensic account/subscription/project for evidence preservation
- Cloud incident response runbooks specific to each cloud provider
- Cloud-native security tools: AWS GuardDuty, Azure Defender for Cloud, GCP Security Command Center
- Network traffic logging: VPC Flow Logs (AWS/GCP), NSG Flow Logs (Azure)

## Workflow

### Step 1: Detect and Confirm the Cloud Incident

Identify the scope and nature of the compromise:

**AWS Indicators:**

```
CloudTrail suspicious events to investigate:
- ConsoleLogin from unexpected geolocation or IP
- CreateAccessKey for existing IAM user (persistence)
- RunInstances for crypto-mining (large instance types)
- PutBucketPolicy making S3 bucket public
- Assu...
```
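As an added example that is not part of this skill, the Python triage pass below runs the four AWS indicators listed under Step 1 over CloudTrail records in their native JSON shape; the allowlisted console-login range, the "8xlarge or bigger" threshold for mining-sized instances, and the sample records are assumptions made for the example.

```python
import ipaddress
import json

# Assumption (not from the skill): the organisation's known egress range for console logins.
KNOWN_LOGIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def _is_public_policy(policy):
    # CloudTrail has recorded bucketPolicy both as a JSON string and as a nested object.
    stmts = (json.loads(policy) if isinstance(policy, str) else policy).get("Statement", [])
    for s in stmts if isinstance(stmts, list) else [stmts]:
        p = s.get("Principal", {})
        vals = [p] if isinstance(p, str) else [x for v in p.values() for x in (v if isinstance(v, list) else [v])]
        if s.get("Effect") == "Allow" and "*" in vals:   # Allow to the anonymous principal == public
            return True
    return False

def _is_large_instance(itype):
    size = itype.split(".", 1)[-1]          # "p3.16xlarge" -> "16xlarge"
    if size == "metal":
        return True
    return size.endswith("xlarge") and int(size[:-6] or "1") >= 8   # assumed threshold

def triage_cloudtrail(records):
    findings = []                           # (eventName, human-readable reason) per matching record
    for r in records:
        name, params = r.get("eventName"), r.get("requestParameters") or {}
        actor = r.get("userIdentity", {}).get("userName", "?")
        if name == "ConsoleLogin":
            ip = ipaddress.ip_address(r["sourceIPAddress"])
            if not any(ip in net for net in KNOWN_LOGIN_NETWORKS):
                findings.append((name, f"{actor} signed in from unexpected IP {ip}"))
        elif name == "CreateAccessKey":     # key minted for an existing user: persistence indicator
            findings.append((name, f"{actor} created an access key for {params.get('userName', actor)}"))
        elif name == "RunInstances" and _is_large_instance(params.get("instanceType", "")):
            findings.append((name, f"{actor} launched {params['instanceType']} (crypto-mining sized)"))
        elif name == "PutBucketPolicy" and _is_public_policy(params.get("bucketPolicy", {})):
            findings.append((name, f"{actor} made bucket {params.get('bucketName')} public"))
    return findings

# Constructed sample records in CloudTrail's JSON shape (not real events).
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7", "userIdentity": {"userName": "alice"}},
    {"eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "svc-backup"}},
    {"eventName": "RunInstances", "userIdentity": {"userName": "alice"}, "requestParameters": {"instanceType": "p3.16xlarge"}},
    {"eventName": "RunInstances", "userIdentity": {"userName": "bob"}, "requestParameters": {"instanceType": "t3.micro"}},
    {"eventName": "PutBucketPolicy", "userIdentity": {"userName": "alice"}, "requestParameters": {
        "bucketName": "corp-backups", "bucketPolicy": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-backups/*"}]})}},
]
```

Feed it the `Records` array of a CloudTrail log file (or an Athena/CloudWatch export) to get the first-pass list of events to confirm manually; the t3.micro launch above is deliberately not flagged.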

Details

- Author: adriannoes
- Repository: adriannoes/awesome-vibe-coding
- Created: 8 months ago
- Last Updated: yesterday
- Language: Jupyter Notebook
- License: MIT
