This document provides an overview of responding to incidents in AWS environments. It discusses AWS authentication and authorization, control and data planes, the shared responsibility model, and building an incident response flow. It emphasizes having a services inventory, assessing knowledge gaps, implementing guardrails, threat modeling, structuring response actions, and validating preparations through simulation. The goal is to continuously research, improve detections, train teams, and develop resources to respond to issues across AWS services.
3. $ aws --profile Rodrigo Montoro sts get-caller-identity
● Head of Threat & Detection Research at Clavis Security
● Living in Florianópolis (Silicon Island)
● Author of 2 patented technologies (US Patent Office)
● Speaker in different conferences (Brazil,USA,Canada)
● Proud Dad and Husband
● Full Ironman triathlon (2x)
● Crossfit and Powerlifting
5. Agenda
Introduction to AWS ecosystem
1
Control Plane & Data Plane
The deFAULT truth of AWS shared responsibility model
Building an incident response flow
Conclusions
25. Inventory knowledge self assessment
Service Service Context Level (low to
critical)
Knowledge (1 to 5) Existing Detections /
Researches (1 to 5)
iam critical 3 4
ec2 high 4 4
appstream medium 3 2
sagemaker medium 1 1
rds high 2 3
redshift medium 1 1
* researching/developing idea for a threat score
*
26. Guardrails & Security Architecture
● Deny services you don’t need
● Use conditions in your privilege policies
● Be ready to use AWSCompromisedQuarentinev2
● Use different accounts
● Least privilege
27. Threat Modeling / Researches
source: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/
Map the path
from attacker to
my assets and
possible attack
techniques
Research how
attack techniques
mapped works
and data source
events need to
detect
Create detections
based on
requirements. Try
to analyze events
from real world.
Analyze
False Positives
and False
Negatives.
Deploy in “testing
mode” and keep
improving until
production.
Monitor metrics.
31. Future and Conclusions
● Don’t trust default configurations
● Good architecture helps monitoring
● Know what you are running
● Find your knowledge gaps
● Keep researching and improving detections
● Make sure you train your team
● Build an Uncommon services Incident Response Cheatsheet