How is incident response in cloud?

An incident is an event that could lead to loss of, or disruption to, an organization’s operations, services or functions. Incident management is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.

For example, Unauthorized access, attempts to break into the system, data loss etc.

Incident Response, is an approach to address and prevent similar security events from being happening in the organization. This should limit the damage, reduce downtime and reduces overall cost.

You can use AWS Guardrails to get the list of incidents which is happening in your cloud ecosystem. Some incidents like :

  1. Exposing cloud access & secret keys: One of the most common use cases in an organization, since many GitHub developers store access in GitHub code. This is highly not recommended. What to do if the access key is exposed:
  • Find access rights of the key exposed.

  • Disable the credentials since it is a production environment not delete it. Deleting may cause a business impact.

  • Always check all logs, Cloud trails. There is a chance that attackers would have created temporary credentials using the AWS STS service. So disabling will not always help.

  • Add an “Explicit Deny” option in IAM to all cloud functionalities of that IAM user. This is the best approach to fix the temporary credential issue. Or remove all the policies which are associated with the user.

  1. Compromised cloud instance