Cloud incidents require response procedures adapted to the environment. Under the shared responsibility model, response must be coordinated with the provider. Because cloud platforms are API-driven, much of the response can be automated.
Preparation
Before incidents happen:
- Document cloud architectures
- Establish provider contacts
- Create response playbooks
- Test backup and recovery
Detection
Cloud-native detection sources:
- Cloud audit logs
- Flow logs
- Security service alerts
- Application telemetry
Containment
Automated containment actions:
    # Isolate the compromised instance by replacing its security groups with a
    # quarantine group. 'sg-isolated' is a placeholder for the real group ID;
    # instance_id is the affected instance's ID, supplied by the detection step.
    import boto3

    ec2 = boto3.client('ec2')
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=['sg-isolated']
    )
Evidence Collection
Preserve volatile data:
- Instance metadata
- Memory dumps
- Network connections
- Running processes
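The sequence a containment playbook typically automates around that security-group swap, tying the Containment and Evidence Collection steps together, as an added example that is not the page's own code: it records instance metadata before it is overwritten, isolates, enables termination protection, and snapshots the attached volumes, using boto3-style EC2 calls. FakeEC2 is a constructed in-memory stand-in so it runs offline; QUARANTINE_SG and every instance, group, volume and case ID are placeholders.

```python
QUARANTINE_SG = "sg-isolated"  # placeholder: SG with no inbound, outbound only to collector

def contain_instance(ec2, instance_id, case_id):
    """Record volatile metadata, isolate, protect from termination, snapshot.
    Returns a dict the rest of the playbook can act on."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])[
        "Reservations"][0]["Instances"][0]
    # Volatile data first: the group swap below overwrites the original SGs
    record = {"instance_id": instance_id, "private_ip": inst.get("PrivateIpAddress"),
              "original_groups": [g["GroupId"] for g in inst["SecurityGroups"]]}
    # 1. Network isolation (the page's single call becomes one step of a sequence)
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    # 2. Nobody, attacker included, can now terminate the evidence host via the API
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    # 3. Disk evidence: snapshot each attached EBS volume, tagged to the case
    record["snapshots"] = [
        ec2.create_snapshot(
            VolumeId=m["Ebs"]["VolumeId"],
            Description=f"IR {case_id} {instance_id} {m['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IRCase", "Value": case_id}]}],
        )["SnapshotId"]
        for m in inst.get("BlockDeviceMappings", [])]
    return record


class FakeEC2:
    """Constructed in-memory stand-in for boto3's EC2 client (demo only)."""
    def __init__(self, instances):
        self.instances, self.attrs, self.snapshots = instances, [], []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def modify_instance_attribute(self, InstanceId, **kw):
        self.attrs.append(kw)
        if "Groups" in kw:  # mirror what EC2 does to the instance record
            self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in kw["Groups"]]

    def create_snapshot(self, VolumeId, **kw):
        snap_id = f"snap-{len(self.snapshots):03d}"  # constructed ID
        self.snapshots.append({"SnapshotId": snap_id, "VolumeId": VolumeId, **kw})
        return {"SnapshotId": snap_id}


# Constructed sample: one compromised instance with two attached volumes
SAMPLE = {"i-0abc": {"InstanceId": "i-0abc", "PrivateIpAddress": "10.0.1.5",
                     "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
                     "BlockDeviceMappings": [
                         {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-1"}},
                         {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-2"}}]}}
```

Against a real account, pass `boto3.client("ec2")` instead of `FakeEC2(SAMPLE)`; note that a fully closed quarantine group also cuts off agent-based memory and process collection, so the quarantine SG should still permit the forensic collector.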
Lessons Learned
Every incident is a learning opportunity. Conduct blameless postmortems and update procedures.