CLOUD IR — CLOUDTRAIL INVESTIGATION
EXPERT — AWS SECURITY INCIDENT RESPONSE
CLOUDTRAIL · GUARDDUTY · IAM · S3 · ATHENA · REMEDIATION
Connecting to AWS: account 123456789012 (apexcorp-prod)...

OBJECTIVES

Triage the GuardDuty findings
Identify the compromised IAM user
Find the privilege escalation event
Detect the backdoor access key creation
Identify the S3 data exfiltration
Find the unauthorized EC2 instances
Build the attack timeline
Submit the cloud IR report
PHASE 1 — ALERT TRIAGE
MISSION BRIEF
ACCOUNT: 123456789012 (apexcorp-prod) — us-east-1

SCENARIO

GuardDuty fired a HIGH severity finding at 02:17 UTC against the apexcorp-prod AWS account. Unusual IAM activity was detected from an IP address not previously seen for this principal. Investigate the CloudTrail logs, identify the full blast radius, and recommend remediation steps.

ENVIRONMENT

Resource      Detail
Account       123456789012 (apexcorp-prod)
Region        us-east-1 (primary)
Alert time    2026-05-08 02:17 UTC
IAM user      dev-deploy (CI/CD service account)
Normal IP     10.10.14.0/24 (internal CI)
Alert IP      185.220.101.45 (external)

INVESTIGATION WORKFLOW

  • Start with GuardDuty — understand what fired
  • Open CloudTrail — filter by the compromised user
  • Check IAM Graph — visualise privilege changes
  • Use Athena to query CloudTrail logs at scale
  • Build the Timeline from key events
  • Complete the IR Report with remediation steps
LAB PANELS

CloudTrail — apexcorp-prod — 2026-05-08: event list with filters All / IAM / S3 / EC2 / Suspicious and columns Time (UTC), User, Service, Event, Region; click an event to inspect it.
GuardDuty — apexcorp-prod: 3 HIGH, 2 MEDIUM, 1 LOW findings.
IAM Privilege Graph — dev-deploy.
Athena — CloudTrail query engine: presets for dev-deploy events, IAM escalation, S3 exfil, EC2 mining, backdoor keys, attacker IP, failed logins and log tampering, or write a SQL query to search CloudTrail logs.
Attack Timeline: add events from CloudTrail by clicking "Add to Timeline" in the detail pane.
REFERENCE — AWS CLOUD IR
IAM PRIVILEGE ESCALATION
Common escalation paths in AWS:

iam:AttachUserPolicy — attaches a managed policy directly to a user
iam:PutUserPolicy — adds an inline policy to a user
iam:CreatePolicyVersion — creates a new version of an existing policy
iam:SetDefaultPolicyVersion — sets an older, more permissive version
iam:PassRole + ec2:RunInstances — run an EC2 with a privileged role

The simplest: AttachUserPolicy with AdministratorAccess.
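The escalation paths above are also a checklist for the defender: any principal whose policy grants all of the actions in one path can turn a foothold into full control. The following is an added example, not part of the lab or of any AWS tooling, that scans IAM policy documents for those action sets. The three sample policies are constructed for the example, and the check deliberately ignores explicit Deny statements, NotAction and Resource scoping (an assumption that keeps it short; a production check must honour them).

```python
"""Flag IAM policy documents that grant one of the escalation-capable
action sets listed in the reference (added example, not lab code)."""
import fnmatch

# Each path is the set of actions that must all be allowed for the path
# to exist; the names match the reference list above.
ESCALATION_PATHS = {
    "AttachUserPolicy": {"iam:AttachUserPolicy"},
    "PutUserPolicy": {"iam:PutUserPolicy"},
    "CreatePolicyVersion": {"iam:CreatePolicyVersion"},
    "SetDefaultPolicyVersion": {"iam:SetDefaultPolicyVersion"},
    "PassRole+RunInstances": {"iam:PassRole", "ec2:RunInstances"},
}


def allowed_actions(policy: dict) -> set[str]:
    """Collect every Action string (wildcards included) from Allow statements.
    Simplification: Deny, NotAction and Resource constraints are ignored."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    allowed: set[str] = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        allowed.update(actions)
    return allowed


def grants(allowed: set[str], action: str) -> bool:
    """True when any allowed pattern ('*', 'iam:*', 'iam:Attach*') matches action."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in allowed)


def escalation_paths(policy: dict) -> list[str]:
    """Return the names of escalation paths fully granted by the policy."""
    allowed = allowed_actions(policy)
    return [name for name, needed in ESCALATION_PATHS.items()
            if all(grants(allowed, a) for a in needed)]


# Constructed sample policies (not from the lab account).
CI_DEPLOY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-*"},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::apexcorp-artifacts/*"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
READONLY_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
                                  "Resource": "*"}]}

if __name__ == "__main__":
    for label, pol in [("ci-deploy", CI_DEPLOY_POLICY), ("admin", ADMIN_POLICY),
                       ("readonly", READONLY_POLICY)]:
        print(f"{label:10s} -> {escalation_paths(pol) or 'no escalation path'}")
```

Running this shows the CI deploy policy, which looks harmless on its own, already carries the PassRole + RunInstances path; that is exactly the kind of standing permission to review for a service account such as dev-deploy.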
CLOUDTRAIL KEY EVENTS
IAM: AttachUserPolicy / DetachUserPolicy, CreateAccessKey / DeleteAccessKey, CreateUser / DeleteUser, AssumeRole / SwitchRole
S3: GetObject (exfiltration), PutBucketPolicy (permission change), DeleteObject / DeleteBucket
EC2: RunInstances (new compute), TerminateInstances, CreateSecurityGroup
CloudTrail: DeleteTrail (logging disruption), StopLogging
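The investigation workflow in the brief (filter by the compromised user, spot the escalation, the backdoor key, the S3 reads, the rogue instances, and build the timeline) is what the key-event list above is for. As an added example that is not part of the lab, the script below runs that triage over a handful of constructed CloudTrail records shaped like real ones (eventTime, userIdentity, sourceIPAddress, eventName, requestParameters, responseElements). The baseline network for dev-deploy is taken from the brief; the bucket name, key id, instance id and the three-object exfiltration threshold are assumptions made for the example.

```python
"""Triage constructed CloudTrail records for the key event types in the
reference and build an attack timeline (added example, not lab code)."""
import ipaddress

# Baseline from the mission brief: dev-deploy normally calls from internal CI.
BASELINES = {"dev-deploy": ipaddress.ip_network("10.10.14.0/24")}
EXFIL_OBJECT_THRESHOLD = 3  # assumed: GetObject reads per bucket from an off-baseline IP
ESCALATION_EVENTS = {"AttachUserPolicy", "PutUserPolicy",
                     "CreatePolicyVersion", "SetDefaultPolicyVersion"}
LOGGING_EVENTS = {"StopLogging", "DeleteTrail"}


def off_baseline(user: str, ip: str) -> bool:
    """True when the user has a known source network and ip lies outside it."""
    net = BASELINES.get(user)
    return net is not None and ipaddress.ip_address(ip) not in net


def triage(records):
    """Return (timeline, findings): all records sorted by eventTime, and a list
    of (eventTime, category, detail) tuples for the notable events."""
    timeline = sorted(records, key=lambda r: r["eventTime"])
    findings, seen_ips, s3_reads = [], set(), {}
    for r in timeline:
        user = r["userIdentity"].get("userName", "?")
        ip, name, t = r["sourceIPAddress"], r["eventName"], r["eventTime"]
        params = r.get("requestParameters") or {}
        resp = r.get("responseElements") or {}
        external = off_baseline(user, ip)
        # First call from an off-baseline address is the GuardDuty-style trigger.
        if external and (user, ip) not in seen_ips:
            seen_ips.add((user, ip))
            findings.append((t, "off-baseline-ip", f"{user} called {name} from {ip}"))
        if name in ESCALATION_EVENTS:
            target = params.get("policyArn") or params.get("policyName", "")
            findings.append((t, "priv-esc", f"{user}: {name} {target}"))
        elif name == "CreateAccessKey":
            key = (resp.get("accessKey") or {}).get("accessKeyId", "?")
            findings.append((t, "backdoor-key",
                             f"{user} created {key} for {params.get('userName', user)}"))
        elif name == "GetObject" and external:
            k = (params.get("bucketName"), ip)
            s3_reads[k] = s3_reads.get(k, 0) + 1
            if s3_reads[k] == EXFIL_OBJECT_THRESHOLD:  # report once per bucket/IP
                findings.append((t, "s3-exfil",
                                 f"{s3_reads[k]}+ objects read from {k[0]} by {ip}"))
        elif name == "RunInstances":
            ids = [i["instanceId"] for i in (resp.get("instancesSet") or {}).get("items", [])]
            findings.append((t, "rogue-ec2",
                             f"{user} launched {', '.join(ids)} ({params.get('instanceType', '?')})"))
        elif name in LOGGING_EVENTS:
            findings.append((t, "log-tampering", f"{user}: {name} on {params.get('name', '?')}"))
    return timeline, findings


def ev(time, name, source, ip, user="dev-deploy", params=None, resp=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": f"2026-05-08T{time}Z", "eventName": name,
            "eventSource": f"{source}.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": params, "responseElements": resp}


ATTACKER_IP = "185.220.101.45"  # alert IP from the brief
SAMPLE_EVENTS = [  # constructed; deliberately out of order
    ev("02:19:02", "AttachUserPolicy", "iam", ATTACKER_IP,
       params={"userName": "dev-deploy",
               "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    ev("02:05:10", "GetCallerIdentity", "sts", "10.10.14.22"),
    ev("02:17:41", "ListAttachedUserPolicies", "iam", ATTACKER_IP,
       params={"userName": "dev-deploy"}),
    ev("02:21:15", "CreateAccessKey", "iam", ATTACKER_IP,
       params={"userName": "svc-backup"},
       resp={"accessKey": {"accessKeyId": "AKIACONSTRUCTEDEXAMPLE", "status": "Active"}}),
    *[ev(f"02:2{5 + i}:00", "GetObject", "s3", ATTACKER_IP,
         params={"bucketName": "apexcorp-customer-exports", "key": f"export-{i}.csv"})
      for i in range(3)],
    ev("02:31:07", "RunInstances", "ec2", ATTACKER_IP,
       params={"instanceType": "p3.8xlarge"},
       resp={"instancesSet": {"items": [{"instanceId": "i-0constructed000001"}]}}),
    ev("02:33:50", "StopLogging", "cloudtrail", ATTACKER_IP, params={"name": "apexcorp-trail"}),
]

if __name__ == "__main__":
    _, found = triage(SAMPLE_EVENTS)
    for t, cat, detail in found:
        print(f"{t}  {cat:16s} {detail}")
```

The findings come out in timeline order, so the printed list is already the skeleton of the IR report: initial off-baseline access, escalation, persistence, exfiltration, unauthorized compute, then logging disruption. The same logic maps onto the Athena presets in the lab (each `elif` branch is one preset's WHERE clause), which is the way to run it over a full account's worth of logs instead of a handful of records.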
GUARDDUTY FINDING TYPES
IAMUser/CredentialExposure — creds used from unusual location
IAMUser/AnomalousBehavior — unusual API call pattern
UnauthorizedAccess/IAMUser:* — API calls from known bad IP
Discovery:S3/BucketEnumeration — listing S3 buckets
Exfiltration:S3/ObjectRead — unusual S3 data access
CryptoCurrency:EC2/BitcoinTool — mining activity
IMMEDIATE CONTAINMENT
# Disable IAM user
aws iam update-login-profile --user-name dev-deploy --no-password-reset-required
aws iam delete-login-profile --user-name dev-deploy

# Revoke access keys
aws iam update-access-key --access-key-id AKIA... --status Inactive
aws iam delete-access-key --access-key-id AKIA...

# Detach escalated policy
aws iam detach-user-policy --user-name dev-deploy \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# Terminate rogue instances
aws ec2 terminate-instances --instance-ids i-xxxxx
IR REPORT — AWS INCIDENT FINDINGS: scored against the 8 objectives listed above.