
AWS CIRT Useful Links

AWS CIRT (Customer Incident Response Team) has provided a list of useful links to help those who want to understand more about Incident Response (IR).

Ben Fletcher
Amazon Employee
Published Feb 27, 2025

IR Practice

Playbooks
This collection of files is provided as an example framework for customers to create, develop, and integrate security playbooks in preparation for potential attack scenarios when using AWS services.
https://github.com/aws-samples/aws-customer-playbook-framework
Cloud Saga
AWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (AWS) environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
https://github.com/awslabs/aws-cloudsaga
Assisted log enabler
Assisted Log Enabler for AWS is for customers who do not have logging turned on for various services, and lack knowledge of best practices and/or how to turn them on.
https://github.com/awslabs/assisted-log-enabler-for-aws

IR Knowledge bases

Safe Room
"The Safe Room" is an engaging Twitch series focused on cloud security and incident response in AWS environments.
https://community.aws/livestreams/the-safe-room
Security Ramp-Up
Whether you're new to AWS or seeking a deeper understanding, join us as we break down barriers and simplify the journey to mastery. Elevate your skills with our team of experts in a fun and entertaining me.
https://community.aws/livestreams/security-ramp-up
Workshops
Five workshops that simulate these security events to help you learn the tools and procedures that AWS CIRT uses on a daily basis to detect, investigate, and respond to such security events. The workshops cover AWS services and tools, such as Amazon GuardDuty, Amazon CloudTrail, Amazon CloudWatch, Amazon Athena, and AWS WAF, as well as some open source tools written and published by AWS CIRT.
https://aws.amazon.com/blogs/security/aws-cirt-announces-the-release-of-five-publicly-available-workshops/
Skill builder training
AWS CIRT worked with AWS Training to create free courses to help you skill-up on IR.
https://explore.skillbuilder.aws/learn/courses/22165/aws-security-incident-response-user-training/lessons
Prowler
This open source project was created by a previous AWS SA. It
https://github.com/prowler-cloud/prowler
We also have a Security Ramp-Up episode which covers the tool.
Security Incident Response Service
Through AWS CIRT's experience, we realised that customers wanted more IR support. As such, we launched this service at AWS Re:Invent 2024.
IR Whitepaper
This guide presents an overview of the fundamentals of responding to security incidents within a customer’s Amazon Web Services (AWS) Cloud environment. It provides an overview of cloud security and incident response concepts and identifies cloud capabilities, services, and mechanisms that are available to customers who respond to security issues.
https://aws.amazon.com/blogs/security/updated-whitepaper-available-aws-security-incident-response-guide/
Re:Inforce Presentation
This was a chalk and talk that was given at Re:Inforce 2024 covering the new tactics and techniques for proactive threat detection.
https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
