Responding to Security Events
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing AWS Certified Security - Specialty premium course — no separate purchase.
Included in this chapter:
- Capture evidence first, in the right order
- Contain, eradicate, recover, in that order
- Validate scope and find the root cause
- Respond to compromised credentials
- Exam-pattern recognition
Which AWS service for each step of responding to an event
| Response step | Amazon GuardDuty | AWS Security Hub | Amazon Detective | Automated Forensics Orchestrator |
|---|---|---|---|---|
| Primary role | Detect the threat and raise the finding | Aggregate and correlate findings, prioritize | Investigate scope and root cause | Capture and isolate forensic artifacts |
| Lifecycle phase served | Detection and analysis | Detection and analysis (triage) | Analysis (scope, RCA) | Containment and analysis |
| Works from | CloudTrail, VPC Flow Logs, DNS logs | Findings from GuardDuty, Inspector, Macie, checks | Behavior graph from CloudTrail and VPC Flow Logs plus ingested findings | Security Hub finding plus Step Functions workflow |
| Produces | A finding such as InstanceCredentialExfiltration | A prioritized, deduplicated finding inventory | Finding groups and a behavior graph for RCA | EBS snapshot and memory image in a forensics account |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.