12 Playbooks - NIST Framework

    AWS Incident Response Playbooks

    Step-by-step runbooks with real AWS CLI commands. Detection → Containment → Eradication → Recovery → Lessons Learned.

    By Toc Consulting - AWS Security & Cloud Architecture

    CRITICAL | Credential Compromise
    Services: iam, cloudtrail, guardduty, sts, securityhub

    Compromised IAM Access Keys

    Leaked or stolen long-term credentials

    Tags: access-keys, credential-leak, lateral-movement, exfiltration
    15-30 min | 17 steps

    CRITICAL | Data Exposure
    Services: s3, cloudtrail, macie, config, securityhub

    Exposed / Public S3 Bucket

    Unintended public access to sensitive data

    Tags: s3, public-access, data-leak, bucket-policy
    10-20 min | 16 steps

    HIGH | Malware
    Services: ec2, guardduty, cloudwatch, vpc, cloudtrail

    EC2 Crypto Mining

    Unauthorized cryptocurrency mining on EC2 instances

    Tags: crypto-mining, ec2, cost-spike, malware
    20-40 min | 16 steps

    CRITICAL | Malware
    Services: ec2, ssm, guardduty, ebs, vpc, +1

    Compromised EC2 Instance

    Malware, backdoor, or unauthorized access on EC2

    Tags: ec2, malware, backdoor, lateral-movement
    30-60 min | 15 steps

    CRITICAL | Credential Compromise
    Services: iam, cloudtrail, organizations, sns

    Unauthorized Root Account Access

    Root credentials compromised or abused

    Tags: root-account, mfa, credential-compromise, account-takeover
    10-15 min | 16 steps

    HIGH | Malware
    Services: lambda, cloudtrail, cloudwatch, iam

    Lambda Function Abuse

    Malicious code execution or resource abuse via Lambda

    Tags: lambda, serverless, code-injection, execution-role
    20-30 min | 15 steps

    CRITICAL | Data Exposure
    Services: rds, vpc, cloudtrail, config, secrets

    RDS Database Exposure

    Database publicly accessible or credentials leaked

    Tags: rds, database, public-access, credential-leak
    20-30 min | 15 steps

    CRITICAL | Credential Compromise
    Services: secrets, cloudtrail, iam, guardduty, kms

    Secrets Manager / Credential Leak

    Secrets accessed or exfiltrated from Secrets Manager

    Tags: secrets-manager, credential-leak, api-keys, database-credentials
    20-40 min | 15 steps

    HIGH | Network Attack
    Services: waf, cloudfront, route53, elb

    DDoS Attack

    Distributed denial-of-service targeting your AWS workloads

    Tags: ddos, waf, shield, cloudfront
    15-30 min | 15 steps

    CRITICAL | Supply Chain
    Services: ecr, lambda, codebuild, inspector

    Supply Chain Attack

    Compromised dependency or container image

    Tags: supply-chain, dependency, container, malicious-package
    30-60 min | 16 steps

    CRITICAL | Privilege Escalation
    Services: iam, cloudtrail, guardduty, config, securityhub

    IAM Privilege Escalation

    Unauthorized elevation of IAM permissions

    Tags: iam, privilege-escalation, policy-modification, role-assumption
    20-40 min | 15 steps

    HIGH | Data Exposure
    Services: vpc, route53, guardduty, networkfirewall

    Data Exfiltration via DNS/VPC

    Covert data theft through DNS tunneling or VPC channels

    Tags: dns-tunneling, data-exfiltration, vpc-flow-logs, covert-channel
    30-45 min | 15 steps

    Need Help with Incident Response?

    When an incident strikes, every minute counts. We help AWS teams prepare, detect, and respond to security incidents with proven playbooks and hands-on expertise.