This course is a guided practice use case. It invites you to investigate a security incident involving compromised AWS Identity and Access Management (IAM) credentials by using the Security Incident Workflow process. The topics covered in this course are 200-level and require you to understand how to use various services in Amazon Web Services (AWS). You are encouraged to complete the AWS Security Incident Response Overview course before taking this course to gain a deeper understanding of the investigation process. There are two modules in the AWS Security Incident Response Overview course: Module 1: Define Security Incident Response and Module 2: Use AWS Services to Investigate Security Incidents.
Course level: Intermediate
Duration: 40 minutes
Activities
This course includes interactive learning objects.
Course objectives
In this course, you will learn to:
- Identify the source of an alert using Amazon GuardDuty.
- Review events in AWS CloudTrail to determine the scope of an incident.
- Use the IAM console to deactivate access for any compromised IAM user.
- Delete or rotate access keys from the IAM console.
Intended audience
This course is intended for:
- Security engineers
- Security operations center (SOC) analysts, incident analysts (responders), and security operations (SecOps)
- Security managers and security principals
Prerequisites
We recommend that attendees of this course have completed:
- AWS Security Incident Response Overview course, which provides the foundational knowledge you will need to investigate a security incident
- AWS Security Fundamentals (Second Edition), which provides baseline training on how the AWS services work
Course outline
Topic 1: Navigation
How to Use This Course
Topic 2: Introduction
Welcome
Topic 3: Compromised IAM Credentials Guided Practice
Compromised IAM Credentials Introduction
Part 1: Detect
Part 2: Analyze
Part 3: Contain
Part 4: Analyze
Part 5: Eradicate
Part 6: Recover
Summary
Topic 4: Additional Help
Learn More
Topic 5: For Students
Contact Us