=====Cyber Security Incident Response Plan=====

===Table 1 - Control Satisfaction===
^ Standard ^ NIST Category ^ Controls Satisfied ^ Audit Controls ^
| NIST 800-53rev4 | - | - | - |

===Table 2 - Major Document History===
^Date^Comment^Who^
|12/19/2019|Initial Doc|Tharp|

----

=====Response Plan Overview=====

{{:security:pasted:20191220-003019.png}}

====Response Plan Compromised Instance or exposed Access Keys====

  - Change the root password and passwords for all IAM users
  - Add / Validate MFA for all Admin users and console access users
  - Create new EC2 key pairs and update instances (delete compromised keys)
  - Relaunch the instance and create new AMI to relaunch if needed; edit ssh/authorized keys file
  - Rotate and delete IAM access keys
  - Delete unrecognized or unauthorized resources
    * Instances
    * IAM Users
    * Spot Bids
  - Contact AWS Support
    * Respond to abuse notifications

**Often times the worst attacks occur after the first vulnerability appears to have been remediated. Be Vigilant!!!**
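One way to verify that the password, MFA and access key steps above were actually completed is to check the IAM credential report against the incident start time. This is an added example, not part of the original plan; the function names, the sample account and users, and the cutoff time are assumptions, and the report shown is a constructed subset of the real columns.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a subset of the columns in an IAM credential report
# (the decoded CSV from `aws iam get-credential-report`). Account and users are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,true,true,2018-03-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2019-12-19T18:30:00+00:00,true,true,2019-12-19T18:45:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2019-06-02T11:00:00+00:00,false,true,2019-01-15T08:00:00+00:00,true,2019-12-19T19:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2019-11-30T12:00:00+00:00,false,N/A
"""

def _before(stamp, cutoff):
    """True if the timestamp is older than the cutoff, or is not a timestamp at all."""
    try:
        return datetime.fromisoformat(stamp) < cutoff
    except ValueError:
        return True

def outstanding_actions(report_csv, incident_start):
    """Return (user, action) pairs that are still open after the incident start."""
    cutoff = datetime.fromisoformat(incident_start)
    todo = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported" but always has console access.
        console = user == "<root_account>" or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            todo.append((user, "enable MFA"))
        # The root password change cannot be read from the report; confirm it by hand.
        if row["password_enabled"] == "true" and _before(row["password_last_changed"], cutoff):
            todo.append((user, "change password"))
        for n in ("1", "2"):
            active = row[f"access_key_{n}_active"] == "true"
            if active and _before(row[f"access_key_{n}_last_rotated"], cutoff):
                todo.append((user, f"rotate or delete access key {n}"))
    return todo

if __name__ == "__main__":
    for user, action in outstanding_actions(SAMPLE_REPORT, "2019-12-19T00:00:00+00:00"):
        print(f"{user}: {action}")
```

AWS regenerates the credential report at most once every four hours, so a report pulled right after remediation may still show the old state.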