=====Cyber Security Incident Response Plan=====
===Table 1 - Control Satisfaction===
^ Standard ^ NIST Category ^ Controls Satisfied ^ Audit Controls ^
| NIST 800-53rev4 | - | - | - |
===Table 2 - Major Document History===
^Date^Comment^Who^
|12/19/2019|Initial Doc|Tharp|
----
=====Response Plan Overview=====
{{:security:pasted:20191220-003019.png}}
====Response Plan: Compromised Instance or Exposed Access Keys====
  - Change the root password and passwords for all IAM users
  - Add / Validate MFA for all Admin users and console access users
  - Create new EC2 key pairs and update instances (delete compromised keys)
  - Relaunch the instance, creating a new AMI to relaunch from if needed; edit the ssh ''authorized_keys'' file
  - Rotate and delete IAM access keys
  - Delete unrecognized or unauthorized resources
    * Instances
    * IAM Users
    * Spot Bids
  - Contact AWS Support
    * Respond to abuse notifications
**Oftentimes the worst attacks occur after the first vulnerability appears to have been remediated. Be Vigilant!!!**
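
One way to confirm that the password, MFA and access key steps above were actually completed is to check the account's IAM credential report (''aws iam generate-credential-report'', then ''aws iam get-credential-report'', decoded to CSV) for credentials that still predate the incident. This is an added example, not part of the original plan; the function names, sample rows and incident time are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the columns in an IAM credential report.
SAMPLE_REPORT = """\
user,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,not_supported,true,false,N/A,false,N/A
alice,true,2024-05-02T09:00:00+00:00,true,true,2024-05-02T09:05:00+00:00,false,N/A
bob,true,2024-01-10T12:00:00+00:00,false,true,2023-11-01T08:00:00+00:00,false,N/A
ci-deploy,false,N/A,false,true,2024-05-03T10:00:00+00:00,true,2022-06-01T00:00:00+00:00
"""
INCIDENT_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed value


def _ts(value):
    """Parse a report timestamp; 'N/A' and 'not_supported' become None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def unremediated(report_csv, incident_time):
    """Map each user to the credentials that still predate the incident."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        is_root = row["user"] == "<root_account>"
        console = is_root or row["password_enabled"] == "true"
        changed = _ts(row["password_last_changed"])
        # The report shows no password date for root: confirm that reset by hand.
        if console and not is_root and (changed is None or changed < incident_time):
            issues.append("password not changed since incident")
        if console and row["mfa_active"] != "true":
            issues.append("console access without MFA")
        for n in ("1", "2"):
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if row[f"access_key_{n}_active"] == "true" and (
                rotated is None or rotated < incident_time
            ):
                issues.append(f"access key {n} active, not rotated since incident")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in unremediated(SAMPLE_REPORT, INCIDENT_TIME).items():
        print(user, "->", "; ".join(issues))
```

An empty result means every console password and active access key in the report was changed after the incident time and every console user has MFA; the root password reset still has to be confirmed separately.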