Table of Contents
Cyber Security Incident Response Plan
Table 1 - Control Satisfaction
| Standard | NIST Category | Controls Satisfied | Audit Controls |
|---|---|---|---|
| NIST 800-53rev4 | - | - | - |
Table 2 - Major Document History
| Date | Comment | Who |
|---|---|---|
| 12/19/2019 | Initial Doc | Tharp |
Response Plan Overview
Response Plan Compromised Instance or exposed Access Keys
- Change the root password and passwords for all IAM users
- Add / Validate MFA for all Admin users and console access users
- Create new EC2 key pairs and update instances (delete compromised keys)
- Relaunch the instance and create new AMI to relaunch if needed; edit ssh/authorized keys file
- Rotate and delete IAM access keys
- Delete unrecognized or unauthorized resources
- Instances
- IAM Users
- Spot Bids
- Contact AWS Support
- Respond to abuse notifications
Often times the worst attacks occur after the first vulnerability appears to have been remediated. Be Vigilant!!!