Incident Response in AWS


In this two-day course, you’ll experience in real-time a cloud incident and subsequent data breach, simulated in a vulnerable-by-design application. Students will act as our fictional company’s incident response team, and experience the various phases of the IR lifecycle. As an adversary compromises our [simulated application](/projects/fooli/ we’ll cover detection, conduct a forensic investigation of the CloudTrail logs to determine what the attacker did, execute containment activities, and then perform an analysis to see if a data breach occurred.

Target Audience & Prerequisites

The class is targeted toward SOC analysts and security engineers who are new to AWS and need a crash course in CloudTrail, S3, IAM, Serverless, and the many ways the public cloud changes the incident response process. This class doesn’t teach you to be an incident responder; it will teach an incident responder how to respond in AWS. Students need only a basic understanding of AWS and their laptops, as the entire cloud environment will be pre-built for our incident.


This class is offered on-site in either a two or three-day format.

The two-day format is 7 hours each day (with an hour for lunch), while the three-day format is 4 hours each day. Both formats allow busy students time to deal with daily tasks, so they’re not forced to answer emails or put out fires during class.

Curriculum Outline

  1. Intro to the class, and the Fooli Meme Factory
  2. Introduction to AWS & Cloud Security
    • What is the Cloud
    • Shared Responsiblity
    • Identity vs Network Perimeter
    • AWS IAM
  3. Preparation
    • CloudTrail
    • GuardDuty
    • Account Management & Visibility
    • VPC FlowLogs
    • CSPM
  4. Building your Detection Catalog
  5. How to do CloudTrail Forensics
  6. Containment Strategies
  7. Running the Fooli Investigation
  8. Determining if a Data Breach occured
  9. EC2 Evidence Collection
  10. Conducting Forensics on EC2
  11. Lessons Learned, including what needs to be fixed in the Fooli app


On-site classes in the US & Canada are $15,000 for up to 20 students. PrimeHarbor will provide each student with their own Fooli lab environment. The hosting company only needs to provide a projector, wireless connectivity, and HTTP/HTTPS and SSH access to the internet.


This class leverages Splunk enterprise as the Fooli SEIM. All PrimeHarbor classes can be customized to reflect the tools and processes your company uses. Contact us for more information!