Incident Response in AWS


In this two-day course, you’ll experience a cloud incident and subsequent data breach in real-time, simulated in a vulnerable-by-design application. Students will act as our fictional company’s incident response team and experience the various phases of the IR lifecycle. As an adversary compromises our simulated application, we’ll cover detection, conduct a forensic investigation of the CloudTrail logs to determine what the attacker did, execute containment activities, and then perform an analysis to see if a data breach occurred.

Target Audience & Prerequisites

The class targets SOC analysts and security engineers new to AWS and need a crash course in CloudTrail, S3, IAM, Serverless, and the many ways the public cloud changes the incident response process. This class doesn’t teach you to be an incident responder; it will teach an incident responder how to respond in AWS. Students need only a basic understanding of AWS and their laptops, as the entire cloud environment will be pre-built for our incident.


This class is offered on-site in either a full or half-day format.

The full-day format is 7 hours each day (with an hour for lunch), while the half-day format is 4 hours each day. Both formats allow busy students time to deal with daily tasks, so they’re not forced to answer emails or put out fires during class. If you have more than 15 students, or need to provide operational coverage, we can support morning and afternoon cohorts.

Curriculum Outline

Day 1

  1. Intro to the class
  2. Introduction to AWS & Cloud Security
  3. Break
  4. Lab 1 - Introduction to Fooli
  5. Preparation
  6. Lunch
  7. Investigations in CloudTrail
  8. Lab 2 - Investigating a CryptoMining Incident
  9. Running the Fooli Investigation
  10. Break
  11. Containment Strategies
  12. Lab 3 - Containing the Fooli Breach

Day 2

  1. Recap of Day 1
  2. Day Two of the Investigation (Ransom note)
  3. Forensics on EC2
  4. Break
  5. Lab 4 - EC2 Forensics
  6. Logging & Other Forensics
  7. Lunch
  8. Determining a Data Breach
  9. Lab 5 - CloudTrail & Athena
  10. Break
  11. Incident Review & Lessons Learned
  12. Review the Incident from the Attacker’s perspective
  13. Wrap up & Take Away

Day 3 (optional)

The optional third day focuses on remediation issues and eradicating and recovering the meme factory.

  1. Review of the Fooli CSPM Findings
  2. Fooli IAM Failures
  3. Fooli Network Failures
  4. Fooli Application Failures

Each section will include a lecture on how to fix the issues and the general trade-offs and impacts. Students will then be able to leverage CI/CD to remediate the issues in their meme factories.


On-site classes in the US & Canada are billed at a flat rate. Classes can support up to 15 students. PrimeHarbor will provide each student with their own Fooli lab environment. The hosting company only needs to provide a projector, wireless connectivity, and HTTP/HTTPS and SSH access to the internet.


This class leverages Splunk enterprise as the Fooli SEIM. All PrimeHarbor classes can be customized to reflect your company’s tools and processes. Contact us for more information!