← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 10 · Multi-Cloud Security Curriculum

Incident Response & Forensics in Cloud

~60 minutes covering cloud IR challenges, NIST 800-61 adapted for cloud, CloudTrail evidence analysis, forensic evidence preservation, and regulatory notification requirements.

20
Interview Q&As
25
MCQ Questions
4
Simulations
60
Minutes

Topics Covered

#TopicTime
1Core Concepts: Cloud IR challenges, NIST phases, forensic tools10 min
220 Interview Q&As20 min
325 MCQs15 min
4Sim: IR Phase Action Router4 min
5Sim: CloudTrail Evidence Identifier4 min
6Sim: Breach Response Planner4 min
7Sim: Regulatory Notification Timer3 min
⚠️ Cloud IR is fundamentally different from traditional IR. The #1 mistake: terminating a compromised EC2 instance before taking an EBS snapshot — you lose all forensic evidence. Always isolate first, preserve second, eradicate third.
Core Concepts · ~10 min

Cloud IR & Forensics Fundamentals

Cloud IR Challenges vs Traditional IR

ChallengeTraditional IRCloud IR
Physical accessPull hard drive, image on-siteNo physical access — use API/EBS snapshot
Ephemeral resourcesServers are persistentAuto-scaled instances may terminate automatically, destroying evidence
IsolationUnplug network cableApply quarantine Security Group (block all inbound/outbound)
Memory captureRAM dump locallyAWS SSM Run Command to dump memory; Azure Runbook
Log sourcesWindows Event Log, SyslogCloudTrail, VPC Flow Logs, GuardDuty, Sentinel, NSG Logs
Multi-tenancyFull hardware visibilityLimited visibility below hypervisor (CSP manages hardware)
JurisdictionSingle data centreData may span multiple regions/countries — legal complexity

NIST IR Lifecycle Adapted for Cloud

1. Preparation
  • IR playbooks per cloud provider
  • Pre-authorized forensic IAM role
  • CSIRT team trained on cloud tools
  • CloudTrail enabled all regions
  • Forensic AMIs pre-built
2. Detection & Analysis
  • GuardDuty / Sentinel alert
  • CloudTrail analysis
  • SIEM correlation
  • Triage: scope & severity
  • Timeline reconstruction
3. Containment
  • Quarantine SG (block all traffic)
  • Disable IAM key/user
  • Revoke STS tokens
  • EBS snapshot BEFORE termination
  • Isolate VPC (remove routes)
4. Eradication
  • Remove backdoor IAM users
  • Patch vulnerability / attack vector
  • Remove malware/persistence
  • Close exposed ports/buckets
5. Recovery
  • Restore from clean AMI/snapshot
  • Rotate ALL credentials
  • Validate clean state
  • Monitor closely post-restore
6. Post-Incident
  • Lessons-learned report
  • Timeline reconstruction
  • Regulatory notification
  • Update playbooks/controls

Evidence Preservation in Cloud

Evidence TypeAWS MethodPriority
Memory (RAM)SSM Run Command → run memory acquisition tool (LiME)Highest — volatile
Running processes / network connectionsSSM Run Command: ps aux, netstatHigh — volatile
Disk imageEBS Snapshot (API call: CreateSnapshot) — point-in-timeHigh — do BEFORE termination
API call logsCloudTrail logs (S3 bucket) — preserve to immutable bucketMedium — but may have 90-day limit
VPC network trafficVPC Flow Logs, Traffic MirroringMedium
Application logsCloudWatch Logs — export to S3 with immutabilityMedium
⚠️ Order of operations: ISOLATE → SNAPSHOT → INVESTIGATE → ERADICATE. Never terminate first — you destroy all evidence.

Key Forensic Tools for Cloud

ToolCloud ProviderPurpose
AWS DetectiveAWSGraph-based investigation linking GuardDuty findings, CloudTrail events, VPC Flow Logs — visualizes entity relationships and timelines
Microsoft Sentinel NotebooksAzureJupyter notebooks for cloud forensic investigation — ML-powered investigation workflows
GCP ChronicleGCPSecurity analytics platform with retroactive threat hunting across GCP logs
CloudTrail LakeAWSSQL-queryable audit log lake — query 7 years of API history
KAPE (cloud adapted)Multi-cloudRapid triage and artifact collection from cloud-based endpoints

Regulatory Notification Timelines

RegulationNotify WhomDeadlineNotes
GDPRSupervisory Authority (e.g., ICO in UK)72 hoursPersonal data of EU residents; also notify affected individuals "without undue delay" if high risk
HIPAAHHS Office for Civil Rights + affected individuals60 daysPHI breach; >500 individuals also requires media notice in affected state
PCI-DSSCard brands (Visa, Mastercard) + acquiring bankImmediatelyUpon reasonable suspicion; also notify affected cardholders
India DPDP ActData Protection Board of IndiaASAP (rules pending)Digital Personal Data Protection Act 2023; breach notification rules being finalized
Interview Q&A · ~20 min · 20 Questions

Interview Questions & Model Answers

1What are the unique challenges of incident response in cloud environments?Medium
Cloud IR differs from traditional IR in several key ways:
  • No physical access: Cannot pull a hard drive; must use API calls (EBS snapshot, SSM Run Command)
  • Ephemeral resources: Auto-scaled instances may terminate automatically before evidence is collected
  • Shared infrastructure: CSP manages hypervisor/hardware — no visibility below the virtualization layer
  • Multi-region/jurisdiction: Data may be stored in multiple countries with different legal frameworks
  • Log availability windows: CloudTrail defaults to 90 days; not configuring longer retention causes evidence loss
  • Dynamic perimeter: No single network boundary — attackers may pivot across cloud accounts, regions, services
  • Identity complexity: IAM roles, temporary credentials, cross-account access make attacker path reconstruction difficult
💡 Lead your answer with the ephemeral resource problem — it's cloud-unique and shows depth.
2How do you contain a compromised EC2 instance without destroying evidence?Hard
Containment sequence (preserve → isolate — in that order):
  1. Take EBS snapshot: aws ec2 create-snapshot --volume-id vol-xxx — point-in-time disk copy before any changes
  2. Capture memory (optional, if time allows): Use AWS SSM Run Command to execute memory acquisition tool (LiME, AvDump)
  3. Apply quarantine Security Group: Create a new SG with no inbound or outbound rules (block all), attach to the instance
  4. Disable IAM role (if instance has one): Detach or restrict the instance profile's permissions
  5. Preserve network flow logs: Ensure VPC Flow Logs are enabled and being captured to S3
  6. DO NOT terminate: Termination destroys instance store volumes and makes memory evidence unrecoverable
💡 The quarantine SG approach is equivalent to unplugging the network cable in traditional IR, but without terminating the OS or losing memory.
3How do you respond to a compromised IAM access key?Hard
Immediate response (first 15 minutes):
  1. Disable the access key immediately: aws iam update-access-key --access-key-id AKIA... --status Inactive — disabling is safer than deleting (preserves for investigation)
  2. Revoke active STS sessions: Attach an IAM policy to the user/role that explicitly denies all actions with a condition (aws:TokenIssueTime) to invalidate tokens issued before now
  3. Review CloudTrail: Query all actions taken with the compromised key — what was accessed, created, deleted?
  4. Check for persistence: Look for new IAM users created, new keys created, new roles, Lambda functions, EC2 instances, S3 bucket policies modified
  5. Determine blast radius: What permissions did this key have? What data could have been accessed?
  6. Generate new credentials for legitimate users once old key is confirmed disabled
  7. Notify: Legal, compliance, management — determine if reportable breach occurred
💡 The most common post-compromise action by attackers: CreateUser, CreateAccessKey, AttachUserPolicy — check these in CloudTrail first.
4What logs should you immediately preserve when a cloud breach is detected?Medium
Priority order of log preservation (most time-sensitive first):
  • CloudTrail management events: API call history — who did what, when, from where. Copy to a dedicated forensic S3 bucket with Object Lock (WORM)
  • CloudTrail data events: S3 object-level access, Lambda invocations — may need to be enabled if not already
  • VPC Flow Logs: Network traffic metadata (src IP, dst IP, port, protocol, accept/reject)
  • CloudWatch Logs / Application logs: Export to S3 immediately if rotation window is short
  • GuardDuty findings: Export finding history; GuardDuty findings expire after 90 days
  • IAM Access Analyzer findings: Any external access detected
  • EBS snapshots: Disk state of affected instances before termination
Enable CloudTrail log file validation (SHA-256 hashing) to ensure integrity.
💡 Enable Object Lock (WORM) on your forensic S3 bucket immediately — this makes logs tamper-proof and legally defensible.
5What is AWS Detective and how does it help with IR?Medium
AWS Detective is a managed security investigation service that automatically collects and processes log data (GuardDuty findings, CloudTrail, VPC Flow Logs) and builds a graph model of entity relationships and activity patterns.

Key capabilities:
  • Entity profiles: Shows all activity for an IAM user, IP address, EC2 instance, or S3 bucket — including historical baseline comparisons
  • Finding groups: Automatically clusters related findings into potential attack chains
  • Visualizations: Interactive graphs showing relationships (IP → IAM role → EC2 → S3) that would take hours to manually correlate
  • Time-range investigation: Replay activity during the incident window
Workflow: GuardDuty alerts → click "Investigate in Detective" → immediate behavioral context without manual log querying.
💡 AWS Detective reduces MTTR by allowing analysts to investigate context in minutes rather than hours of CloudTrail SQL queries. Mention it whenever AWS IR is discussed.
6How does cloud forensics differ from traditional digital forensics?Medium
AspectTraditional ForensicsCloud Forensics
Evidence acquisitionPhysical disk imaging (dd, FTK)EBS/disk snapshots via API; no direct hardware access
Memory captureDirect RAM dumpSSM Run Command; limited — hypervisor layer not accessible
Chain of custodyPhysical evidence bagDigital chain: snapshot metadata, IAM activity logs, hash verification
VolatilityRAM → Disk → BackupRAM → Instance store → EBS → S3 → CloudTrail
JurisdictionLocal courtsCross-border legal frameworks (MLAT, EU-US data transfers)
IsolationPull network cableModify Security Group / Network ACL / routing table
💡 Cloud forensics is still maturing — CSA has a cloud forensics working group; NIST SP 800-201 is the emerging cloud forensics guidance document.
7What is the chain of custody in cloud forensics?Hard
Chain of custody in cloud forensics is the documented trail proving that evidence has not been tampered with from collection through legal proceedings.

Cloud-specific implementation:
  • EBS Snapshots: Record snapshot ID, volume ID, timestamp, account ID, and MD5/SHA hash of snapshot contents
  • CloudTrail log integrity: Enable log file validation — each log file gets a SHA-256 digest signed by AWS. AWS provides an API to verify integrity
  • S3 Object Lock (WORM): Prevents log files from being modified or deleted during the investigation window
  • Access controls: Only the forensic IAM role can access evidence; all access logged in CloudTrail
  • Documentation: Record who collected what, when, using which API call, what hash values were verified
💡 In court or regulatory proceedings, you must prove evidence integrity. Cloud enables this via cryptographic log validation rather than physical seals.
8How do you investigate a suspected S3 data exfiltration?Hard
Investigation workflow:
  1. Enable S3 data events in CloudTrail (if not already) — GetObject, PutObject, DeleteObject calls are not logged by default
  2. Query CloudTrail: Filter for GetObject events on the target bucket → look for unusual volumes, external IP addresses, unusual user agents (curl, boto3 from unexpected source)
  3. Check S3 Server Access Logs: Provide requester IP, HTTP status, bytes transferred — useful if CloudTrail data events weren't enabled
  4. Identify the source: Was it an IAM user, role, federated identity? Cross-account access? Public access?
  5. Check GuardDuty: S3-related findings: S3/MaliciousIPCaller, S3/PolicyGrantedPublicAccess, S3/DataExfiltration
  6. Determine what was accessed: Object names, sizes, timestamps — calculate total data volume exfiltrated
  7. Preserve evidence: Export CloudTrail logs to forensic bucket with Object Lock
💡 S3 data events must be explicitly enabled — many organizations only enable management events. This is a critical IR preparation gap to highlight in interviews.
9What is a quarantine Security Group in AWS IR?Easy
A quarantine Security Group is a pre-created AWS Security Group with no inbound rules and no outbound rules — effectively blocking all network traffic to/from an EC2 instance while leaving it running for forensic investigation.

IR procedure:
  1. Pre-create a quarantine SG named sg-quarantine-YYYYMMDD with no rules
  2. Take EBS snapshot first
  3. Detach all existing Security Groups from the compromised instance
  4. Attach the quarantine SG only
  5. Instance remains running — memory preserved, process list accessible via SSM — but all network access blocked
This is the cloud equivalent of pulling a server's network cable while keeping it powered on for memory acquisition.
💡 Pre-create the quarantine SG before any incident — it's part of Preparation. Having it ready reduces MTTR during an actual incident.
10How do you take a forensic snapshot of an EBS volume?Easy
Steps for forensic EBS snapshot:
  1. Identify the volume ID of the compromised instance: aws ec2 describe-instances --instance-ids i-xxx
  2. Create snapshot: aws ec2 create-snapshot --volume-id vol-xxx --description "Forensic-IR-2026-07-15"
  3. Record the snapshot ID, creation time, and verify it is in the same region/account
  4. Share snapshot with forensic account (separate AWS account for investigation): aws ec2 modify-snapshot-attribute --snapshot-id snap-xxx --attribute createVolumePermission --operation-type add --user-ids FORENSIC_ACCOUNT_ID
  5. In the forensic account, create a new EBS volume from the snapshot
  6. Mount the volume READ-ONLY to a forensic EC2 instance (to prevent modifications)
  7. Hash the volume: md5sum /dev/xvdf — record hash for chain of custody
💡 Snapshots are block-level, point-in-time copies. They preserve everything including deleted file remnants (until overwritten) — equivalent to a forensic disk image.
11What CloudTrail events indicate an IAM credential compromise?Hard
High-confidence indicators:
  • ConsoleLoginSuccess from an unknown/foreign IP, TOR exit node, or at unusual hours
  • CreateLoginProfile — attacker adding console access to an API-only user
  • UpdateLoginProfile — changing password for a compromised account
  • CreateAccessKey — creating new API keys for persistence
  • AttachUserPolicy with AdministratorAccess — privilege escalation
  • CreateUser + AttachUserPolicy — creating backdoor admin account
  • StopLogging on a CloudTrail trail — attacker attempting to cover tracks
  • DeleteTrail or UpdateTrail — disabling or redirecting logging
  • GetSecretValue from unexpected IP — credential harvesting from Secrets Manager
💡 Build CloudWatch Alarms or Sentinel analytic rules for each of these events — especially StopLogging and CreateLoginProfile. These are in the CIS AWS Benchmark Level 1 controls.
12What is the NIST SP 800-61 IR framework and how is it adapted for cloud?Medium
NIST SP 800-61 (Computer Security Incident Handling Guide) defines four phases:
  1. Preparation: Policies, tools, team training, contact lists
  2. Detection & Analysis: Alert triage, scope determination, severity classification
  3. Containment, Eradication & Recovery: Stop spread, remove cause, restore operations
  4. Post-Incident Activity: Lessons learned, process improvement, reporting
Cloud adaptations:
  • Preparation: Pre-create quarantine SGs, forensic accounts, IR runbooks per cloud service (EC2, S3, Lambda, IAM)
  • Detection: CloudTrail + GuardDuty + SIEM replace on-prem log sources
  • Containment: API-driven isolation (SG, IAM disable, STS revocation) replace physical isolation
  • Eradication: Immutable infrastructure — deploy clean AMI rather than cleaning infected OS
💡 Also reference NIST SP 800-61 Rev 3 (2024) which explicitly addresses cloud environments.
13What are the regulatory notification timelines for a data breach?Medium
  • GDPR: 72 hours to supervisory authority (ICO in UK, CNIL in France); individuals notified "without undue delay" if high risk
  • HIPAA Breach Notification Rule: 60 days to HHS; media notice if >500 individuals in a state; individuals notified within 60 days
  • PCI-DSS: Immediately upon reasonable suspicion to card brands (Visa, Mastercard) and acquiring bank
  • India DPDP Act 2023: Notification rules being finalized — breach notification to Data Protection Board
  • US State laws (e.g., California CCPA): "Expedient" notification, typically interpreted as 30–45 days
💡 The 72-hour GDPR clock starts from when the organization becomes aware, not from when the breach occurred. Document discovery timestamps precisely.
14How do you collect volatile evidence from a running EC2 instance?Hard
Using AWS Systems Manager (SSM) Run Command (no need to SSH, works even with quarantine SG if SSM endpoint accessible):

Volatile evidence collection order (most to least volatile):
  1. Running processes: ps auxww, top -bn1
  2. Network connections: netstat -anp, ss -anp
  3. Open files: lsof
  4. Logged-in users: who, w, last
  5. Environment variables: env
  6. Bash history: cat ~/.bash_history, /var/log/auth.log
  7. Memory dump (if tool installed): LiME module for Linux kernel memory acquisition
Store output to S3 via SSM Run Command with --output-s3-bucket-name parameter.
💡 SSM Run Command is key for cloud-native forensic collection — it doesn't require SSH access and works through the EC2 control plane. Pre-install SSM Agent on all instances.
15What is an IR runbook for cloud?Easy
An IR runbook (or playbook) is a documented, step-by-step procedure for responding to a specific type of incident. Cloud IR runbooks are service-specific.

Example runbooks by scenario:
  • Compromised IAM access key: Disable key → audit CloudTrail → revoke STS → assess blast radius → notify
  • Public S3 bucket with PII: Block public access → audit access logs → notify DPO → assess GDPR obligation
  • Ransomware on EC2: Quarantine SG → snapshot → identify IOC → restore from AMI → patch
  • GuardDuty CryptoCurrency finding: Isolate instance → identify C2 destination → block in SG → terminate and redeploy
Runbooks should include: detection signals, severity, escalation path, specific AWS CLI/API commands, evidence preservation steps, notification requirements.
💡 AWS provides sample IR runbooks in their Security Incident Response Guide. Reference this in interviews for credibility.
16How would you investigate a Kubernetes cluster breach?Hard
K8s breach investigation sources:
  • K8s Audit Logs: API server logs — all kubectl/API calls with user, timestamp, resource, verb. Must be enabled explicitly (disabled by default in some distributions)
  • Falco alerts: Runtime security tool using eBPF — flags suspicious syscalls (spawning shell in container, reading /etc/shadow, writing to /proc)
  • Container runtime logs: Docker/containerd logs; inspect with kubectl logs pod-name
  • Network policies: Review for unauthorized east-west traffic between pods
  • etcd: K8s Secrets stored in etcd — check if encrypted at rest; look for unauthorized reads
Common breach scenarios:
  • Compromised service account with cluster-admin binding → kubectl get clusterrolebindings
  • Container escape via privileged pod → check for host path mounts, privileged: true
  • Malicious admission webhook → intercepts all pod creations
💡 K8s audit logs are critical but often not enabled — mention this as an IR preparedness gap. EKS Audit Logs sent to CloudWatch; AKS to Azure Monitor.
17What is a forensic account in AWS?Medium
A forensic account is a dedicated, isolated AWS account used exclusively for incident response investigations. It is pre-provisioned with:
  • Forensic IAM role: Minimal permissions — accept EBS snapshot sharing, create volumes, launch forensic EC2 instances, read CloudTrail from the forensic S3 bucket
  • Forensic EC2 instances: Pre-built with forensic tools (Autopsy, Volatility, Sleuth Kit, disk analysis tools)
  • Immutable S3 bucket: Object Lock enabled for evidence preservation
  • Cross-account trust: Allows sharing EBS snapshots from production accounts without compromising production environment
  • Isolated networking: No peering to production VPCs — forensic work done in complete isolation
Benefits: Maintains integrity of forensic environment, prevents contamination of production, provides clean evidence handling.
💡 AWS Organizations makes this easy — include the forensic account in your organization but with an SCP preventing any changes to forensic controls.
18How does Azure Sentinel support cloud incident investigation?Medium
Microsoft Sentinel provides several IR capabilities:
  • Incidents: Correlates alerts into incidents with full entity context (user, IP, device, cloud resource)
  • Investigation graph: Visual interactive graph showing entity relationships and timeline — similar to AWS Detective
  • Jupyter Notebooks: Pre-built IR notebooks (MSTIC provides investigation playbooks) that combine KQL queries with Python ML analysis
  • Playbooks (Logic Apps): Automated SOAR responses triggered on incidents — disable user in Entra ID, block IP in firewall, create Jira ticket
  • Threat Intelligence: STIX/TAXII feed integration; Microsoft's own threat intel; TI-based correlation rules
  • UEBA: ML-built baselines per user and entity; anomaly scoring integrated into investigation
  • Multi-cloud: Ingests AWS CloudTrail, GCP logs, Salesforce, GitHub — unified investigation across cloud providers
💡 Sentinel's investigation graph is particularly useful for Azure-heavy environments — it automatically links Entra ID sign-ins to Azure resource activity to alert findings.
19What is the Post-Incident Activity phase and what should it produce?Easy
Post-Incident Activity (lessons learned) is the final NIST IR phase, conducted within 2 weeks of incident resolution.

Key outputs:
  • Lessons-Learned Report: What happened? What was the root cause? How was it detected? How was it contained? What was the impact? What could have been done faster?
  • Timeline reconstruction: Precise chronology from initial compromise to containment — measured in minutes/hours
  • Metrics update: Updated MTTD, MTTR; number of records affected; cost estimate
  • Control improvements: What security controls failed or were missing? New detections to add to SIEM?
  • Playbook updates: Update IR runbooks based on lessons learned
  • Regulatory notification: Submit breach notification to relevant authorities (GDPR 72hr, HIPAA 60d)
  • Executive summary: Non-technical summary for board/management
💡 The lessons-learned meeting should be blameless — focus on process improvement, not individual blame. This encourages honest reporting and systemic fixes.
20How do you reconstruct an attacker's timeline from CloudTrail logs?Hard
CloudTrail timeline reconstruction methodology:
  1. Identify the anchor event: Start from the GuardDuty finding or first suspicious event — note the eventTime and source IP/identity
  2. Pivot on the identity: Query CloudTrail for all events by the compromised user/role ARN in the time window surrounding the anchor
  3. Pivot on the source IP: Query for all events from the attacker's source IP(s) — may reveal lateral movement or reconnaissance
  4. Expand time window: Look backwards for initial access; look forward for post-exploitation actions
  5. Map to attack phases: Plot events against MITRE ATT&CK tactics — initial access → execution → persistence → privilege escalation → lateral movement → exfiltration
  6. Use AWS Detective: Automates relationship mapping and timeline visualization
  7. CloudTrail Lake SQL: Write SQL queries for complex correlations across multiple API event types
💡 CloudTrail uses UTC timestamps. Normalize all timestamps before building a timeline. Store findings in a shared spreadsheet with columns: Time (UTC), Event, Service, Actor, Source IP, Assessment.

MCQ Quiz · ~15 min · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1 · IR Phases

IR Phase Action Router

Assign each IR action to the correct NIST incident response phase.

Simulation 2 · CloudTrail Analysis

CloudTrail Evidence Identifier

Read each CloudTrail event and identify what attacker action it indicates.

Simulation 3 · Response Planning

Breach Response Planner

For each breach scenario, select the 3 correct immediate response steps. Incorrect steps may cause evidence loss or escalate the incident.

Simulation 4 · Regulatory Compliance

Regulatory Notification Timer

Select the correct breach notification deadline for each scenario.

🎉 Module 10 Complete! You've covered cloud IR lifecycle, CloudTrail forensics, evidence preservation, and regulatory notification requirements.