EC2

Capture metadata, enable termination protection, isolate (replace SG - no outbound traffic), disable ASG / ELB, snapshot EBS for deep analysis (offline), create another EC2 (online)

S3

Identify the bucket using GuardDuty

Identify the source (e.g. IAM role) and API using CloudTrail and Detective

(Block Public Access, bucket policies, user policies, VPC endpoint, pre-signed URL, S3 ACLs)

ECS

Identify the Cluster using GuardDuty

Isolate by denying all ingress/egress traffic to the task using a new security group

RDS

Identify the DB instance using GuardDuty

Restrict network access (security groups & NACLs), rotate passwords using Secrets Manager

IAM Users & Roles

Identify the User using GuardDuty

Rotate password, invalidate temporary credentials with an STS time condition by attaching an explicit Deny policy to the user, check the CloudTrail logs
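
The explicit Deny with a time condition, as an added example that is not part of the original notes: it builds the policy with the `aws:TokenIssueTime` condition key and checks it against constructed request contexts. The function names, the cutoff time and the sample requests are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"

def build_revoke_policy(cutoff: datetime) -> dict:
    """Explicit Deny for requests whose temporary credentials were issued before cutoff."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySessionsIssuedBeforeCutoff",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(ISO)}},
        }],
    }

def is_denied(policy: dict, request_context: dict) -> bool:
    """Local model of the DateLessThan check, for reasoning only (not the IAM engine)."""
    for stmt in policy["Statement"]:
        cutoff = datetime.strptime(stmt["Condition"]["DateLessThan"]["aws:TokenIssueTime"], ISO)
        issued = request_context.get("aws:TokenIssueTime")
        # The key is absent for long-term access keys: the condition is false,
        # so this Deny statement does not apply to them.
        if issued is not None and datetime.strptime(issued, ISO) < cutoff:
            return True
    return False

# Constructed values: the cutoff is the moment the responder attaches the policy.
CUTOFF = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
POLICY = build_revoke_policy(CUTOFF)
SAMPLE_REQUESTS = {
    "session issued before cutoff": {"aws:TokenIssueTime": "2024-05-01T11:40:00Z"},
    "session issued after cutoff": {"aws:TokenIssueTime": "2024-05-01T12:05:00Z"},
    "long-term access key": {},
}

def evaluate_samples() -> dict:
    return {name: is_denied(POLICY, ctx) for name, ctx in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, denied in evaluate_samples().items():
        print(f"{name}: {'DENY' if denied else 'not matched'}")
```

Requests signed with long-term access keys carry no `aws:TokenIssueTime`, so this Deny does not match them; those keys still have to be disabled and rotated separately.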

Account

Disable & rotate KMS Access Keys, IAM user credentials, EC2 keys

Check the CloudTrail logs