Level 300: Incident Response Playbook with Jupyter - AWS IAM
- Ben Potter, Security Lead, Well-Architected
- Byron Pogson, Solutions Architect, AWS
1.1 Install Python and Modules
Python 3 and a number of Python modules are required.
After installing Python, install the required packages by running the following command in your command line or terminal:
pip install boto3 pandas jupyter
1.2 Install the AWS CLI
The AWS CLI is not used directly by this lab; however, it makes configuring the AWS IAM credentials easier, and it is useful for testing and general use.
- Install AWS CLI:
- Install the AWS CLI on macOS
- Install the AWS CLI on Linux
- Install the AWS CLI on Windows
- In your command line or terminal, run aws configure to configure your credentials. Note that the user will require access to the IAM service.
A best practice is to enforce the use of MFA, so that if your AWS Management Console password and/or access key and secret key are lost or stolen, they cannot be used without your MFA device. You can follow the AWS CLI documentation to configure the AWS CLI to assume a role that requires MFA.
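As an added example of that configuration (not part of the lab's own files), the two AWS CLI files below hold the IAM user's long-term keys in a source profile and define a second profile that assumes an incident-responder role and prompts for an MFA code. The account ID 123456789012, the role name, the MFA device name, the profile name ir-analyst and the region are placeholders; the access key pair is the documented AWS example pair, not a real credential.

```ini
# ~/.aws/credentials: long-term keys of the IAM user (example values, not real keys)
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# ~/.aws/config: profile that assumes the responder role and requires an MFA code.
# Account ID, role name, MFA device name, profile name and region are placeholders.
[profile ir-analyst]
role_arn = arn:aws:iam::123456789012:role/IncidentResponder
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/ben
region = us-east-1
```

With this in place, aws sts get-caller-identity --profile ir-analyst prompts for the MFA code and caches the temporary role credentials, and the notebook's boto3 session uses the same profile when Jupyter is started with AWS_PROFILE=ir-analyst. The mfa_serial setting only makes the client send a code: MFA is actually enforced only if the role's trust policy carries a Condition requiring aws:MultiFactorAuthPresent to be true, so verify that policy rather than relying on the CLI setting alone.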
2.1 Download Playbook and Helper
2.2 Run the Playbook
- In your command line or terminal, change directory to where you downloaded or cloned the notebook and helper.
- Run jupyter notebook to start the local web server and connect to the URL printed in the console (look for the line beginning "The Jupyter Notebook is running at:"); a web browser may open automatically at the correct URL.
- Click on the Incident_Response_Playbook_AWS_IAM.ipynb file to open the playbook.
- Follow the instructions in the playbook.
- Analyze logs centrally: Amazon CloudWatch Logs is used to monitor, store, and access your log files, so you can analyze your logs centrally.
- Automate alerting on key indicators: AWS CloudTrail, AWS Config, Amazon GuardDuty and Amazon VPC Flow Logs provide insights into your environment.
- Implement new security services and features: new features such as Amazon VPC Flow Logs have been adopted.
- Implement managed services: managed services are used to increase your visibility into, and control of, your environment.
- Identify tooling: using the AWS Management Console and/or the AWS CLI with prepared scripts will assist in your investigations.
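The playbook pulls CloudTrail activity for a suspect IAM principal into a notebook and looks for key indicators. The added example below (not the lab's playbook code, which uses boto3 and pandas against live data) shows that triage logic over constructed CloudTrail records using only the Python standard library, so it runs offline. The record field names (eventTime, eventName, userIdentity.userName, sourceIPAddress, requestParameters, errorCode, responseElements.ConsoleLogin) are the real CloudTrail fields; the events, the user names, the baseline IP list and the failed-login threshold are constructed for illustration.

```python
"""Triage constructed CloudTrail records for signs of IAM credential misuse.

Added example, not the lab's playbook code. Field names are real CloudTrail
record fields; the records, users, baseline IPs and threshold are constructed.
"""
import json
from collections import defaultdict

# IAM and CloudTrail calls that change who can do what, or blind the
# investigator; each one is worth a finding even when it was denied.
PRIVILEGE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "AddUserToGroup", "DeactivateMFADevice", "DeleteVirtualMFADevice",
    "StopLogging", "DeleteTrail", "UpdateTrail",
}
FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value, not from the lab

# Known-good source IPs per user; assumed to come from a baseline you maintain.
BASELINE_IPS = {"alice": {"203.0.113.10"}}

# Constructed CloudTrail records, one JSON object per line (not real log data).
SAMPLE_EVENTS = r"""
{"eventTime":"2020-05-01T09:58:00Z","eventSource":"iam.amazonaws.com","eventName":"ListUsers","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
{"eventTime":"2020-05-01T22:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2020-05-01T22:01:30Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2020-05-01T22:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2020-05-01T22:03:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2020-05-01T22:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","requestParameters":{"userName":"bob"}}
{"eventTime":"2020-05-01T22:06:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2020-05-01T22:07:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.77","requestParameters":{"name":"management-events"},"errorCode":"AccessDenied"}
"""


def parse_events(raw):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def actor(event):
    """Best available name for the principal behind an event."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def find_indicators(events, baseline_ips):
    """Return (eventTime, user, indicator, detail) tuples in time order."""
    findings = []
    seen_ips = set()               # (user, ip) pairs already reported
    failures = defaultdict(list)   # user -> times of failed console logins
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        when, user, ip = ev["eventTime"], actor(ev), ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}

        # Activity from an address outside the user's baseline, reported once per pair.
        if ip not in baseline_ips.get(user, set()) and (user, ip) not in seen_ips:
            seen_ips.add((user, ip))
            findings.append((when, user, "new_source_ip", ip))

        # A successful console login right after failures is a guessing pattern.
        if name == "ConsoleLogin":
            outcome = (ev.get("responseElements") or {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[user].append(when)
            elif outcome == "Success" and failures[user]:
                findings.append((when, user, "console_login_after_failures",
                                 f"{len(failures[user])} failed attempts"))
                failures[user].clear()

        # Privilege or logging changes, including denied attempts (intent matters).
        if name in PRIVILEGE_EVENTS:
            target = params.get("userName") or params.get("roleName") or params.get("name") or "-"
            status = f"denied: {ev['errorCode']}" if ev.get("errorCode") else "succeeded"
            findings.append((when, user, "privilege_change", f"{name} on {target} ({status})"))

    # Failures that never led to a success still matter above the threshold.
    for user, times in failures.items():
        if len(times) >= FAILED_LOGIN_THRESHOLD:
            findings.append((times[-1], user, "failed_console_logins", f"{len(times)} failed attempts"))
    return findings


def actor_summary(events):
    """Per-principal counts and source IPs, the groupby a pandas notebook would show."""
    summary = defaultdict(lambda: {"events": 0, "denied": 0, "source_ips": set()})
    for ev in events:
        row = summary[actor(ev)]
        row["events"] += 1
        row["denied"] += 1 if ev.get("errorCode") else 0
        row["source_ips"].add(ev.get("sourceIPAddress", ""))
    return {u: {**r, "source_ips": sorted(r["source_ips"])} for u, r in summary.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, row in actor_summary(evs).items():
        print(user, row)
    for finding in find_indicators(evs, BASELINE_IPS):
        print(*finding)
```

In the notebook the same logic applies to the records returned by boto3's CloudTrail lookup_events or by a CloudWatch Logs Insights query; the denied StopLogging attempt is kept as a finding on purpose, since an attempt to blind CloudTrail is an indicator whether or not it succeeded.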
References & useful resources
- AWS CLI Command Reference
- AWS Identity and Access Management User Guide
- CloudWatch Logs Insights Query Syntax
Licensed under the Apache 2.0 and MITnoAttr License.
Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.