AWS Detection and Incident Response
Investigate and Contain Attacks in AWS
Take an AWS account you have never seen, pull the right logs, and reconstruct what an attacker did from first access to impact. Built on the evidence AWS actually records, with real query output on the page.
Course overview
AWS Detection and Incident Response teaches you to investigate and respond to attacks in an AWS environment. In AWS there is no disk to image and no packet to capture: almost every action is an API call, and the evidence is the record of those calls in CloudTrail, GuardDuty, VPC Flow Logs, and AWS Config. You learn to read that evidence, query it at scale, and reconstruct an intrusion as a timeline you can defend.
Every module investigates the same fictional company, Northgate Engineering, across its multi-account AWS Organization. You follow one attack chain through the course the way an attacker moves through an environment: identity first, then privilege escalation and persistence, then data and compute, then evasion, and finally the full response. The course runs against a prepared dataset with real query output on the page, so you can practice the entire method without an AWS account. A lab pack stands the environment up in your own account if you want to generate the evidence yourself.
Who this course is for
Anyone who wants to learn AWS detection and incident response. No minimum experience required. Every concept is explained at first use, and experienced practitioners can move quickly through what they already know using the module structure.
What you'll learn
Key course takeaways
Things you need to know
What are the prerequisites?
None. The course teaches AWS detection and response from first principles. A working knowledge of security operations helps you move faster, and familiarity with IAM or SQL is useful, but neither is required. Every service, field, and query is explained at first use.
What tools does this course use?
SQL over CloudTrail for investigation, the same approach you would run in Amazon Athena against a real account. The evidence comes from CloudTrail, GuardDuty, VPC Flow Logs, AWS Config, and S3 access logs. The course uses a built-in query surface so you can run real queries against the prepared evidence with nothing to install.
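As an added illustration of that approach (example query, not course material): an Amazon Athena query over CloudTrail that reconstructs one principal's timeline and tags each call with the phase it most likely belongs to. It assumes a table named cloudtrail_logs created with the standard CloudTrail Athena schema, a placeholder access key ID, and a constructed date window.

```sql
-- Added example, not part of the course. Reconstructs one principal's timeline
-- from CloudTrail in Amazon Athena. Assumes a table `cloudtrail_logs` created
-- with the standard CloudTrail schema (useridentity is a struct, eventtime and
-- readonly are strings). The access key ID and date window are placeholders.
WITH actor AS (
  SELECT
    from_iso8601_timestamp(eventtime) AS ts,
    useridentity.arn                  AS principal_arn,
    useridentity.accesskeyid          AS access_key,
    eventsource,
    eventname,
    awsregion,
    sourceipaddress,
    useragent,
    errorcode,
    readonly,
    recipientaccountid
  FROM cloudtrail_logs
  WHERE useridentity.accesskeyid = 'AKIAEXAMPLEPLACEHOLDER'   -- placeholder key ID
    AND eventtime BETWEEN '2026-06-01T00:00:00Z' AND '2026-06-08T00:00:00Z'
)
SELECT
  ts,
  recipientaccountid AS account,
  awsregion,
  eventname,
  sourceipaddress,
  errorcode,        -- AccessDenied bursts often mark the recon phase
  -- Coarse phase label so the ordered rows read as a narrative
  CASE
    WHEN eventname IN ('GetCallerIdentity', 'ListBuckets', 'ListRoles', 'ListUsers',
                       'DescribeInstances', 'GetAccountAuthorizationDetails') THEN 'recon'
    WHEN eventname IN ('AttachUserPolicy', 'AttachRolePolicy', 'PutUserPolicy',
                       'PutRolePolicy', 'UpdateAssumeRolePolicy', 'AssumeRole') THEN 'privilege'
    WHEN eventname IN ('CreateUser', 'CreateAccessKey', 'CreateLoginProfile',
                       'CreateRole', 'UpdateLoginProfile') THEN 'persistence'
    -- GetObject/CopyObject appear only if S3 data events are enabled on the trail
    WHEN eventname IN ('GetObject', 'CopyObject', 'CreateSnapshot',
                       'ModifySnapshotAttribute', 'GetSecretValue') THEN 'data'
    WHEN eventname IN ('StopLogging', 'DeleteTrail', 'UpdateTrail',
                       'PutEventSelectors', 'DeleteFlowLogs') THEN 'evasion'
    WHEN readonly = 'true' THEN 'read'
    ELSE 'other'
  END AS phase
FROM actor
ORDER BY ts;
```

After an AssumeRole row the attacker's later calls carry a new temporary access key, so continue the timeline by pivoting on the key returned in that event's responseelements, or on useridentity.sessioncontext.sessionissuer.arn for the assumed role.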
Do I need an AWS account?
No. Every investigation runs against a prepared dataset with real query output on the page, so the full method works without an account. If you want to generate the evidence yourself, the lab pack builds the Northgate environment in your own account with infrastructure-as-code and runs the attacks for you. The running cost is small, on the order of a few dollars while the lab is up, and the pack includes a teardown step.
How will this course benefit your career?
Organizations running on AWS need people who can investigate a compromise in the cloud, determine what an attacker reached, contain them, and produce a defensible report. That skill is in short supply, because most security training stops at architecture and never sits the analyst down in front of the logs. This course builds the investigative capability end to end.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy the investigation queries, detection logic, and runbooks in your production environment. You may not redistribute course content or share account credentials.
Fictional environment: All scenarios use Northgate Engineering (NE) and its AWS Organization. Account IDs, resources, and identities are fictional. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 1.0 | Last updated: June 2026
June 2026, v1.0: Course launch. 12 modules across 6 phases, AWS-native throughout. SQL-over-CloudTrail investigation against a prepared multi-account corpus, with the AWS Query Lab for free-run practice.
This course is actively maintained.