Containment Strategy

Can AWS Security Incident Response identify the scope of the security event?

If yes, identify all the resources (users, systems, resources).
If no, investigate in parallel with executing the next step on identified resources.

Can the resource be isolated?

If yes, then proceed to isolate the affected resources.
If no, then work with system owners and managers to determine further actions necessary to contain the problem.

Are all affected resources isolated from non-affected resources?

If yes, then continue to the next step.
If no, then continue to isolate affected resources to complete short-term containment and prevent the event from escalating further.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Staged Containment Approach

System Backup