Final StretchOrdered learning track

Incident Manager and Operational Response

Learn AWS Security, Monitoring and Management - Part 067

Incident Manager and operational response sebagai sistem respons produksi: response plan, kontak, eskalasi, runbook, evidence, timeline, post-incident learning, dan integrasi CloudWatch/EventBridge/Security Hub.

13 min read2521 words
PrevNext
Lesson 6772 lesson track60–72 Final Stretch
#aws#security#monitoring#management+3 more

Part 067 — Incident Manager and Operational Response

Di bagian sebelumnya kita sudah membangun fleet management plane: Systems Manager, Session Manager, Patch Manager, Inventory, State Manager, dan compliance loop. Semua itu penting, tetapi belum menjawab pertanyaan paling brutal dalam operasi produksi:

Ketika sistem rusak, siapa yang tahu, siapa yang mengambil alih, apa langkah pertama, apa batas wewenangnya, bagaimana bukti dikumpulkan, dan bagaimana kita mencegah insiden yang sama berulang?

Itulah peran incident management.

Bukan sekadar Slack ramai. Bukan sekadar alarm berbunyi. Bukan sekadar on-call bangun malam.

Incident management adalah state machine operasional yang mengubah sinyal rusak menjadi koordinasi, mitigasi, recovery, evidence, dan perbaikan sistemik.

AWS Systems Manager Incident Manager menyediakan primitive untuk itu: response plan, incident record, contacts, engagement plan, escalation plan, runbook, dan integrasi dengan Amazon CloudWatch serta Amazon EventBridge.

Referensi resmi AWS yang relevan:


1. Mental Model: Incident Response Bukan Ticketing

Ticketing menjawab:

Ada pekerjaan apa?
Siapa yang mengerjakan?
Statusnya apa?

Incident response menjawab:

Apa yang sedang rusak?
Seberapa besar dampaknya?
Apakah user terdampak?
Apakah data/security terdampak?
Apa mitigasi tercepat?
Siapa incident commander?
Siapa subject matter expert?
Apa yang sudah dicoba?
Apa bukti perubahan?
Kapan dinyatakan resolved?
Apa perbaikan permanennya?

Incident response bukan daftar tugas. Ia adalah kontrol produksi saat sistem berada di luar kondisi normal.

Cara berpikir yang benar:

alert != incident
finding != incident
error != incident
anomaly != incident

incident = kondisi operasional/security yang membutuhkan koordinasi terstruktur karena dampak, risiko, atau ketidakpastian melebihi kapasitas respons normal satu engineer

Contoh alert yang belum tentu incident:

  • CPU satu instance naik 85% selama 3 menit.
  • Satu Lambda invocation gagal karena input buruk.
  • Satu vulnerability low severity ditemukan.
  • Satu user salah password berkali-kali.

Contoh incident:

  • Checkout gagal untuk 30% user.
  • Latency API critical melewati SLO selama 20 menit.
  • GuardDuty menemukan credential exfiltration signal.
  • Public S3 bucket berisi data confidential ditemukan.
  • KMS key critical dijadwalkan deletion.
  • Patch emergency tidak bisa diterapkan pada production fleet.

Incident response dimulai ketika organisasi butuh mode koordinasi, bukan hanya debugging.


2. Incident sebagai State Machine

Incident yang sehat harus punya state eksplisit. Tanpa state, tim akan masuk ke mode chaos: orang berbeda mengejar asumsi berbeda, aksi remediation saling bertabrakan, dan evidence hilang.

Model minimal:

Yang penting bukan nama state-nya. Yang penting setiap state menjawab:

StatePertanyaan Operasional
Signal receivedSinyal apa yang memicu investigasi?
TriagedApakah ini noise, degraded service, security event, atau major incident?
DeclaredApa severity dan scope awal?
Commander assignedSiapa yang berwenang mengatur respons?
InvestigationHipotesis apa yang sedang diuji?
ContainmentApa yang harus dihentikan agar kerusakan tidak meluas?
MitigationApa langkah tercepat mengurangi dampak user/bisnis?
RecoveryBagaimana mengembalikan sistem ke kondisi aman/stabil?
MonitoringBukti apa yang menunjukkan recovery benar?
ResolvedApa definisi selesai?
Post-incidentApa penyebab sistemik dan perbaikan permanen?

Sistem incident yang buruk biasanya tidak gagal karena kekurangan tool. Ia gagal karena state-nya kabur.


3. Primitive Incident Manager

Incident Manager menyediakan beberapa primitive utama.

PrimitiveFungsi
Response planTemplate respons untuk kelas incident tertentu.
Incident recordRekaman incident aktual.
ContactResponder yang dapat dihubungi.
Contact channelEmail, SMS, voice, atau channel lain sesuai konfigurasi region/fitur.
Engagement planUrutan dan waktu menghubungi contact.
Escalation planRantai eskalasi jika responder awal tidak acknowledge.
RunbookAutomation atau prosedur yang dijalankan saat incident.
Chat/notification integrationKoordinasi responder melalui kanal operasional.

Response plan adalah unit desain paling penting.

Jangan membuat satu response plan generik bernama Production Incident. Itu terlalu luas.

Lebih baik:

response-plan-p1-customer-facing-availability
response-plan-p1-security-credential-compromise
response-plan-p2-payment-degradation
response-plan-p2-data-pipeline-delay
response-plan-p1-backup-restore-failure
response-plan-p1-audit-logging-disabled

Response plan harus merepresentasikan kelas insiden, bukan organisasi chart.


4. Anatomy Response Plan

Response plan minimal harus mengikat lima hal:

trigger class
impact default
responder set
runbook
communication/evidence path

Diagram:

Response plan yang bagus memiliki:

KomponenContoh
Incident title templateP1 Checkout Availability Degradation
Impact/severity defaultImpact 1 untuk customer-facing outage
SummaryTriggered when checkout success rate drops below SLO burn threshold.
ContactsPrimary on-call, secondary, platform SRE, security responder bila perlu.
EscalationPrimary 5 menit, secondary 10 menit, manager 20 menit.
RunbookDiagnose checkout dependency, recent deployment, payment provider, DB saturation.
Tagsservice=checkout, tier=critical, environment=prod.
AutomationSnapshot dashboard links, run diagnostic queries, attach evidence.

Response plan yang buruk:

Name: Critical Incident
Contacts: all-engineers@example.com
Runbook: check logs
Severity: high

Itu bukan response plan. Itu broadcast panic.


5. Severity dan Impact Model

Severity tidak boleh ditentukan dari emosi. Severity harus ditentukan dari dampak.

Contoh model:

SeverityDampakTarget ResponseContoh
SEV-1User/customer critical, data/security critical, revenue/regulatory impact besar5 menitcredential compromise, total outage, data exposure
SEV-2Degradasi besar, workaround terbatas15 menitcheckout error 20%, queue stuck, read-only mode
SEV-3Degradasi terbatas, sebagian user/service1 jamendpoint lambat, batch tertunda
SEV-4Minor, no immediate customer impactbusiness daynon-critical alarm, low-risk drift

Security severity perlu model tambahan karena dampaknya sering belum terlihat.

Contoh security incident severity:

SeverityKondisi
SEC-1Active compromise, data exfiltration, root/member account compromise, audit tampering.
SEC-2Confirmed high-risk exposure, leaked credential with access, public confidential data exposure.
SEC-3Suspicious behavior but not confirmed, exploitable vulnerability on critical asset.
SEC-4Policy violation, low-risk misconfiguration, stale access.

Rule penting:

Ketika uncertainty tinggi dan blast radius belum jelas, naikkan severity sementara.
Turunkan setelah bukti cukup.

Salah satu kegagalan klasik incident response adalah terlalu lama memperdebatkan severity saat containment seharusnya sudah berjalan.


6. Incident Commander Model

Pada insiden besar, orang paling senior secara teknis belum tentu harus menjadi incident commander.

Incident commander bertugas:

menjaga timeline
menetapkan prioritas
mengatur komunikasi
mencegah parallel chaos
meminta owner hipotesis
membuat keputusan eskalasi
menjaga evidence
menentukan resolved criteria

Subject matter expert bertugas:

menganalisis domain teknis
menjalankan diagnosis
mengusulkan mitigasi
mengeksekusi perubahan teknis sesuai otorisasi

Security responder bertugas:

menilai indikasi compromise
menjaga chain of custody evidence
menentukan containment boundary
mencegah destruction of evidence
mengatur credential/key/session revocation

Peran lain:

RoleTanggung Jawab
Incident CommanderKoordinasi, prioritas, state, keputusan.
Operations LeadEksekusi operasional, rollback, scaling, failover.
Security LeadThreat containment, evidence, access revocation.
Communications LeadInternal/external update, stakeholder brief.
ScribeTimeline, action log, decision log.
Customer/Business LiaisonDampak bisnis, prioritas pelanggan, regulatory concern.

Untuk organisasi kecil, satu orang bisa memegang beberapa peran. Namun perannya tetap harus eksplisit.


7. Trigger: CloudWatch Alarm, EventBridge, Security Hub, Manual

Incident bisa dipicu dari beberapa sumber.

Trigger pattern:

SourceCocok Untuk
CloudWatch AlarmAvailability, latency, error, saturation, SLO burn.
EventBridgeSecurity findings, compliance drift, account events, automation failures.
Security HubCorrelated security posture/threat findings.
GuardDutyThreat signal dan suspicious activity.
AWS ConfigCritical non-compliance, audit logging disabled, public exposure.
ManualCustomer report, support escalation, unknown failure, war-room declaration.

Jangan semua alarm otomatis menjadi incident.

Gunakan filter:

signal quality
business criticality
duration
blast radius
confidence
security implication
correlation with other signals

Contoh bagus:

CloudWatch composite alarm:
- checkout availability SLO burn > threshold
- AND request volume above minimum
- AND dependency health degraded
=> create Incident Manager incident

Contoh buruk:

CPU > 80% for 1 minute => SEV-1 incident

Alarm harus cukup tajam agar incident tidak menjadi noise.


8. Runbook: Manual, Automated, atau Hybrid

Runbook bukan dokumen panjang yang dibuka sekali setahun.

Runbook adalah program respons.

Ada tiga jenis:

JenisKarakter
Manual runbookLangkah manusia, cocok untuk judgment-heavy incident.
Automated runbookSystems Manager Automation/Step Functions menjalankan prosedur.
Hybrid runbookAutomation mengumpulkan evidence, manusia mengambil keputusan.

Pola terbaik biasanya hybrid.

Contoh untuk incident API latency:

1. Collect dashboard snapshot.
2. Query recent deployment events.
3. Query top 5xx endpoints.
4. Query dependency error rate.
5. Check autoscaling capacity.
6. Check recent config changes.
7. Suggest mitigation candidates.
8. Human approves rollback/failover/scale-out.

Untuk security incident:

1. Freeze evidence.
2. Capture CloudTrail events for principal/resource.
3. Capture GuardDuty/Security Hub related findings.
4. Disable suspected access key if confirmed high-risk.
5. Quarantine compute resource if active compromise.
6. Rotate secrets/keys if exposure likely.
7. Verify no audit service tampering.
8. Human confirms containment scope.

Jangan membuat automation yang langsung menghancurkan evidence.

Contoh berbahaya:

GuardDuty finding -> terminate EC2 immediately

Lebih aman:

GuardDuty high severity EC2 compromise
-> isolate security group
-> detach risky IAM role if allowed by runbook
-> snapshot volume if forensic policy permits
-> preserve CloudTrail/Flow Logs
-> notify incident commander

9. Evidence First, Fix Second? Tidak Selalu

Ada ketegangan antara forensic evidence dan mitigasi cepat.

Untuk availability incident, biasanya mitigasi cepat menang:

rollback
scale out
disable feature flag
failover
restore traffic

Untuk security incident, evidence preservation sering penting:

jangan terminate instance sebelum snapshot/memory capture jika forensik diperlukan
jangan delete IAM role sebelum CloudTrail/Access Analyzer context dicatat
jangan rotate semua secret tanpa memahami blast radius dependency

Namun jika active harm berlangsung, containment tetap prioritas.

Decision matrix:

KondisiPrioritas
User-facing outageMitigate first, collect enough evidence in parallel.
Suspected data exfiltration activeContain first, preserve evidence as much as possible.
Credential confirmed leakedRevoke/disable first, then reconstruct activity.
Malware on non-critical instanceIsolate, snapshot, investigate.
Audit logging disabledRe-enable/protect logging immediately, investigate tampering.

Invariant:

Jangan membiarkan kerusakan aktif berlanjut demi evidence sempurna.
Jangan menghancurkan evidence tanpa alasan mitigasi yang jelas.

10. Timeline dan Decision Log

Setiap incident harus punya timeline.

Minimal:

T+00 signal received
T+03 triaged as SEV-2
T+05 incident commander assigned
T+07 hypothesis: recent deployment caused error spike
T+10 rollback approved
T+13 rollback started
T+18 error rate dropping
T+25 SLO back within threshold
T+40 monitoring stable
T+55 resolved

Decision log lebih penting daripada action log.

Action log:

Ran rollback.
Restarted workers.
Changed config.

Decision log:

Rollback chosen over scale-out because saturation was not present and error started immediately after deployment v2026.07.06.3.

Post-incident review butuh decision log untuk memahami reasoning. Tanpa decision log, review berubah menjadi debat memori.


11. Integrasi dengan Security Finding Lifecycle

Dari Part 046, kita sudah punya lifecycle finding.

Incident response memakai finding sebagai input, tetapi incident bukan finding.

Contoh:

FindingMenjadi Incident?Alasan
S3 bucket public tetapi kosongMungkin tidakPerlu remediation, belum tentu incident.
S3 bucket public berisi PIIYaData exposure risk tinggi.
GuardDuty low severity port scanTidak selaluBisa menjadi detection record.
GuardDuty credential exfiltrationYaPotential account compromise.
Inspector critical CVE pada sandboxTidak selaluSLA remediation cukup.
Inspector critical CVE exploited in wild pada prod internet-facingMungkin yaExposure + exploitability + criticality.

Security Hub/EventBridge dapat routing finding ke response plan tertentu.

Pattern:

Security Hub ASFF finding
-> EventBridge rule by ProductName/Severity/ResourceTag
-> Lambda enrichment
-> decision: create incident or create ticket
-> Incident Manager response plan

12. Incident Classes untuk AWS Environment

Production AWS environment sebaiknya punya response plan untuk kelas insiden berikut.

12.1 Availability Incident

Trigger:

SLO burn rate high
5xx spike
latency p95/p99 breach
health check failure
dependency unavailable

Responder:

service owner
platform/SRE
database owner if dependency signal indicates DB
network owner if connectivity signal indicates network path

Runbook:

recent deploy check
dependency health check
capacity/saturation check
rollback/failover path
customer impact estimate

12.2 Security Credential Incident

Trigger:

GuardDuty credential exfiltration finding
CloudTrail impossible travel-like context
access key used from unusual ASN/country
root user usage
unexpected AssumeRole into prod

Responder:

security responder
IAM/platform owner
affected workload owner
incident commander

Runbook:

identify principal
capture CloudTrail window
disable/rotate credential
review privilege and resource touched
check persistence attempts
verify logging integrity

12.3 Data Exposure Incident

Trigger:

Macie high severity sensitive data finding on public/shared S3
S3 Block Public Access disabled on sensitive bucket
unexpected cross-account resource policy

Runbook:

freeze access state
capture bucket policy and ACL
identify object scope
block public access
review CloudTrail data events if enabled
notify privacy/legal if required

12.4 Audit Tampering Incident

Trigger:

CloudTrail stopped/deleted
Config recorder stopped
Log archive bucket policy changed
KMS key for logs scheduled deletion
Security Hub/GuardDuty disabled

Runbook:

restore audit control
identify actor
preserve event trail
review SCP/RCP gaps
rotate/admin review if privileged actor involved

12.5 Backup Recovery Incident

Trigger:

backup job failure on critical resource
restore testing failure
vault lock misconfiguration
unexpected delete recovery point attempt
cross-account copy failure

Runbook:

identify affected resource class
check last successful backup
check restore viability
trigger manual backup/copy if safe
escalate to data owner

13. On-Call Design

Incident Manager bisa menghubungi contact dan escalation plan, tetapi organisasi tetap harus mendesain on-call dengan sehat.

Anti-pattern:

semua engineer masuk semua incident
primary on-call tidak punya authority
runbook tidak ada
escalation hanya nama manager
on-call tidak pernah drill
postmortem selalu mencari siapa salah

Desain yang lebih baik:

service ownership jelas
primary/secondary rotation
escalation by capability, not hierarchy only
incident commander pool
security incident responder pool
platform escalation path
clear handoff across timezone

Checklist on-call:

AreaPertanyaan
AuthorityBoleh rollback? Boleh disable feature? Boleh isolate instance?
AccessApakah akses emergency tersedia dan auditable?
RunbookApakah langkah awal jelas dalam 5 menit pertama?
ObservabilityApakah dashboard/query tersedia?
EscalationSiapa dipanggil jika tidak bisa mitigate?
SafetyApa aksi yang dilarang tanpa approval?

On-call tanpa authority adalah pager theater.


14. First 15 Minutes Protocol

Incident yang kacau sering gagal di 15 menit pertama.

Protocol sederhana:

Minute 0-3:
- acknowledge signal
- create/confirm incident record
- assign incident commander

Minute 3-7:
- classify severity
- define impact hypothesis
- identify current customer/security risk
- start timeline

Minute 7-12:
- assign investigation owners
- collect first evidence pack
- decide mitigation vs containment path

Minute 12-15:
- publish first internal update
- engage required SME/security/platform owner
- define next checkpoint time

Template first update:

Status: Investigating SEV-2 checkout degradation.
Impact: ~18% checkout requests failing in ap-southeast-1 since 10:42 UTC.
Known: Error increase started after deployment v2026.07.06.3.
Unknown: Whether payment dependency is contributing.
Actions: Deployment owner checking rollback readiness; platform checking ALB/target health; DB owner checking saturation.
Next update: 15 minutes.

Update yang buruk:

We are looking into it.

Itu tidak memberi informasi decision-grade.


15. Communication Cadence

Komunikasi incident harus predictable.

SeverityInternal UpdateExternal/Stakeholder Update
SEV-110–15 menit15–30 menit tergantung policy
SEV-215–30 menit30–60 menit jika customer impact
SEV-330–60 menitbila relevan
Security SEC-1sesuai legal/security protocoljangan improvisasi tanpa approval

Format update:

Current status
Impact
What changed since last update
Actions in progress
Risks/unknowns
Next update time

Security update harus hati-hati. Jangan menyimpulkan data breach sebelum evidence cukup. Jangan juga menunda containment karena takut menulis update.


16. AWS-Native Incident Evidence Pack

Untuk AWS incident, buat evidence pack standar.

Availability Evidence Pack

CloudWatch dashboard snapshot
relevant alarms and state transitions
Application Signals service/dependency view
X-Ray trace samples
CloudWatch Logs Insights query outputs
recent deployment/change events
autoscaling events
ELB/API Gateway/Lambda/ECS metrics

Security Evidence Pack

Security Hub finding JSON/ASFF
GuardDuty finding details
CloudTrail events around actor/resource/time window
IAM principal policy snapshot
resource policy snapshot
Config item timeline
VPC Flow Logs sample if network relevant
Macie finding if data relevant
KMS key policy and usage events if encryption relevant

Management/Fleet Evidence Pack

SSM command history
Automation execution
Patch compliance state
Inventory facts
State Manager association status
Session Manager logs if access-related

Evidence pack harus bisa dibuat sebagian otomatis.


17. Runbook Pattern: Security Credential Compromise

Contoh high-level runbook:

Langkah detail:

1. Record finding ID, account, region, principal, resource.
2. Pull CloudTrail events for principal ±24 hours.
3. Identify access type: IAM user key, assumed role, federated session, workload role.
4. Determine source IP/ASN/user agent pattern.
5. Check actions performed: IAM, STS, S3, KMS, EC2, Secrets Manager, CloudTrail, Organizations.
6. Disable or rotate credential according to blast radius.
7. Revoke temporary access path if possible by changing trust/policy/session controls.
8. Search for persistence: new users, access keys, roles, policies, login profiles, backdoor resource policies.
9. Check data access: S3 data events, Macie scope, KMS decrypt events where available.
10. Verify security services are still enabled.
11. Produce incident summary and control fixes.

Do not stop at “credential disabled”. The real question is:

What did the principal do before it was disabled?

18. Runbook Pattern: Audit Logging Disabled

Audit service tampering is critical because it attacks evidence.

Trigger examples:

CloudTrail StopLogging
CloudTrail DeleteTrail
Config StopConfigurationRecorder
Security Hub DisableSecurityHub
GuardDuty DeleteDetector
S3 PutBucketPolicy on log archive bucket
KMS ScheduleKeyDeletion on log encryption key

Response:

1. Re-enable logging/security service immediately if authorized.
2. Capture CloudTrail event that performed tampering.
3. Identify principal and session context.
4. Determine whether action came from automation, admin, compromised credential, or break-glass.
5. Check policy path that allowed action.
6. Validate whether SCP guardrail was absent, scoped incorrectly, or bypassed via management account.
7. Review other security controls for concurrent tampering.
8. Create corrective action: SCP/RCP/IAM boundary/Config rule/EventBridge remediation.

This incident often means your preventive guardrails are incomplete.


19. Post-Incident Review

Post-incident review bukan ritual menyalahkan orang.

Format yang efektif:

1. What happened?
2. What was the impact?
3. How did we detect it?
4. How did we respond?
5. What made response slower or riskier?
6. What prevented worse impact?
7. What systemic controls failed or were missing?
8. What changes will reduce probability or impact?
9. Who owns each corrective action?
10. How will we verify completion?

Timeline harus factual. Hindari narasi yang terlalu rapi.

Buruk:

Engineer forgot to update policy.

Lebih baik:

The deployment pipeline allowed a policy change that removed S3 Block Public Access on a bucket tagged data_classification=confidential. No SCP/RCP prevented the action, Config detected it after 12 minutes, but no automated remediation was attached.

Ini mengarah ke perbaikan sistem:

preventive control
faster detection
automated remediation
owner training
pipeline validation
exception workflow

20. Corrective Action Taxonomy

Tidak semua corrective action sama.

TypeContoh
PreventiveSCP deny disabling CloudTrail.
DetectiveConfig rule detects public bucket.
ResponsiveEventBridge triggers remediation.
RecoveryRestore test plan for critical DB.
ObservabilityAdd SLO burn alarm.
ProcessDefine incident commander rotation.
TrainingRun game day for credential compromise.
ArchitectureSeparate account boundary for sensitive data.

Corrective action yang buruk:

Be more careful next time.

Corrective action yang baik:

Add SCP denying cloudtrail:StopLogging except SecurityAutomationRole in security tooling account; test in PolicyStaging OU; deploy to Workloads OU; add EventBridge alert for denied attempts.

21. Game Days dan Incident Drills

Incident Manager configuration yang belum pernah diuji adalah asumsi.

Game day examples:

DrillTujuan
Credential leak simulationMenguji detection, disable, CloudTrail investigation, communication.
Logging tamper drillMenguji guardrail dan remediation audit controls.
Regional dependency failureMenguji failover dan stakeholder communication.
Restore drillMenguji RTO/RPO, backup access, KMS, restore runbook.
WAF false positiveMenguji exception workflow dan safe rollback.
SSM access failureMenguji break-glass path.

Game day harus punya:

scope
blast-radius guardrail
success criteria
observer
timeline capture
post-drill corrective action

22. Metrics Incident Response

Yang diukur bukan hanya jumlah incident.

MetricMakna
MTTDMean time to detect.
MTTAMean time to acknowledge.
MTTMMean time to mitigate.
MTTRMean time to recover/resolve.
Time to commanderSeberapa cepat koordinasi terbentuk.
Time to first useful updateKualitas komunikasi awal.
Reopen rateApakah resolved terlalu cepat.
Repeat incident rateApakah corrective action efektif.
Automation success rateApakah runbook otomatis reliable.
Evidence completenessApakah post-incident punya data cukup.

Hati-hati: jika MTTR dijadikan target buta, tim bisa menutup incident sebelum benar-benar stabil.

Metric harus dipakai untuk memperbaiki sistem, bukan menghukum responder.


23. Failure Modes

Failure ModeDampakMitigasi
Alarm terlalu noisyIncident fatigueComposite alarm, SLO-based trigger, dedupe.
Response plan terlalu generikResponder salah, runbook kaburResponse plan per incident class.
Escalation tidak diujiTidak ada yang meresponsRegular contact/channel test.
On-call tidak punya aksesResponse lambatJIT/break-glass access model.
Automation terlalu agresifProduksi rusak/evidence hilangSafety ladder, approval gates.
Severity tidak jelasDebat panjangImpact-based severity matrix.
Timeline tidak dicatatReview lemahScribe/automation evidence capture.
Postmortem tanpa ownerMasalah berulangCorrective action owner + due date + verification.
Security incident ditangani seperti outage biasaEvidence rusakSecurity-specific runbook.
Tool hanya ada di satu region/accountControl plane failureMulti-region preparedness where required.

24. Production Checklist

Sebelum menyatakan incident response AWS production-ready:

[ ] Response plan tersedia untuk availability, security, data exposure, audit tampering, backup failure.
[ ] Contact dan escalation plan diuji.
[ ] Incident commander role jelas.
[ ] Runbook punya langkah 15 menit pertama.
[ ] CloudWatch/EventBridge/Security Hub trigger tidak terlalu noisy.
[ ] Evidence pack bisa dikumpulkan cepat.
[ ] Security incident runbook tidak menghancurkan evidence secara tidak sengaja.
[ ] Break-glass access tersedia dan diaudit.
[ ] Communication cadence didefinisikan per severity.
[ ] Post-incident review menghasilkan corrective action terverifikasi.
[ ] Game day dijadwalkan berkala.
[ ] Metrics respons digunakan untuk memperbaiki sistem.

25. Kesimpulan

Incident management adalah lapisan yang menguji semua desain sebelumnya.

IAM yang bagus akan terlihat saat credential compromise.

CloudTrail yang bagus akan terlihat saat harus membuktikan siapa melakukan apa.

CloudWatch yang bagus akan terlihat saat harus membedakan symptom dan cause.

Systems Manager yang bagus akan terlihat saat harus mengakses fleet tanpa membuka SSH liar.

Security Hub/GuardDuty/Config yang bagus akan terlihat saat finding harus berubah menjadi tindakan.

Prinsip utama:

Incident response bukan heroism.
Incident response adalah sistem.

Sistem itu terdiri dari trigger yang tajam, response plan yang spesifik, responder yang jelas, runbook yang aman, evidence yang lengkap, komunikasi yang disiplin, dan corrective action yang mengubah arsitektur agar kegagalan yang sama tidak kembali.

Di Part 068 kita akan masuk ke Backup Governance and Restore Readiness: karena incident response terbaik tetap gagal jika data tidak bisa dipulihkan.

Lesson Recap

You just completed lesson 67 in final stretch. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.