Code Room
On-call · Hard
Question
A GuardDuty/CloudTrail anomaly fires: a low-privilege CI IAM role ('ci-deployer') called iam:PutRolePolicy on itself to attach an administrator-equivalent inline policy, then iam:CreateAccessKey for a different, dormant administrative IAM user (access keys belong to users, not roles), then began sts:AssumeRole calls into production accounts via your AWS Organization. The CI role's only legitimate job is deploying to staging. The escalation calls came from an EC2 instance in your CI account, at a time when no CI job was scheduled. How do you triage, contain, and remediate this privilege escalation?
What a strong answer looks like
Stop the bleeding first (mitigate), then investigate. Containment here means revoking the CI role's active sessions (a deny policy conditioned on aws:TokenIssueTime) and stripping the injected inline policy, deactivating the newly created access key and revoking the dormant user's sessions, isolating rather than terminating the EC2 instance so its disk and memory survive for forensics, and revoking sessions on any prod roles that were assumed. Then form hypotheses from real signals: the CloudTrail userIdentity (for instance-profile credentials the session name is the instance ID), the source IP, and earlier events from the same session or host that show how the instance or its credentials were reached. Separate root cause (how the attacker got onto the CI instance or obtained its credentials) from symptom (the escalation chain), communicate status as you go, and close with what prevents a repeat: a permissions boundary or SCP that denies CI roles iam:PutRolePolicy on themselves and iam:CreateAccessKey, IMDSv2 if the credentials were pulled from the metadata service, and removal of the dormant admin user.
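The triage and containment steps for the chain in the question, as an added example that is not part of this page's material: it replays a constructed set of CloudTrail-style events (the account IDs, ARNs, the 'legacy-admin' user, the instance ID and the source IP are assumptions) through detection rules for each step of the chain, correlates the minted access key with its later use for the cross-account AssumeRole, and returns the containment inputs a responder needs, including the revoke-older-sessions deny policy for the CI role.

```python
"""Triage of a CloudTrail privilege-escalation chain (added example).
Events are constructed, not real CloudTrail output; account IDs, ARNs,
the 'legacy-admin' user and the instance ID are assumptions."""
import json
from datetime import datetime, timezone

CI_ACCOUNT, PROD_ACCOUNT = "111111111111", "222222222222"   # assumed accounts
CI_ROLE = f"arn:aws:iam::{CI_ACCOUNT}:role/ci-deployer"
# Instance-profile credentials use the EC2 instance ID as the session name,
# which is how CloudTrail ties the calls back to a specific host.
CI_SESSION = f"arn:aws:sts::{CI_ACCOUNT}:assumed-role/ci-deployer/i-0a1b2c3d4e5f67890"
ROLE_IDENTITY = {"type": "AssumedRole", "arn": CI_SESSION,
                 "sessionContext": {"sessionIssuer": {"arn": CI_ROLE}}}
NEW_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder key ID
USER_IDENTITY = {"type": "IAMUser", "userName": "legacy-admin", "accessKeyId": NEW_KEY,
                 "arn": f"arn:aws:iam::{CI_ACCOUNT}:user/legacy-admin"}
ADMIN_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

def _event(name, time, identity, params, response=None, ip="203.0.113.7"):
    return {"eventName": name, "eventTime": time, "userIdentity": identity,
            "sourceIPAddress": ip, "requestParameters": params,
            "responseElements": response or {}}

# Constructed sample: one legitimate staging deploy, then the three-step chain.
SAMPLE_EVENTS = [
    _event("AssumeRole", "2024-05-01T02:58:00Z", ROLE_IDENTITY,
           {"roleArn": f"arn:aws:iam::{CI_ACCOUNT}:role/staging-deploy"}),
    _event("PutRolePolicy", "2024-05-01T03:02:11Z", ROLE_IDENTITY,
           {"roleName": "ci-deployer", "policyName": "tmp", "policyDocument": ADMIN_DOC}),
    _event("CreateAccessKey", "2024-05-01T03:02:40Z", ROLE_IDENTITY,
           {"userName": "legacy-admin"},
           {"accessKey": {"accessKeyId": NEW_KEY, "userName": "legacy-admin"}}),
    _event("AssumeRole", "2024-05-01T03:03:05Z", USER_IDENTITY,
           {"roleArn": f"arn:aws:iam::{PROD_ACCOUNT}:role/OrganizationAccountAccessRole"}),
]

# IAM calls by which a role can widen its own permissions.
SELF_MODIFY = {"PutRolePolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
               "PutRolePermissionsBoundary", "DeleteRolePermissionsBoundary"}

def account_of(arn):
    return arn.split(":")[4]

def issuer_role_name(identity):
    """Role behind an AssumedRole session; None for IAM users and root."""
    arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return arn.rsplit("/", 1)[-1] if arn else None

def grants_admin(policy_document):
    """True if any Allow statement covers every action, or all of IAM."""
    for st in json.loads(policy_document).get("Statement", []):
        acts = st.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        if st.get("Effect") == "Allow" and any(a in ("*", "iam:*") for a in acts):
            return True
    return False

def triage(events):
    """Walk events in time order; return the escalation chain as findings."""
    findings, minted = [], {}   # minted: accessKeyId -> userName
    for ev in events:
        ident, name, p = ev["userIdentity"], ev["eventName"], ev["requestParameters"]
        role = issuer_role_name(ident)
        base = {"time": ev["eventTime"], "principal": ident["arn"], "ip": ev["sourceIPAddress"]}
        if name in SELF_MODIFY and role and p.get("roleName") == role:
            admin = name != "PutRolePolicy" or grants_admin(p["policyDocument"])
            findings.append({**base, "kind": "self_privilege_change", "admin": admin,
                             "policy": p.get("policyName") or p.get("policyArn") or ""})
        elif name == "CreateAccessKey" and role:
            # A role session minting a user's long-lived key is a persistence pivot.
            key = ev["responseElements"]["accessKey"]["accessKeyId"]
            minted[key] = p["userName"]
            findings.append({**base, "kind": "key_minted", "user": p["userName"], "key": key})
        elif name == "AssumeRole" and account_of(p["roleArn"]) != account_of(ident["arn"]):
            f = {**base, "kind": "cross_account_assume", "target": p["roleArn"]}
            if ident.get("accessKeyId") in minted:   # tie the pivot back to step two
                f["via_minted_key"] = ident["accessKeyId"]
            findings.append(f)
    return findings

def revoke_older_sessions_policy(cutoff):
    """Inline deny policy that invalidates every session of the role issued
    before cutoff; the same shape the IAM console uses for 'Revoke sessions'."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "*",
            "Resource": "*", "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}

def containment(findings, cutoff):
    """Containment inputs derived from findings; cutoff is an ISO-8601 UTC time."""
    roles = {f["principal"].split("/")[1] for f in findings if ":assumed-role/" in f["principal"]}
    return {
        "revoke_sessions_of": {r: revoke_older_sessions_policy(cutoff) for r in roles},
        "strip_policies": sorted((f["principal"].split("/")[1], f["policy"])
                                 for f in findings if f["kind"] == "self_privilege_change"),
        "deactivate_keys": sorted((f["user"], f["key"]) for f in findings if f["kind"] == "key_minted"),
        "isolate_instances": sorted({f["principal"].split("/")[2]
                                     for f in findings if "/i-" in f["principal"]}),
        "sweep_targets": sorted({f["target"] for f in findings if f["kind"] == "cross_account_assume"}),
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    print(json.dumps(containment(triage(SAMPLE_EVENTS), now), indent=2))
```

The legitimate staging AssumeRole in the sample produces no finding because its target is in the same account as the caller, while the prod AssumeRole is flagged and linked to the key minted two events earlier; that link is what justifies treating the dormant user, not just the CI role, as compromised. The deny policy is attached to the role as an inline policy and only blocks sessions issued before the cutoff, so a responder's own fresh session keeps working.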