Security incidents

Stop the exfiltration first. Do forensics later.

The idea

In a security incident (like a leaked API key or a DDoS), the first priority is Containment. You do not spend an hour grepping logs to work out exactly what was taken while the attack is still in progress. You immediately revoke the leaked credential, or block the malicious IP range.

Only after the bleeding has stopped do you move to Investigation & Forensics to determine the blast radius (which identities, resources and data the credential touched), followed by Remediation (forcing password resets, rotating infrastructure secrets, fixing whatever let the key leak).


How it works (Incident Phases)

# Phase 1: Containment (STOP THE BLEEDING)
# Do this in seconds/minutes.
# Add --user-name <iam-user> when the key belongs to a user other than the caller.
aws iam delete-access-key --access-key-id AKIAIOSFODNN7EXAMPLE
# The attacker's next request with that key is rejected (HTTP 403 Forbidden).

# Phase 2: Forensics (BLAST RADIUS)
# Do this over hours. Query CloudTrail to see exactly what they did.
SELECT eventTime, eventName, sourceIPAddress, resources
FROM cloudtrail_logs
WHERE userIdentity.accessKeyId = 'AKIAIOSFODNN7EXAMPLE'
ORDER BY eventTime;

# Phase 3: Remediation (FIX THE ROOT CAUSE)
# Use a secrets manager, enforce 2FA, rotate all other keys.
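The three phases above as one runbook, written as an added example (not code from the original page). It assumes CloudTrail records in their JSON event format and takes the revoke action as a caller-supplied function, so in production you would pass a thin wrapper around boto3's iam.delete_access_key and offline you can pass a recorder; the sample events are constructed, and the key id is AWS's documented example key.

```python
"""Containment-first incident runbook: revoke the key, then measure blast radius.

Added example, not from the original page. Assumes CloudTrail JSON records and
an injected `revoke(access_key_id)` callable (e.g. boto3 iam.delete_access_key).
"""
from collections import Counter
from datetime import datetime, timezone

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS's documented example key id

# Constructed sample CloudTrail records (not real data).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": LEAKED_KEY}, "resources": []},
    {"eventTime": "2024-05-01T10:02:30Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": LEAKED_KEY},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/customers.csv"}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"accessKeyId": LEAKED_KEY},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/customers.csv"}]},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "PutObject",
     "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"},  # a different, unaffected key
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.pdf"}]},
]


def contain(access_key_id, revoke):
    """Phase 1: revoke immediately. `revoke` is injected so it can be a real
    IAM call in production and a recorder when testing the runbook."""
    revoke(access_key_id)
    return {"access_key_id": access_key_id, "status": "revoked"}


def blast_radius(events, access_key_id):
    """Phase 2: summarize what the key actually did, from CloudTrail records."""
    hits = [e for e in events
            if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    if not hits:
        return {"event_count": 0}
    times = sorted(
        datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for e in hits)
    return {
        "event_count": len(hits),
        "first_seen": times[0].isoformat(),
        "last_seen": times[-1].isoformat(),
        "actions": dict(Counter(e["eventName"] for e in hits)),
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "resources": sorted({r["ARN"] for e in hits for r in e.get("resources", [])}),
    }


def remediation_plan(summary):
    """Phase 3: root-cause and follow-up tasks derived from the forensic summary."""
    tasks = [
        "Rotate every other access key of the affected principal",
        "Move the credential into a secrets manager; enforce MFA on the account",
    ]
    # Each resource the key read needs a disclosure assessment.
    for arn in summary.get("resources", []):
        tasks.append(f"Assess data disclosure for {arn}")
    return tasks


def run_runbook(events, access_key_id, revoke):
    """Enforce the order: contain first, investigate second, remediate last."""
    containment = contain(access_key_id, revoke)
    summary = blast_radius(events, access_key_id)
    return {"containment": containment,
            "forensics": summary,
            "remediation": remediation_plan(summary)}


if __name__ == "__main__":
    revoked = []
    result = run_runbook(SAMPLE_EVENTS, LEAKED_KEY, revoked.append)
    print(result["forensics"])
    print("\n".join(result["remediation"]))
```

The injected revoke callable is the only part that touches AWS; everything after it runs against exported CloudTrail records, so the forensic step can be re-run and reviewed without touching the live account.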