The Top 3 Open Source Tools for AWS Incident Response

Welcome to our third blog on incident response in the cloud. The first two posts primarily focused on the built-in capabilities from cloud service providers that can help your incident response efforts. We also discussed how to configure your Amazon Web Services (AWS) environment to take advantage of those features.

Today, we are going to look at some tools that are extremely helpful for responding to cloud incidents. I’m only going to look at open source tools for AWS in this post, so you can go download and play with them in your training or test environment now.

ThreatResponse Suite

The first thing we’ll take a look at is ThreatResponse Suite. In my opinion, it’s the most effective open source tool for AWS response. ThreatResponse Suite is a collection of three tools designed to help with incident response in your AWS environment.

The first tool is simply AWS_IR. This is a Python-installable command line interface that automates initial response actions. It has two built-in commands, key-compromise and instance-compromise, with some plugin options. As the name implies, key-compromise disables and revokes compromised access keys for you. Instance-compromise isolates the affected instances and preserves forensic artifacts for your investigation.
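To make concrete what instance-compromise automates, here is an added example of the same containment steps written against the boto3 EC2 client API; it is not aws_ir's own code, and the isolation security group id, instance id and case id are placeholders for values from your own environment. It assumes a deny-all isolation security group already exists in the VPC.

```python
"""Containment steps for a compromised EC2 instance (constructed illustration).

Works against any object exposing the boto3 EC2 client methods used below: pass
boto3.client("ec2") for a real run, or DryRunEC2 (defined here) to rehearse offline.
"""


def contain_instance(ec2, instance_id, isolation_sg, case_id):
    """Isolate the instance, protect it from termination and snapshot its volumes.
    Returns a record of what changed so it can go straight into the case notes."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    # 1. Replace all security groups with the deny-all isolation group: network
    #    containment without stopping the instance, so volatile memory survives.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    # 2. Block API termination of the evidence, whether accidental or attacker-initiated.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    # 3. Snapshot every attached EBS volume and tag the snapshots with the case id.
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"{case_id}: {instance_id} {bdm['DeviceName']}")
        snapshots.append(snap["SnapshotId"])
    if snapshots:
        ec2.create_tags(Resources=snapshots, Tags=[{"Key": "CaseId", "Value": case_id},
                                                   {"Key": "SourceInstance", "Value": instance_id}])
    return {"instance": instance_id, "original_sgs": original_sgs, "snapshots": snapshots}


class DryRunEC2:
    """Offline stand-in for the EC2 client: returns a constructed instance and records calls."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                    {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}]}]}]}
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"]}
    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))


if __name__ == "__main__":
    # Rehearsal run; for a real incident replace DryRunEC2() with boto3.client("ec2").
    print(contain_instance(DryRunEC2(), "i-0123456789abcdef0", "sg-ISOLATION", "CASE-0001"))
```

The original security group ids are returned rather than discarded so the instance can be restored, or its pre-incident exposure documented, after the investigation.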

The second tool is Margarita Shotgun. This is another Python command line tool, but this one allows you to pull memory from one or more systems in your AWS environment. The last tool in the suite is an incident management tool called Incident Pony™. Unlike the other two, Incident Pony™ isn’t a free product, but it does use ThreatResponse Suite for a lot of its functionality.

SANS Investigative Forensic Toolkit

Most IR teams have had some exposure or training with SANS Investigative Forensic Toolkit (SIFT) workstation. For those that haven’t, you can find an introductory video on SIFT here. This open source all-in-one forensic toolkit can easily be built right in your cloud environment.

All you have to do is set up a Linux image in your cloud environment and install SIFT with wget or use SIFTonEC2. This gives your incident responders the ability to investigate compromised snapshots in your cloud environment using that pre-built Virtual Private Cloud (VPC) we talked about in the last blog.

Diffy

Netflix to the rescue! Netflix’s Security Intelligence and Response Team (SIRT) developed Diffy and released it for public use. Diffy is another Python-installable tool for incident response in your AWS environment. Diffy helps your incident response team identify differences or changes to systems in their cloud environment. This is especially helpful in a large-scale environment where you are replicating systems in multiple regions.

If your system gets compromised in one region, Diffy can be used to determine if any other versions were also compromised. It does this by looking for differences from a baseline scan or from a clustered scan.


If you’re looking for low-cost or no-cost solutions, your best bet is to check out the ThreatResponse Suite of tools, the SANS Investigative Forensic Toolkit, and Diffy. These are all effective tools to improve your AWS incident response efforts. There are, of course, other open source tools, and even more pay-per-use tools, out there to investigate. We’ll discuss these in some of our upcoming blogs.

When’s the last time you’ve had an AWS configuration checkup? We’re offering a free assessment to check for common misconfigurations and ensure you’re following configuration best practices. Here’s how you can get started.