AWS DevOps Pro Certification Blog Post Series: Incident and Event Response

This is part of the blog post series: AWS DevOps Pro Certification

What does the exam guide say?

To pass this domain, you'll need to know the following:

This domain is 18% of the overall mark for the exam.

What whitepapers are relevant?

According to the AWS Whitepapers for Security and Compliance we should look at the following documents:

Other whitepapers as recommended by product pages:

What services and products are covered in this domain?

What about other types of documentation?

If you have the time, by all means, read the User Guides, but they are usually a couple of hundred pages.

Alternatively, get familiar with the services using the FAQs:

You're all expected to know the APIs

Before you panic, you'll start to spot a pattern with the API verbs.

And the CLI commands

As with the API, there are patterns to the commands.

Please put down your weapon. You have 20 seconds to comply.

Quote: ED-209, Robocop (1987)

This is another domain that probably requires awareness of the products rather than actual use (especially in the case of the Kinesis suite). As we'll see, Amazon GuardDuty and Amazon Inspector do have an immediate use for small to medium-sized businesses if you don't have an Information Security function in your company.

As the title of this section suggests, this domain is focussed on how to respond to incidents and events. Incidents are usually around a security context, whereas events are often related to a data stream.

I'll be covering all the products in this domain within this post since it's a relatively small domain with very few opportunities to provide practical hands-on experience using the AWS CLI.


Amazon GuardDuty is a threat detection service that analyses metadata generated by your account and network activity found in AWS CloudTrail events, Amazon VPC Flow Logs, and DNS logs. It can detect:

Amazon Inspector is another automated security assessment service just like GuardDuty, but instead of identifying issues with your account or network activity it primarily focusses on your EC2 instances. It has built-in rules (created and maintained by AWS security researchers) to check for access to your instances from the internet, remote root login being enabled, or vulnerable software versions installed.

Amazon Kinesis is a suite of products:


Amazon GuardDuty provides a comprehensive threat detection service. Whilst it does offer reporting through a dashboard, the response workflow does require more work, i.e. you're expected to write the tooling (AWS Lambda) around the events (CloudWatch). This is probably why Amazon is touting partners who can help implement these workflows.
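The workflow described above, as an added example that is not code from the original post: a Lambda handler that triages a GuardDuty finding delivered by a CloudWatch Events rule. The response policy (`ACTIONS`), the function names and the sample event are assumptions made up for illustration; no AWS calls are made, so it runs offline.

```python
# Rule pattern that routes findings to the function:
#   {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

def severity_label(score):
    # GuardDuty severity bands: low 1.0-3.9, medium 4.0-6.9, high 7.0-8.9.
    # Anything above that range is treated as high here.
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

# Hypothetical response policy: the follow-up each band triggers.
ACTIONS = {"HIGH": "page-on-call", "MEDIUM": "open-ticket", "LOW": "log-only"}

def triage(event):
    """Return a response decision, or None if the event is not a finding."""
    if event.get("source") != "aws.guardduty":
        return None
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail") or {}
    try:
        label = severity_label(float(detail["severity"]))
    except (KeyError, TypeError, ValueError):
        # Malformed finding: hand it to a human instead of dropping it.
        return {"action": "open-ticket", "severity": "UNKNOWN",
                "finding_id": detail.get("id")}
    instance = detail.get("resource", {}).get("instanceDetails", {})
    return {
        "action": ACTIONS[label],
        "severity": label,
        "finding_id": detail.get("id"),
        "finding_type": detail.get("type"),
        "instance_id": instance.get("instanceId"),
    }

def lambda_handler(event, context):
    decision = triage(event)
    print(decision)  # stdout from Lambda ends up in CloudWatch Logs
    return decision

# Constructed sample event (not real data).
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id", "severity": 8.0,
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"instanceDetails": {"instanceId": "i-0example"}},
    },
}
```

In a real deployment the returned action would drive the next step, such as publishing to a notification topic or isolating the instance.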

With Amazon Inspector, as with GuardDuty, you get an all-around security assessment tool for your EC2 instances.

The Amazon Kinesis suite provides managed services that can handle large amounts of data. Whilst you could run your own Apache Kafka environment, you would need a large team to support its setup and ongoing maintenance. Trivia: Amazon also provides a managed service for Apache Kafka called Amazon Managed Streaming for Apache Kafka. The key takeaway for why Kinesis exists is that it has specialist tooling for video and high-volume data streams. Because of its tight integration with AWS data services, Kinesis Data Firehose can load large volumes of data into those services with a minimal amount of configuration. Kinesis Data Analytics can be used to perform analytics against these data streams, or when you've outgrown the likes of CloudWatch for log analysis. Finally, all of the products in this suite can be used together or separately, although Kinesis Data Analytics does require the source to come from Kinesis Data Firehose or Kinesis Data Streams.


Amazon GuardDuty should be used when you don't want the overhead of managing your own threat detection and response system. To do this yourself you would need to use tools like Snort or Tripwire and maintain subscriptions to third-party threat intelligence sources like Proofpoint and CrowdStrike.

Amazon Inspector is a complementary tool to Amazon GuardDuty, so the chances are that if you're using Amazon GuardDuty, you should be using Amazon Inspector too.

Some of the use cases for Amazon Kinesis are:


Amazon GuardDuty provides a 30-day free trial; after that you are charged by the volume of events (CloudTrail) and volume of data (Amazon VPC Flow Logs and DNS logs). The key things you need to be aware of in the service page in the AWS Console (they also form the navigation menu) are:

Amazon Inspector provides a 90-day free trial for the first 250 instance assessments. The key things to be aware of are:

Amazon Kinesis does require development to utilise the services. The examples provided require quite a bit of setup. It would be nice if you could pre-load the services with sample data much as you can with Amazon GuardDuty or Amazon Inspector.
