aws-incident-response-playbooks by aws-samples

Automated incident response playbooks for AWS

Created 6 years ago
1,057 stars

Top 35.3% on SourcePulse

Project Summary

This repository provides sample incident response playbooks for AWS environments, designed as customizable templates for administrators to enhance their incident response capabilities. It targets AWS users and security professionals looking to formalize and improve their handling of security incidents.

How It Works

The playbooks are structured around the NIST Computer Security Incident Handling Guide (SP 800-61 Revision 3), covering evidence gathering, containment, eradication, recovery, and post-incident activities. They are offered in two formats: human-readable markdown files for direct guidance and ai-playbooks designed for integration with Large Language Models (LLMs) as "steering files" or "skills" within compatible IDEs.

Quick Start & Requirements

These playbooks are templates requiring customization for specific AWS environments, risks, and workflows. Testing, such as through "Game Days," is strongly recommended before deployment. Usage may incur AWS service costs and LLM token consumption, depending on the specific playbooks and LLM integration used.

Highlighted Details

  • Adheres to the NIST SP 800-61 Revision 3 incident handling framework.
  • Provides distinct formats for human responders (markdown) and AI-driven automation (ai-playbooks).
  • Emphasizes the critical need for customization and rigorous testing in target environments.

Maintenance & Community

Information regarding contributions and security practices can be found in the CONTRIBUTING file. No other community or maintenance details are specified in the README.

Licensing & Compatibility

Documentation is available under the Creative Commons Attribution-ShareAlike 4.0 International License. Sample code is provided under the permissive MIT-0 license. These licenses permit modification and use, with CC-BY-SA requiring derivative works to be shared under the same terms.

Limitations & Caveats

The playbooks are provided "as-is" and are not official AWS documentation. They necessitate significant customization and testing by the user. Potential AWS service costs and LLM token usage should be carefully evaluated.

Health Check

  • Last Commit: 1 month ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 0
  • Issues (30d): 0
  • Star History: 3 stars in the last 30 days
