AWS incident response best practices emphasize rapid containment, credential revocation, and threat detection to minimize the blast radius of a compromise. According to the AWS Certified Security – Specialty Official Study Guide, when unauthorized resources such as an Amazon S3 bucket hosting malware are discovered, immediate action must be taken to stop further misuse of the account and to prevent recurrence.
Rotating or deleting all AWS access keys (Option D) is a critical containment step. If an IAM user has been compromised, any long-term credentials associated with that user must be revoked immediately to prevent continued unauthorized access. AWS guidance explicitly lists access key rotation or deletion as a first-response action for suspected credential compromise.
Deleting unrecognized or unauthorized resources (Option F) directly removes the malicious infrastructure that is being abused. In this case, deleting the unauthorized S3 bucket immediately stops malware distribution and reduces reputational and compliance impact.
Turning on Amazon GuardDuty (Option B) enables continuous threat detection by analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty can identify additional malicious activity, compromised credentials, or persistence mechanisms that the attacker may have established. AWS documentation recommends enabling GuardDuty during or immediately after an incident to detect ongoing or future threats.
Option A does not reduce the impact of the current compromise. Option C is overly disruptive and not recommended; credential rotation should be targeted. Option E is unnecessary because there is no indication that EBS-backed compute resources are involved.
AWS incident response guidance clearly prioritizes credential revocation, malicious resource removal, and threat detection to minimize consequences.
AWS Certified Security – Specialty Official Study Guide
AWS Incident Response Best Practices
Amazon GuardDuty User Guide
AWS IAM Security Best Practices
