confusdcodr / terraform-guardduty-demo

terraform-aws-ir

Terraform AWS Incident Response Sandbox

Sources

Remediation Actions

IAM user

  • remove all policies associated with the user (log what they were)
  • move user to the /compromised path
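
The two IAM steps above, sketched with the AWS CLI. This is an added example, not code from this repository: the function name `quarantine_iam_user` and the log line format are hypothetical, and it assumes credentials permitted to call the IAM actions shown. It handles managed and inline policies attached directly to the user.

```shell
# Added example (not from the repository): quarantine a compromised IAM user.
# quarantine_iam_user and the log format are hypothetical choices.
quarantine_iam_user() {
  user="$1"; log="$2"
  [ -n "$user" ] && [ -n "$log" ] || {
    echo "usage: quarantine_iam_user USER LOGFILE" >&2; return 2; }
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)

  # 1a. Managed policies: record each ARN before detaching it.
  arns=$(aws iam list-attached-user-policies --user-name "$user" \
           --query 'AttachedPolicies[].PolicyArn' --output text) || return 1
  for arn in $arns; do
    [ "$arn" = "None" ] && continue   # CLI text placeholder for a null result
    echo "$ts user=$user managed_policy=$arn" >> "$log" || return 1
    aws iam detach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  done

  # 1b. Inline policies exist only on the user, so save the whole document
  #     before deleting; otherwise the record of what was granted is lost.
  names=$(aws iam list-user-policies --user-name "$user" \
            --query 'PolicyNames[]' --output text) || return 1
  for name in $names; do
    [ "$name" = "None" ] && continue
    doc=$(aws iam get-user-policy --user-name "$user" --policy-name "$name" \
            --query 'PolicyDocument' --output json) || return 1
    flat=$(printf '%s' "$doc" | tr -d '\n')   # one log line per policy
    echo "$ts user=$user inline_policy=$name document=$flat" >> "$log" || return 1
    aws iam delete-user-policy --user-name "$user" --policy-name "$name" || return 1
  done

  # 2. Move the user under /compromised/. The user's ARN changes with the path.
  aws iam update-user --user-name "$user" --new-path /compromised/ || return 1
  echo "$ts user=$user moved_to_path=/compromised/" >> "$log"
}
```

Each policy is written to the log before it is removed, so a failure partway through still leaves a record of everything that was taken off the user.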

EC2 instance

  • isolate it

ToDo

  • CI
    • add linting
    • auto-generate docs
  • add CloudWatch alarms and SNS topics for 'spending guard'
  • add misconfigured S3 bucket generation to a non-malicious instance
