When performing Incident Response in a platform where infrastructure and data is just as quickly destroyed as it is created, speed and efficacy are paramount. While AWS provides a wide gamut of tools and capabilities to effectively harness the cloud, it’s often a daunting task to understand which tools to use for what, when, and how – especially when responding to (possible) compromise. In the face of an incident, how do you contain and isolate compromised systems? Which logs do you search and how? Which services should you be using for effective response? These often-unanswered questions lead to a number of pitfalls commonly encountered when performing Incident Response within AWS, in turn causing substantial delay in investigations and, at times, loss of critical evidence. In this presentation, we will not only identify the most common (and damaging) pitfalls and how to avoid them, but also how to leverage a variety of AWS services (such as CloudTrail, CloudFormation, IAM, EC2, S3, Athena/Glue, and more) to drastically reduce the time spent performing investigations. Less time spent getting to the root cause, means less time to containment, eviction of the bad guys, and return to operations.