Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3. Phase 3 Reflection Checkpoint

Key Takeaways:
  1. IR effectiveness is determined by preparation: runbooks, pre-provisioned access, and automated response workflows
  2. The Automated Forensics Orchestrator and Step Functions enable complex, multi-step automated response
  3. FIS tests resilience through fault injection; Resilience Hub assesses architecture against recovery targets
  4. Evidence capture order matters: isolate → snapshot → memory dump → investigate → terminate
  5. Detective is for root cause investigation (not detection); GuardDuty is for threat detection (not investigation)

Connecting Forward: In Phase 4, you'll learn how to secure the infrastructure that detection monitors and incident response protects — network edge security, compute workloads, and network controls.

Self-Check Questions:
  • Can you describe the correct sequence for responding to a compromised EC2 instance?
  • Can you explain the difference between FIS (fault injection testing) and Resilience Hub (resilience assessment)?
  • Can you trace the automated remediation chain from GuardDuty → EventBridge → Step Functions?
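
As an added illustration (not part of the course material), the compromised-instance sequence from takeaway 4 and the last self-check question, written as a runbook whose steps refuse to run out of order. The EC2 client is a constructed fake whose method names match the boto3 EC2 client; the quarantine security-group id and the memory-dump stand-in are assumptions.

```python
# Added example: enforces isolate -> snapshot -> memory dump -> investigate
# -> terminate and raises on any step taken out of order. FakeEc2 is
# constructed so this runs offline; its method names match the real boto3 EC2
# API. The quarantine SG id and the memory-dump stand-in are assumptions.

class OrderError(RuntimeError): pass  # a step ran before its prerequisites

class FakeEc2:  # records calls instead of talking to AWS (constructed)
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("isolate", InstanceId, tuple(Groups)))
    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId.split("-")[-1]}
    def terminate_instances(self, InstanceIds):
        self.calls.append(("terminate", tuple(InstanceIds)))

class ResponseRunbook:
    ORDER = ("isolate", "snapshot", "memory_dump", "investigate", "terminate")
    def __init__(self, ec2, quarantine_sg):
        self.ec2, self.sg, self.done = ec2, quarantine_sg, []
    def _step(self, name):
        # Each call must be exactly the next step in ORDER; nothing may be skipped.
        expected = self.ORDER[len(self.done)]
        if name != expected:
            raise OrderError(f"{name} attempted, but {expected} is required first")
        self.done.append(name)
    def isolate(self, instance_id):  # quarantine SG stops further network activity
        self._step("isolate")
        self.ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[self.sg])
    def snapshot(self, volume_ids):  # disk evidence, taken while isolated
        self._step("snapshot")
        return [self.ec2.create_snapshot(VolumeId=v, Description="IR evidence")["SnapshotId"] for v in volume_ids]
    def memory_dump(self, instance_id):  # volatile evidence, before any reboot
        self._step("memory_dump")
        return f"memdump-{instance_id}"  # stands in for an SSM-driven dump (assumed)
    def investigate(self, evidence):  # analyst / Detective work on the evidence set
        self._step("investigate")
        return evidence
    def terminate(self, instance_id):  # reachable only once all evidence exists
        self._step("terminate")
        self.ec2.terminate_instances(InstanceIds=[instance_id])

def respond(ec2, instance_id, volume_ids, quarantine_sg="sg-QUARANTINE-ASSUMED"):
    rb = ResponseRunbook(ec2, quarantine_sg)
    rb.isolate(instance_id)
    evidence = {"snapshots": rb.snapshot(volume_ids), "memory": rb.memory_dump(instance_id)}
    rb.investigate(evidence)
    rb.terminate(instance_id)
    return list(rb.done), evidence
```

In a Step Functions deployment each method would become a state, with the order check replacing the free-form chaining the console allows.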
Written by Alvin Varughese, Founder, 15 professional certifications