Preparing an IR Account and Toolkit
Set up a dedicated environment ready for investigations.
A Dedicated IR Account
Mature AWS organizations create a separate security or incident-response account. It is isolated from production so an attacker who compromises a workload cannot reach your investigation tools or evidence.
This account holds forensic resources, centralized logs, and the roles responders assume when an event begins.
Why Separation Helps
If logs and tooling lived in the same account as the breach, the attacker could delete them to cover their tracks.
An isolated IR account, often paired with a separate log archive account, keeps evidence and capabilities beyond the attacker's reach even during a full compromise of production.
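The two mechanisms this lesson rests on are a cross-account role that only the IR account can assume and a log archive whose contents cannot be deleted from production. The following Python is an added example, not code from the course, that builds both policy documents and then checks them the way a responder would during preparation: that the forensics role's trust policy names only the IR account, and that an explicit Deny in the bucket policy blocks deletion from any account other than the IR and log-archive accounts. The account IDs, bucket name and role name are constructed placeholders.

```python
"""Build and check the IR-account trust policy and log-archive bucket policy.

Added example; the account IDs and bucket name below are constructed
placeholders, not real identifiers.
"""
import json

PROD_ACCOUNT = "111111111111"         # workload account that may be compromised
IR_ACCOUNT = "222222222222"           # dedicated incident-response account
LOG_ARCHIVE_ACCOUNT = "333333333333"  # separate log archive account
LOG_BUCKET = "example-org-log-archive"  # hypothetical bucket name


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def responder_trust_policy(ir_account):
    """Trust policy for a forensics role deployed in each workload account.

    Only principals from the IR account may assume it, and only when they
    authenticated with MFA, so a compromised workload identity cannot use it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ir_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def log_archive_bucket_policy(bucket, ir_account, log_archive_account):
    """Bucket policy that denies destructive actions from any other account.

    The Deny applies to every principal whose account is not in the allow-list,
    so an attacker with production credentials cannot delete or re-policy logs.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyDestructiveActionsOutsideIR",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration",
            ],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {
                "aws:PrincipalAccount": [ir_account, log_archive_account]}},
        }],
    }


def trusted_accounts(trust_policy):
    """Return the set of account IDs (or '*') allowed to assume the role."""
    accounts = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            # arn:aws:iam::<account-id>:root  ->  account id is the 5th field
            accounts.add("*" if arn == "*" else arn.split(":")[4])
    return accounts


def trust_is_restricted_to(trust_policy, ir_account):
    """True only if the IR account, and nothing else, can assume the role."""
    return trusted_accounts(trust_policy) == {ir_account}


def action_denied_for(bucket_policy, principal_account, action):
    """Minimal evaluator: does an explicit Deny statement match this caller?

    Only the aws:PrincipalAccount / StringNotEquals pattern used above is
    understood; a real evaluation is done by IAM itself.
    """
    for stmt in bucket_policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in _as_list(stmt["Action"]):
            continue
        exempt = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:PrincipalAccount", [])
        if principal_account not in _as_list(exempt):
            return True
    return False


if __name__ == "__main__":
    trust = responder_trust_policy(IR_ACCOUNT)
    bucket = log_archive_bucket_policy(LOG_BUCKET, IR_ACCOUNT, LOG_ARCHIVE_ACCOUNT)
    print(json.dumps(trust, indent=2))
    print("trust restricted to IR account:", trust_is_restricted_to(trust, IR_ACCOUNT))
    print("prod can delete logs:", action_denied_for(bucket, PROD_ACCOUNT, "s3:DeleteObject") is False)
```

The checks are deliberately narrow: they catch the two regressions that most often undo this design, a trust policy widened to `*` or to a workload account, and a bucket policy whose Deny no longer covers `s3:DeleteObject`. Pair the bucket policy with versioning and, where retention is mandated, S3 Object Lock, so that even a principal inside the exempt accounts cannot silently rewrite history.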