Conducting Cloud Incident Response
When to Use
- Cloud security posture management (CSPM) alerts on unauthorized resource changes
- CloudTrail, Azure Activity Logs, or GCP Audit Logs show suspicious API calls
- Cloud access keys or service principal credentials are suspected compromised
- Unauthorized compute instances, storage buckets, or IAM changes are detected
- A cloud-hosted application is breached and attacker activity spans cloud services
Do not use for on-premises-only incidents with no cloud component; use standard enterprise IR procedures.