Incident Response

What a Real Cloud Incident Response Runbook Looks Like

The runbook template we hand to clients after a tabletop exercise — including the exact Slack, PagerDuty, and CSP console steps.

RAZR IR

10 min read

A runbook that lives in a wiki nobody opens during an incident is not a runbook. The ones that actually get used are short, opinionated, and copy-pasteable.

The five sections every runbook needs

  1. Trigger: the exact alert or observation that starts this runbook.
  2. Declare: how to open the incident channel and page the right people.
  3. Contain: the specific console clicks or CLI commands to stop the bleeding.
  4. Investigate: the queries and evidence to gather before anything is changed.
  5. Recover & review: how to restore service and schedule the post-incident review.

A concrete example: compromised access key

Contain

  • Disable the access key in the IAM console (do not delete yet — you need it for forensics).
  • Detach any user policies granting broad permissions.
  • Rotate any secrets the key had access to.

Investigate

  • Pull CloudTrail events for the key in the last 30 days.
  • Identify any API calls from unexpected source IPs or regions.
  • Diff current IAM state against the last known-good snapshot.

The runbook you'll actually use in an incident is the one you rehearsed last month. — RAZR tabletop debrief

Share this post

Get new posts in your inbox

Field notes on cloud security, compliance, and incident response. One email when we publish. No spam.

Ready to see how your stack scores?

Take the 15-minute diagnostic and get a prioritized 30/60/90-day action plan.

Related posts

More reading based on this post's category and tags.