What a Real Cloud Incident Response Runbook Looks Like
The runbook template we hand to clients after a tabletop exercise — including the exact Slack, PagerDuty, and CSP console steps.
RAZR IR
A runbook that lives in a wiki nobody opens during an incident is not a runbook. The ones that actually get used are short, opinionated, and copy-pasteable.
The five sections every runbook needs
- Trigger: the exact alert or observation that starts this runbook.
- Declare: how to open the incident channel and page the right people.
- Contain: the specific console clicks or CLI commands to stop the bleeding.
- Investigate: the queries and evidence to gather before anything is changed.
- Recover & review: how to restore service and schedule the post-incident review.
A concrete example: compromised access key
Contain
- Disable the access key in the IAM console (do not delete yet — you need it for forensics).
- Detach any user policies granting broad permissions.
- Rotate any secrets the key had access to.
Investigate
- Pull CloudTrail events for the key in the last 30 days.
- Identify any API calls from unexpected source IPs or regions.
- Diff current IAM state against the last known-good snapshot.
The runbook you'll actually use in an incident is the one you rehearsed last month. — RAZR tabletop debrief