
In the lecture "EC2 has been hacked! What should you do?", the FIRST thing to do is have a robust monitoring/alerting/automation plan in place. Tuning the monitoring and alerting does take time, but well worth the effort to mitigate attacks, and reduce the blast radius when they do occur.
I would also suggest deploying some kind of centralized logging for OSes and applications that have an alert function. Adding a response/action function (e.g., launch LAMBDA scripts when specific alerts are sent) can automatically lock down an EC2 instance so it's available for forensic analysis when you are ready. There are of course many others when it comes to handling a compromised server.
The bottom line to my message is to look at how to automate responses to attacks. This way you can respond much faster than a human to reduce the exposure and blast radius of an attack.
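The automated "lock down for forensics" action described above, written out as a Lambda-style handler. This is an added example, not code from the course or from the post author. It assumes a constructed alert event shape (not an exact GuardDuty or CloudWatch schema), an already existing isolation security group with no rules whose id arrives in the `ISOLATION_SG` environment variable, and a `FakeEC2` stub standing in for the boto3 EC2 client so the logic runs offline. It goes slightly beyond the post by snapshotting the volumes before changing anything, so the evidence is preserved even if the isolation step fails.

```python
"""
Automated EC2 quarantine on alert (added example, not from the post or course).
Assumes: the event carries the instance id in a constructed shape, and an empty
isolation security group already exists (id in ISOLATION_SG). Real calls go
through boto3's EC2 client; FakeEC2 below is a constructed offline stand-in.
"""
import os
from datetime import datetime, timezone

try:
    import boto3  # only needed when actually running inside AWS Lambda
except ImportError:  # offline demo: the constructed FakeEC2 stub is used instead
    boto3 = None


def extract_instance_id(event):
    """Pull the EC2 instance id out of the alert event (constructed event shape)."""
    try:
        return event["detail"]["resource"]["instanceDetails"]["instanceId"]
    except (KeyError, TypeError):
        raise ValueError("event carries no instance id") from None


def quarantine_instance(ec2, instance_id, isolation_sg):
    """Isolate the instance and preserve evidence for later forensic analysis."""
    # 1. Record the instance state before we touch anything
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    volumes = [m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]]

    # 2. Snapshot the disks first: evidence is captured even if a later step fails
    snapshots = []
    for vol in volumes:
        snap = ec2.create_snapshot(VolumeId=vol, Description=f"IR snapshot of {instance_id}")
        snapshots.append(snap["SnapshotId"])

    # 3. Swap to the empty isolation group: the instance keeps running (memory
    #    intact for live forensics) but can no longer talk to anything
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])

    # 4. Guard against accidental termination and tag the instance for responders
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir-status", "Value": "quarantined"},
        {"Key": "ir-original-sgs", "Value": ",".join(original_sgs)},
        {"Key": "ir-quarantined-at", "Value": datetime.now(timezone.utc).isoformat()},
    ])
    return {"instance": instance_id, "original_sgs": original_sgs, "snapshots": snapshots}


def lambda_handler(event, context, ec2=None):
    """Lambda entry point; `ec2` is injectable so the logic can be exercised offline."""
    if ec2 is None:
        ec2 = boto3.client("ec2")
    return quarantine_instance(ec2, extract_instance_id(event), os.environ["ISOLATION_SG"])


class FakeEC2:
    """Constructed offline stand-in for the boto3 EC2 client; records every call."""
    def __init__(self):
        self.calls = []
        self.groups = ["sg-web-constructed"]

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "SecurityGroups": [{"GroupId": g} for g in self.groups],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": "vol-constructed-1"}}],
        }]}]}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("snapshot", VolumeId))
        return {"SnapshotId": f"snap-of-{VolumeId}"}

    def modify_instance_attribute(self, InstanceId, **attrs):
        self.calls.append(("modify", InstanceId, attrs))
        if "Groups" in attrs:
            self.groups = attrs["Groups"]

    def create_tags(self, Resources, Tags):
        self.calls.append(("tags", Resources, Tags))


def demo():
    """Run the quarantine against a constructed alert event, fully offline."""
    event = {"detail": {"resource": {"instanceDetails": {"instanceId": "i-constructed-0001"}}}}
    fake = FakeEC2()
    result = quarantine_instance(fake, extract_instance_id(event), "sg-isolation-constructed")
    return result, fake


if __name__ == "__main__":
    res, client = demo()
    print(res)
    for call in client.calls:
        print(call)
```

Wiring this up in AWS means pointing an EventBridge rule (or a CloudWatch alarm action) at the function and giving its role only the EC2 permissions used above; the snapshot-before-isolate ordering is the part worth keeping however the trigger is built.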
1 Answer

Great tips, thanks for sharing this,
Faye