
You’ve been asked to lead an initiative to improve how your cloud environment detects and responds to compromised AWS credentials. The current posture relies on ad hoc alerts from Amazon GuardDuty, manual review of AWS CloudTrail events, and inconsistent containment steps across teams. You need an approach that can identify high-confidence misuse quickly, trigger the right response for different credential types, and avoid breaking production workloads through overly aggressive automation.
How would you design a system to detect and respond to compromised AWS credentials?