Detection criteria (GuardDuty alerts, CloudTrail anomalies) - Initial response (identify affected resources, preserve CloudTrail logs) - Containment (revoke credentials, isolate resources) - Investigation (CloudTrail analysis, resource inventory) - Recovery (rotate all credentials, rebuild from IaC)