This control plane turns raw GuardDuty exports into one buyer-readable threat-operations surface: detector coverage, credential abuse, runtime compromise, exfiltration signals, stale findings, and the response packets needed before incidents, audits, or release windows drift.
| Lane | Owner | Focus | Status | Open findings | Next action |
|---|---|---|---|---|---|
| Detector coverage lane: one detector is disabled and S3 data-event coverage for the production detector is still incomplete. | Cloud Security Engineering | Regional detector health, publishing destinations, and signal coverage. | red | 2 | Re-enable the eu-west-1 detector and turn on S3 data-event visibility for the production detector. |
| Credential abuse lane: credential exfiltration and anomalous behavior need the fastest containment path. | Identity Operations | Stolen role credentials, anomalous API use, and trust validation. | red | 2 | Revoke active sessions for the compromised role, rotate its credentials, and validate IAM user activity against the expected runbooks. |
| Runtime compromise lane: compromised runtime signals are present, but an owner and a response path already exist. | Platform SRE | Crypto-mining, malware, and workload isolation posture. | yellow | 5 | Isolate the media worker and verify its AMI, startup scripts, and egress controls. |
| Data exfiltration lane: finance export reads and missing S3 detector coverage increase exfiltration risk. | Data Security | S3 read anomalies, export movement, and perimeter containment. | red | 1 | Validate the S3 object read context and restore data-event signal completeness. |
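The lane routing, status colouring, stale-finding check, and detector coverage check that the table above summarises can be reproduced from raw GuardDuty exports. The script below is an added example, not the page's own tooling: the finding and detector records are constructed inline to mimic the JSON shape of GuardDuty's `GetFindings` (`Type`, `Severity`, `UpdatedAt`, `Service.Archived`) and `GetDetector` (`Status`, `Features`) responses, with invented IDs and values, and the 30-day stale threshold, the lane names, and the purpose-to-lane map are assumptions chosen for illustration.

```python
"""Route GuardDuty findings into response lanes and check detector coverage.

Added example, not the page's own tooling. Records are constructed to mimic
GuardDuty GetFindings / GetDetector JSON with invented values, so it runs offline.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
STALE_AFTER = timedelta(days=30)  # assumption: untouched for 30 days means stale
RED_SEVERITY = 7.0                # GuardDuty "High" severity starts at 7.0

# Constructed sample findings (shape follows GetFindings output; values invented).
FINDINGS = [
    {"Id": "f-001", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
     "Severity": 8.0, "UpdatedAt": "2024-05-31T10:00:00Z", "Service": {"Archived": False}},
    {"Id": "f-002", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Severity": 5.0, "UpdatedAt": "2024-05-30T08:00:00Z", "Service": {"Archived": False}},
    {"Id": "f-003", "Type": "Exfiltration:S3/AnomalousBehavior",
     "Severity": 8.0, "UpdatedAt": "2024-05-31T12:00:00Z", "Service": {"Archived": False}},
    {"Id": "f-004", "Type": "Execution:EC2/MaliciousFile",
     "Severity": 5.0, "UpdatedAt": "2024-04-01T00:00:00Z", "Service": {"Archived": False}},
    {"Id": "f-005", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
     "Severity": 5.0, "UpdatedAt": "2024-03-01T00:00:00Z", "Service": {"Archived": True}},
    {"Id": "f-006", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "UpdatedAt": "2024-05-31T00:00:00Z", "Service": {"Archived": False}},
]

# Constructed detector records, one per region (shape follows GetDetector output).
DETECTORS = [
    {"DetectorId": "det-prod", "Region": "us-east-1", "Status": "ENABLED",
     "Features": [{"Name": "S3_DATA_EVENTS", "Status": "DISABLED"}]},
    {"DetectorId": "det-eu", "Region": "eu-west-1", "Status": "DISABLED", "Features": []},
]

# Threat purpose (the part of Type before ':') to lane; resource type overrides below.
LANE_BY_PURPOSE = {
    "UnauthorizedAccess": "credential-abuse",
    "CredentialAccess": "credential-abuse",
    "CryptoCurrency": "runtime-compromise",
    "Execution": "runtime-compromise",
    "Backdoor": "runtime-compromise",
    "Exfiltration": "data-exfiltration",
}


def lane_for(finding):
    """Pick a lane from the type string ThreatPurpose:ResourceType/ThreatFamily."""
    purpose, _, rest = finding["Type"].partition(":")
    resource = rest.split("/", 1)[0]
    if resource == "S3":
        return "data-exfiltration"  # every S3 finding goes to the data owner
    if resource == "IAMUser":
        return "credential-abuse"
    return LANE_BY_PURPOSE.get(purpose, "unassigned")  # unrouted types stay visible


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_open(finding):
    return not finding["Service"]["Archived"]


def lane_status(findings):
    """red: an open High finding; yellow: anything open; green: nothing open."""
    open_sev = [f["Severity"] for f in findings if is_open(f)]
    if not open_sev:
        return "green"
    return "red" if max(open_sev) >= RED_SEVERITY else "yellow"


def stale_ids(findings, now=NOW):
    """Open findings whose last update is older than STALE_AFTER."""
    return [f["Id"] for f in findings
            if is_open(f) and now - parse_ts(f["UpdatedAt"]) > STALE_AFTER]


def detector_gaps(detectors):
    """Disabled detectors, plus enabled ones without the S3_DATA_EVENTS feature."""
    gaps = []
    for d in detectors:
        if d["Status"] != "ENABLED":
            gaps.append((d["Region"], "detector disabled"))
            continue
        features = {f["Name"]: f["Status"] for f in d.get("Features", [])}
        if features.get("S3_DATA_EVENTS") != "ENABLED":
            gaps.append((d["Region"], "S3_DATA_EVENTS not enabled"))
    return gaps


def build_board(findings, detectors, now=NOW):
    """One row per lane: status, open count, stale IDs; plus detector coverage."""
    by_lane = {}
    for f in findings:
        by_lane.setdefault(lane_for(f), []).append(f)
    board = {lane: {"status": lane_status(fs),
                    "open": sum(1 for f in fs if is_open(f)),
                    "stale": stale_ids(fs, now)}
             for lane, fs in by_lane.items()}
    gaps = detector_gaps(detectors)
    board["detector-coverage"] = {"status": "red" if gaps else "green", "gaps": gaps}
    return board


BOARD = build_board(FINDINGS, DETECTORS)

if __name__ == "__main__":
    for lane, row in BOARD.items():
        print(f"{lane:20} {row}")
```

Two design points carry over to a real export: archived findings are excluded from status and stale checks but kept in the input so a lane's history is not lost, and finding types whose purpose or resource is not mapped land in an `unassigned` lane rather than being silently dropped, which is how an unrouted family surfaces during review. The `S3_DATA_EVENTS` check reads the per-detector `Features` list; on a real account the same check should run against every region's detector, since a disabled region is as much a coverage gap as a disabled feature.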