In the cloud, incident response can be automated to a far greater degree than is typically possible on-premises. This is because the information an incident response process needs for decision making is usually already available: a complete record of API calls in AWS CloudTrail, a configuration inventory and its change history in AWS Config, and Amazon EventBridge (formerly Amazon CloudWatch Events), which integrates services so that a response flow can be triggered by a specific event.
The following video shows an example of an advanced incident response process that has been automated to run in minutes.
Risk Mitigation
During an active security incident, the time it takes incident responders to gather forensic evidence and contain the threat is critical to reducing the impact of the incident. Automations can help speed up the incident
Guidance for assessments
Do you have an automated way to gather forensic evidence from a compromised compute resource (such as an EC2 instance)?
Do you have an automated way to isolate a compromised compute resource?
Have you properly tested your automation?
If it involves human approvals: Is the approval request sent to more than one person? Is there an SLA, with escalations, for making the decision?
If it does NOT involve human approvals: Is the business process associated with the asset taken into account, so that automatically isolating the asset does not cause more harm than good?
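As an added example (not from this page and not AWS's own automation), the following Python Lambda handler sketches the flow described in the opening paragraph and asked about in the questions above: an Amazon EventBridge rule forwards a GuardDuty finding, the handler protects the instance from termination, swaps its security groups for a quarantine group, snapshots its EBS volumes for forensics, and refuses to act on instances whose owners have tagged them for manual approval (the no-human-approval caveat in the last question). The quarantine security group ID, the `IsolationPolicy` tag convention, the severity threshold, the GuardDuty event shape, the sample inventory and the `FakeEc2` stub are all assumptions constructed for the example; the `boto3` calls are the real EC2 client API, and in Lambda you would drop the stub and let the handler create a real client.

```python
"""Automated containment of a compromised EC2 instance (added example).
EventBridge delivers a GuardDuty finding -> Lambda handler -> contain and
preserve evidence. Exercised here against a constructed in-memory stub so
the file runs offline; the API calls are the boto3 EC2 client's."""
from datetime import datetime, timezone

QUARANTINE_SG = "sg-0quarantine00000000"  # assumed: SG with no inbound/outbound rules
APPROVAL_TAG = "IsolationPolicy"           # assumed tag; "manual-approval" => human decides
MIN_SEVERITY = 7.0                         # assumed: act only on High/Critical findings


def instance_id_from_event(event):
    """Return the instance ID from a GuardDuty finding event, or None."""
    if event.get("source") != "aws.guardduty":
        return None
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource["instanceDetails"]["instanceId"]


def quarantine_instance(ec2, instance_id, quarantine_sg=QUARANTINE_SG):
    """Contain the instance and preserve evidence; ec2 is a boto3 EC2 client."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    # Assessment caveat: some assets must not be isolated without a human decision.
    if tags.get(APPROVAL_TAG) == "manual-approval":
        return {"instance": instance_id, "action": "approval-required", "snapshots": []}

    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    # 1. Keep the evidence alive: block API termination (by an attacker or an ASG).
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    # 2. Contain: replace every ENI's security groups with the quarantine group.
    for eni in inst.get("NetworkInterfaces", []):
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
    # 3. Acquire: snapshot every attached EBS volume, tagged back to the incident.
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR evidence {instance_id} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "IncidentInstance", "Value": instance_id}]}])
        snapshots.append(snap["SnapshotId"])
    # 4. Record the state where responders and other automation can see it.
    ec2.create_tags(Resources=[instance_id], Tags=[{"Key": "Quarantined", "Value": stamp}])
    return {"instance": instance_id, "action": "isolated", "snapshots": snapshots}


def handler(event, context=None, ec2=None):
    """Lambda entry point: filter the finding, then contain the instance."""
    if ec2 is None:
        import boto3  # only needed when running inside AWS
        ec2 = boto3.client("ec2")
    instance_id = instance_id_from_event(event)
    if instance_id is None or float(event["detail"].get("severity", 0)) < MIN_SEVERITY:
        return {"action": "ignored"}
    return quarantine_instance(ec2, instance_id)


class FakeEc2:
    """Constructed stand-in for the boto3 EC2 client (offline demo only)."""
    def __init__(self, instances):
        self.instances, self.calls = instances, []   # calls: list of (api, kwargs)
    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}
    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": f"snap-{len(self.calls):016x}"}
    def __getattr__(self, api):                      # every other mutating call is just logged
        return lambda **kw: self.calls.append((api, kw))


def make_event(instance_id, severity):
    """Constructed GuardDuty finding as delivered by EventBridge (shape assumed)."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"severity": severity, "type": "Backdoor:EC2/C&CActivity.B!DNS",
                       "resource": {"resourceType": "Instance",
                                    "instanceDetails": {"instanceId": instance_id}}}}


# Constructed inventory: a web server with two volumes, and a database whose
# owners require a human decision before isolation.
SAMPLE_INSTANCES = {
    "i-0aaa000000000001": {"InstanceId": "i-0aaa000000000001", "Tags": [],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0a"}},
                                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0b"}}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0a", "Groups": [{"GroupId": "sg-web"}]}]},
    "i-0bbb000000000002": {"InstanceId": "i-0bbb000000000002",
        "Tags": [{"Key": APPROVAL_TAG, "Value": "manual-approval"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0c"}}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0b", "Groups": [{"GroupId": "sg-db"}]}]},
}


def run_demo():
    """Drive the handler with three findings; returns (results, API calls made)."""
    ec2 = FakeEc2(SAMPLE_INSTANCES)
    results = [handler(make_event("i-0aaa000000000001", 8.0), ec2=ec2),   # isolated
               handler(make_event("i-0bbb000000000002", 8.0), ec2=ec2),   # needs approval
               handler(make_event("i-0aaa000000000001", 2.0), ec2=ec2)]   # too low, ignored
    return results, ec2.calls
```

Calling `run_demo()` shows the three outcomes side by side: the web server is protected, isolated and snapshotted, the tagged database comes back as `approval-required` for a human to decide, and the low-severity finding is ignored. The tag check is what makes the automation safe to run without a human in the loop; the EventBridge rule itself should also filter on `source: aws.guardduty` and a severity threshold so the in-handler check is defence in depth. Before wiring this to production findings, test it (the third assessment question) against a disposable instance and verify that the quarantine security group really has no rules.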