Based on a real-world scenario, I intervened in a multi-stage cloud data breach incident. In the AWS environment, I analyzed S3 data event logs (s3_data_events) and CloudTrail logs using SQL queries. As a result of this analysis, I identified that the attacker had compromised the S3Reader role with STS AssumeRole, and I identified the IAM user Moe.Jito, who performed this action, and the Lambda function named credrotator, whose code was manipulated for exfiltration. Deepening the investigation, I found the source IP address from the SSH logs on the EC2 server, which was the attacker’s initial access point. In the final stage, I connected to an external HTTP server with curl to delete the confidential data before it was disclosed and prepared a comprehensive incident response report including all findings.
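The link between an AssumeRole call and the S3 reads that follow it is the temporary access key that STS issues. The following is an added example, not the author's queries, that joins on that key. The `cloudtrail` table name, the flattened column names and every sample row (account ID, keys, IPs, timestamps) are constructed assumptions; only `s3_data_events`, S3Reader and Moe.Jito come from the text.

```python
import sqlite3

# Constructed sample rows; flattened column names are assumptions, not the page's schema.
CLOUDTRAIL = [
    # (eventTime, eventName, caller_arn, role_arn, issued_access_key_id, sourceIPAddress)
    ("2024-01-01T10:00:00Z", "AssumeRole", "arn:aws:iam::111122223333:user/Moe.Jito",
     "arn:aws:iam::111122223333:role/S3Reader", "ASIAEXAMPLEKEY0001", "198.51.100.7"),
    ("2024-01-01T11:00:00Z", "AssumeRole", "arn:aws:iam::111122223333:user/build-svc",
     "arn:aws:iam::111122223333:role/Deployer", "ASIAEXAMPLEKEY0002", "203.0.113.20"),
]
S3_DATA_EVENTS = [
    # (eventTime, eventName, access_key_id, bucket, object_key)
    ("2024-01-01T10:02:00Z", "GetObject", "ASIAEXAMPLEKEY0001", "example-confidential", "a.csv"),
    ("2024-01-01T10:03:00Z", "GetObject", "ASIAEXAMPLEKEY0001", "example-confidential", "b.csv"),
    ("2024-01-01T11:05:00Z", "PutObject", "ASIAEXAMPLEKEY0002", "example-artifacts", "build.zip"),
]

QUERY = """
SELECT ct.caller_arn, ct.sourceIPAddress, ct.eventTime AS assumed_at,
       COUNT(*) AS objects_read, MIN(s3.eventTime) AS first_read, MAX(s3.eventTime) AS last_read
FROM cloudtrail ct
JOIN s3_data_events s3
  ON s3.access_key_id = ct.issued_access_key_id   -- session key ties reads to the AssumeRole call
 AND s3.eventTime >= ct.eventTime
WHERE ct.eventName = 'AssumeRole'
  AND ct.role_arn LIKE '%:role/' || ?
  AND s3.eventName = 'GetObject'
GROUP BY ct.caller_arn, ct.sourceIPAddress, ct.eventTime
ORDER BY assumed_at
"""

def who_read_via_role(role_name):
    """Return one row per AssumeRole session of role_name that read S3 objects."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cloudtrail (eventTime, eventName, caller_arn, role_arn,"
               " issued_access_key_id, sourceIPAddress)")
    db.execute("CREATE TABLE s3_data_events (eventTime, eventName, access_key_id,"
               " bucket, object_key)")
    db.executemany("INSERT INTO cloudtrail VALUES (?,?,?,?,?,?)", CLOUDTRAIL)
    db.executemany("INSERT INTO s3_data_events VALUES (?,?,?,?,?)", S3_DATA_EVENTS)
    return db.execute(QUERY, (role_name,)).fetchall()

if __name__ == "__main__":
    for row in who_read_via_role("S3Reader"):
        print(row)
```

In raw CloudTrail records the issued key is `responseElements.credentials.accessKeyId` on the AssumeRole event and the session's key is `userIdentity.accessKeyId` on the later S3 data events.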