Tags: ai, cybersecurity, vendor news · The Broadside · 1 min read

AWS pitches Kiro CLI for GuardDuty investigations

The useful part is command discipline; the dangerous part is letting an AI terminal assistant touch live incident response paths.


TL;DR

AWS Security Blog showed Kiro CLI investigating a high-severity Amazon GuardDuty finding by proposing AWS CLI commands, explaining them, waiting for approval, and documenting the run. AWS security analysts working across GuardDuty, AWS CloudTrail, Amazon EC2, IAM, SNS, EventBridge and EBS snapshots are the target users. The claim is speed, “minutes rather than hours,” but the operational question is still approval boundaries, credentials and logs.

AWS is putting Kiro CLI in a familiar place: the terminal window where incident responders already live when GuardDuty lights up. The blog walks through an AWS Security Incident Response Guide-style investigation, from discovery and EC2 resource analysis through containment, evidence preservation, CloudTrail scope review, proactive alerting, and reusable steering files. Kiro CLI proposes AWS CLI commands, explains what they do, waits for analyst approval, and documents findings.

That is a real workflow improvement if the alternative is a tired analyst reconstructing GuardDuty, IAM, EC2, CloudTrail, EBS, SNS and EventBridge syntax during an active incident. The best version of this tool is not “AI investigates for you.” It is a command-and-context layer that reduces recall burden while preserving human authorization at the point where cloud resources can be isolated, permissions revoked, or forensic snapshots created.

The vendor claim should still be read like a vendor claim. “Minutes rather than hours” depends on the environment, the quality of existing logging, IAM scoping, prior preparation, and whether responders trust the generated commands enough to execute them. AWS also has its own recent reminder that terminal-based AI assistants are part of the attack surface: CVE-2026-9255 affected kiro-cli before version 1.28.0 and could allow tool execution without user approval through crafted piped stdin, according to AWS’s bulletin at https://aws.amazon.com/security/security-bulletins/2026-035-aws/.

Practitioners testing this should start in a sandbox, pin the Kiro CLI version, review the AWS profile it uses, and decide which incident-response actions require a second human approval. The productivity gain is plausible. So is the failure mode: an assistant that makes the fastest path also becomes the path everyone stops questioning.
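The approval boundary the two preceding paragraphs keep returning to (single approval for read-only queries, a second human for anything that isolates a resource, revokes a credential or creates a snapshot) is easy to describe and easy to lose under time pressure. The following is an added example, not Kiro CLI's code or anything AWS ships: a small gate that classifies an `aws ...` command string before a responder approves it. The `SECOND_APPROVAL` table, the `classify`, `gate` and `summarize` names, and the sample commands are all constructed for illustration; the operation names themselves are real AWS CLI subcommands, but which ones need two approvers is a policy choice for your team.

```python
"""Approval-boundary gate for AWS CLI commands proposed by a terminal assistant.

Added example, not Kiro CLI's own logic. A proposed command is sorted into
read_only (one approval), mutating (one approval, logged), second_approval
(containment or evidence actions that need a second human) or chained
(several commands glued together, which must be split before any approval).
Verb lists and sample commands are constructed for this example.
"""
from __future__ import annotations

import shlex
from collections import Counter
from dataclasses import dataclass

# Operation prefixes the AWS CLI uses for read-only calls.
READ_ONLY_PREFIXES = ("describe-", "get-", "list-", "lookup-", "search-", "filter-", "head-")

# Hypothetical policy table: state-changing IR actions that require a second approver.
SECOND_APPROVAL = {
    "ec2": {"modify-instance-attribute", "modify-network-interface-attribute", "create-snapshot",
            "stop-instances", "terminate-instances", "revoke-security-group-ingress",
            "revoke-security-group-egress"},
    "iam": {"update-access-key", "delete-access-key", "put-user-policy", "attach-user-policy",
            "detach-user-policy", "put-role-policy", "delete-user"},
    "guardduty": {"archive-findings", "update-findings-feedback"},
    "sns": {"publish"},
    "events": {"put-rule", "put-targets"},
}

# Global options that consume the next token when they appear before the service name.
VALUE_OPTIONS = {"--profile", "--region", "--output", "--endpoint-url", "--query"}

# Anything that turns "one command" into a pipeline, chain or redirection.
SHELL_CONTROL = (";", "&&", "||", "|", ">", "<", "$(", "`")


@dataclass(frozen=True)
class Verdict:
    tier: str
    service: str | None
    operation: str | None
    reason: str


def classify(command: str) -> Verdict:
    """Return the approval tier for one proposed shell line."""
    for ctl in SHELL_CONTROL:
        if ctl in command:
            return Verdict("chained", None, None,
                           f"shell control operator {ctl!r}: split and approve each command on its own")
    try:
        tokens = shlex.split(command)
    except ValueError as exc:
        return Verdict("chained", None, None, f"unparseable command line: {exc}")
    if not tokens or tokens[0] != "aws":
        return Verdict("not_aws", None, None, "not an aws CLI invocation")

    service = operation = None
    dry_run = False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--dry-run":
            dry_run = True
        elif tok.startswith("-"):
            # A global option with a value before the service name consumes the next token.
            if operation is None and tok in VALUE_OPTIONS:
                i += 1
        elif service is None:
            service = tok
        elif operation is None:
            operation = tok
        i += 1

    if service is None or operation is None:
        return Verdict("not_aws", service, operation, "missing service or operation")
    if dry_run and service == "ec2":
        # EC2 --dry-run only checks permissions; nothing changes.
        return Verdict("read_only", service, operation, "--dry-run: permission check only")
    if operation in SECOND_APPROVAL.get(service, set()):
        return Verdict("second_approval", service, operation,
                       "isolates, revokes or snapshots: needs a second human approver")
    if operation.startswith(READ_ONLY_PREFIXES):
        return Verdict("read_only", service, operation, "read-only query, single approval")
    return Verdict("mutating", service, operation, "state-changing, single approval with logged intent")


def gate(commands: list[str]) -> list[tuple[str, str]]:
    """Pair each proposed command with its tier, in the order it was proposed."""
    return [(cmd, classify(cmd).tier) for cmd in commands]


def summarize(commands: list[str]) -> dict[str, int]:
    """Count commands per tier, so a run can be checked against expectations."""
    return dict(Counter(tier for _, tier in gate(commands)))


# Constructed sample of what an assistant might propose during a GuardDuty investigation.
PROPOSED = [
    "aws --profile ir-readonly guardduty get-findings --detector-id 12abc --finding-ids abcd1234",
    "aws ec2 describe-instances --instance-ids i-0123456789abcdef0",
    "aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0123456789abcdef0",
    "aws ec2 create-snapshot --volume-id vol-0123456789abcdef0 --description 'IR evidence'",
    "aws ec2 modify-instance-attribute --instance-id i-0123456789abcdef0 --groups sg-quarantine",
    "aws iam update-access-key --user-name svc-build --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive",
    "aws ec2 modify-instance-attribute --instance-id i-0123456789abcdef0 --groups sg-quarantine --dry-run",
    "aws ec2 describe-instances && aws ec2 terminate-instances --instance-ids i-0123456789abcdef0",
]

if __name__ == "__main__":
    for cmd, tier in gate(PROPOSED):
        print(f"{tier:16} {cmd}")
```

The gate is deliberately conservative: a chained line is never approved as a unit, because the first half may be the harmless `describe-instances` that a reader skims while the second half terminates the instance. Run it on the assistant's proposals before they reach the approval prompt, and keep the verdict next to the command in the incident log so the "minutes rather than hours" record also shows who approved what.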


Published · Deep Fathom