Meeting CERT-In's 6-Hour Incident Reporting Rule on AWS
India's CERT-In Cyber Security Directions give you six hours from noticing a cyber incident to filing an initial report. This is the practical playbook for AWS workloads in ap-south-1 and ap-south-2.
Inside the guide
India's CERT-In requires you to file an initial incident report within six hours of noticing any of 20 reportable cyber incident categories. The rule applies to anyone running services used in India — including AWS workloads in ap-south-1 (Mumbai) and ap-south-2 (Hyderabad), and including foreign-headquartered companies serving Indian customers. To meet the deadline you need three things in place before an incident occurs: a defined trigger for "noticing," a pre-staged report template aligned to CERT-In's Annexure II format, and a logging stack that already complies with the 180-day-in-India retention rule. This guide walks through how to build all three on AWS.
- The full regulatory rule in plain language
- An hour-by-hour (or day-by-day) runbook
- The pre-incident AWS hardening that meets the standard
- Common mistakes seen in practice
- What to do this week to get ahead
Frequently asked questions
- How long do I have to report a cyber incident to CERT-In?
- Six hours from the moment your organisation notices the incident. The clock starts when a responsible person inside your organisation becomes aware of a reportable incident — not when the SOC alert fires, and not when forensics completes.
- Does the CERT-In 6-hour rule apply to AWS workloads?
- Yes. The CERT-In Cyber Security Directions apply to any service provider, intermediary, body corporate, or government organisation operating systems used by people in India. Running on AWS in ap-south-1, ap-south-2, or any other region does not change the obligation — the workload's location is irrelevant to the reporting duty.
- Where do I send the CERT-In incident report?
- Email incident@cert-in.org.in or use the online portal at incident.cert-in.org.in. The CERT-In helpdesk on +91-1800-11-4949 is available for urgent assistance. Use the format specified in Annexure II of the 28 April 2022 directions.
- Does Amazon Time Sync Service satisfy CERT-In's NTP requirement?
- Probably not, at least not unambiguously. CERT-In requires synchronisation to NPL (time.nplindia.org) or NIC (samay1.nic.in / samay2.nic.in) NTP servers, or servers traceable to them. Amazon Time Sync Service is traceable to UTC via GPS and atomic clocks but is not explicitly traceable to NPL or NIC. To remove ambiguity, configure chrony or ntpd on EC2 to point at the NPL or NIC servers directly.
- Can I store my AWS logs outside India?
- Not for the purposes of CERT-In compliance. The directions require ICT system logs to be maintained within India for a rolling 180 days. For AWS this means CloudTrail, CloudWatch Logs, VPC flow logs, and application logs must be stored in ap-south-1 (Mumbai) or ap-south-2 (Hyderabad). Replicating to a non-Indian region for resilience is fine, but the Indian copy is mandatory.
- What if I miss the 6-hour deadline?
- Non-compliance with the directions is an offence under section 70B(7) of the IT Act 2000, punishable by imprisonment of up to one year, a fine of up to one lakh rupees, or both. CERT-In has historically prioritised guidance over enforcement, but the legal exposure is real. If you miss the deadline, file as soon as possible and document the reasons for the delay.
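The 180-day in-India log retention rule from the FAQ answer on log storage can be checked mechanically before an incident occurs. The following is an added example, not part of the original guide: it audits a constructed inventory of log stores and reports every log source that lacks a compliant copy in ap-south-1 or ap-south-2. The record fields, store names, and the `audit` helper are assumptions made for illustration.

```python
from collections import defaultdict

INDIA_REGIONS = {"ap-south-1", "ap-south-2"}  # Mumbai, Hyderabad
MIN_RETENTION_DAYS = 180                      # rolling retention required in India

# Constructed sample inventory (hypothetical names). retention_days=None means
# the store never expires data, e.g. a log group with no retention policy set.
SAMPLE = [
    {"source": "cloudtrail", "store": "s3://example-trail-mumbai", "region": "ap-south-1", "retention_days": 365},
    {"source": "cloudtrail", "store": "s3://example-trail-replica", "region": "eu-west-1", "retention_days": 365},
    {"source": "vpc-flow-logs", "store": "s3://example-flow-logs", "region": "us-east-1", "retention_days": 400},
    {"source": "app-logs", "store": "/example/app", "region": "ap-south-1", "retention_days": 90},
    {"source": "cloudwatch", "store": "/example/system", "region": "ap-south-2", "retention_days": None},
]

def india_copy_ok(store):
    """True if the store is in an Indian region and keeps logs for >= 180 days."""
    days = store["retention_days"]
    return store["region"] in INDIA_REGIONS and (days is None or days >= MIN_RETENTION_DAYS)

def audit(stores):
    """Return {source: reason} for each log source with no compliant Indian copy.

    A replica outside India is allowed, but it never substitutes for the
    Indian copy, so each source needs at least one store passing india_copy_ok.
    """
    by_source = defaultdict(list)
    for s in stores:
        by_source[s["source"]].append(s)

    findings = {}
    for source, copies in by_source.items():
        if any(india_copy_ok(c) for c in copies):
            continue
        indian = [c for c in copies if c["region"] in INDIA_REGIONS]
        if not indian:
            findings[source] = "no copy in ap-south-1 or ap-south-2"
        else:
            # Every Indian copy here has a finite retention below the minimum.
            best = max(c["retention_days"] for c in indian)
            findings[source] = f"Indian copy retains only {best} days (< {MIN_RETENTION_DAYS})"
    return findings

if __name__ == "__main__":
    for source, reason in audit(SAMPLE).items():
        print(f"NON-COMPLIANT {source}: {reason}")
```

In practice the inventory would be built from your own account data (trail buckets, log groups, flow log destinations) rather than typed by hand.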