ECS Forensics and Incident Response
2 min read · Aug 21, 2023
Continuing our series on Cloud Forensics and Incident Response — our latest video covers AWS ECS:
What is ECS?
How does GuardDuty work with ECS?
Container Investigation Data Sources in AWS
EKS Audit / Control Plane Logs
- Shows: API Level Calls
- Usefulness: Medium
- Collected by: S3
CloudTrail Logs
- Shows: API Level Calls
- Usefulness: Low
- Collected by: S3
Docker Container Filesystems
- Normally the overlay2 layered (union) filesystem
- Contains all the files from all the containers
- Usefulness: High
- Collected by: EC2 EBS (API) or Cado Host (SSM/SSH)
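The overlay2 data source above is usually the most valuable artifact on an acquired EBS volume, but the layout under the Docker data root is not self-explanatory. The following is an added example (not code from the post or from Cado Security) that resolves each container ID on a mounted image to its name, image, writable overlay2 layer and json-file log. It assumes the standard Docker data root layout (`/var/lib/docker`, here replaced by a constructed temporary directory so it runs offline): `containers/<id>/config.v2.json`, `image/overlay2/layerdb/mounts/<id>/mount-id`, and `overlay2/<mount-id>/diff`. The `diff` directory of the writable layer holds only files the container itself created or modified, which is exactly what an investigator wants to triage first.

```python
"""Map Docker container IDs to their overlay2 writable layers on a mounted disk image.

Added example, not from the original post or from Cado Security.
Assumed layout (standard Docker data root, normally /var/lib/docker):
  <root>/containers/<id>/config.v2.json               -> container name and image
  <root>/image/overlay2/layerdb/mounts/<id>/mount-id  -> overlay2 directory name
  <root>/overlay2/<mount-id>/diff                     -> files written by the container
  <root>/containers/<id>/<id>-json.log                -> stdout/stderr (json-file log driver)
"""
import json
import os
import tempfile
from dataclasses import dataclass


@dataclass
class ContainerArtifacts:
    container_id: str
    name: str
    image: str
    upper_dir: str   # writable layer: only files the container created/modified live here
    log_file: str


def map_containers(docker_root: str) -> list[ContainerArtifacts]:
    """Walk <docker_root>/containers and resolve each container's overlay2 upper dir."""
    results = []
    containers_dir = os.path.join(docker_root, "containers")
    if not os.path.isdir(containers_dir):
        return results
    for cid in sorted(os.listdir(containers_dir)):
        cfg_path = os.path.join(containers_dir, cid, "config.v2.json")
        try:
            with open(cfg_path, encoding="utf-8") as f:
                cfg = json.load(f)
        except (OSError, json.JSONDecodeError):
            continue  # not a container directory or a damaged config: skip, keep going
        mount_id_path = os.path.join(
            docker_root, "image", "overlay2", "layerdb", "mounts", cid, "mount-id")
        try:
            with open(mount_id_path, encoding="utf-8") as f:
                mount_id = f.read().strip()
        except OSError:
            mount_id = ""  # layerdb entry missing (e.g. container removed); record it anyway
        upper_dir = os.path.join(docker_root, "overlay2", mount_id, "diff") if mount_id else ""
        results.append(ContainerArtifacts(
            container_id=cid,
            name=cfg.get("Name", "").lstrip("/"),
            image=cfg.get("Config", {}).get("Image", ""),
            upper_dir=upper_dir,
            log_file=os.path.join(containers_dir, cid, f"{cid}-json.log"),
        ))
    return results


def list_written_files(upper_dir: str) -> list[str]:
    """Relative paths of every file in the writable layer, i.e. written by the container."""
    found = []
    for dirpath, _, filenames in os.walk(upper_dir):
        for fn in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, fn), upper_dir))
    return sorted(found)


def build_sample_docker_root() -> str:
    """Constructed sample data root with one container; stands in for a mounted image."""
    root = tempfile.mkdtemp(prefix="docker-root-")
    cid = "a" * 64        # constructed container ID
    mount_id = "b" * 64   # constructed overlay2 mount ID
    cdir = os.path.join(root, "containers", cid)
    os.makedirs(cdir)
    with open(os.path.join(cdir, "config.v2.json"), "w", encoding="utf-8") as f:
        json.dump({"Name": "/ecs-web-1-app-constructed",
                   "Config": {"Image": "example.invalid/web:1.0"}}, f)
    with open(os.path.join(cdir, f"{cid}-json.log"), "w", encoding="utf-8") as f:
        f.write('{"log":"constructed log line\\n","stream":"stdout","time":"2023-08-21T00:00:00Z"}\n')
    mdir = os.path.join(root, "image", "overlay2", "layerdb", "mounts", cid)
    os.makedirs(mdir)
    with open(os.path.join(mdir, "mount-id"), "w", encoding="utf-8") as f:
        f.write(mount_id)
    diff = os.path.join(root, "overlay2", mount_id, "diff")
    os.makedirs(os.path.join(diff, "var", "log"))
    os.makedirs(os.path.join(diff, "tmp"))
    open(os.path.join(diff, "var", "log", "app.log"), "w").close()
    open(os.path.join(diff, "tmp", "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    for art in map_containers(build_sample_docker_root()):
        print(art.name, art.image, list_written_files(art.upper_dir))
```

On a real acquisition, point `map_containers` at the mounted volume's Docker data root rather than the constructed directory; the lower (image) layers are reachable from the same `mount-id` directory via its `lower` file, but the writable `diff` layer is where attacker-created files show up.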
Docker Logs
- Logs what containers were started, stopped
- Usefulness: Medium
- Collected by: EC2 Import or Cado Host
Container Filesystems
- Live filesystem as seen from inside the container, plus memory
- Contains all the files from all the containers
- Usefulness: Very High
- Collected by: Cado Host (ECS Exec/kubectl exec)
How do you Acquire an Amazon ECS System in Cado?
How do you Investigate an ECS Container in Cado?
Requires enableExecuteCommand (ECS Exec) on the task
https://docs.cadosecurity.com/cado-response/discovery-import/import/aws/aws-ecs
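Because live acquisition of an ECS container depends on ECS Exec, the first triage step is to find out which tasks actually have it usable. The following is an added example (not code from the post or from Cado Security) that parses the JSON returned by `aws ecs describe-tasks` and reports, per task, whether `enableExecuteCommand` is true and whether each container's `ExecuteCommandAgent` managed agent is `RUNNING`; both are needed before `aws ecs execute-command` will connect. The sample response, account ID and task ARNs are constructed. One caveat worth knowing before an incident: enabling ECS Exec on an existing service (`aws ecs update-service --enable-execute-command`) only takes effect for tasks started by a new deployment, so a task that is already running without it cannot be reached this way, and disk or snapshot acquisition is the fallback.

```python
"""Triage which ECS tasks can be acquired over ECS Exec.

Added example (not from the post or from Cado Security). Input is the JSON
from `aws ecs describe-tasks --cluster <cluster> --tasks <arn...>`. A container
is reachable only when the task has enableExecuteCommand=true AND the container
carries an ExecuteCommandAgent managed agent whose lastStatus is RUNNING.
Sample data below is constructed, not captured from a real account.
"""
import json

# Constructed describe-tasks response; account ID and task IDs are placeholders.
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [
        {   # task 1: exec enabled and agent running -> acquirable live
            "taskArn": "arn:aws:ecs:us-east-1:111111111111:task/example-cluster/aaaa1111",
            "lastStatus": "RUNNING",
            "enableExecuteCommand": True,
            "containers": [
                {"name": "app", "lastStatus": "RUNNING",
                 "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]},
            ],
        },
        {   # task 2: exec never enabled -> must fall back to disk acquisition
            "taskArn": "arn:aws:ecs:us-east-1:111111111111:task/example-cluster/bbbb2222",
            "lastStatus": "RUNNING",
            "enableExecuteCommand": False,
            "containers": [{"name": "app", "lastStatus": "RUNNING", "managedAgents": []}],
        },
        {   # task 3: exec enabled but the agent did not start in one container
            "taskArn": "arn:aws:ecs:us-east-1:111111111111:task/example-cluster/cccc3333",
            "lastStatus": "RUNNING",
            "enableExecuteCommand": True,
            "containers": [
                {"name": "app", "lastStatus": "RUNNING",
                 "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "STOPPED",
                                    "reason": "constructed: agent failed to start"}]},
                {"name": "sidecar", "lastStatus": "RUNNING", "managedAgents": []},
            ],
        },
    ],
    "failures": [],
})


def exec_status(describe_tasks_json: str) -> dict[str, dict]:
    """Return {taskArn: {"enable_execute_command": bool,
                         "containers": {name: reason},
                         "ready_containers": [names]}}."""
    report = {}
    data = json.loads(describe_tasks_json)
    for task in data.get("tasks", []):
        enabled = bool(task.get("enableExecuteCommand", False))
        containers = {}
        for c in task.get("containers", []):
            agents = {a.get("name"): a.get("lastStatus") for a in c.get("managedAgents", [])}
            state = agents.get("ExecuteCommandAgent")
            if not enabled:
                reason = "enableExecuteCommand is false on the task"
            elif state is None:
                reason = "no ExecuteCommandAgent on this container"
            elif state != "RUNNING":
                reason = f"ExecuteCommandAgent is {state}"
            else:
                reason = "ready"
            containers[c["name"]] = reason
        report[task["taskArn"]] = {
            "enable_execute_command": enabled,
            "containers": containers,
            "ready_containers": sorted(n for n, r in containers.items() if r == "ready"),
        }
    return report


def execute_command_argv(cluster: str, task_arn: str, container: str,
                         command: str = "/bin/sh") -> list[str]:
    """Build the AWS CLI invocation for an interactive ECS Exec session (not executed here)."""
    return ["aws", "ecs", "execute-command", "--cluster", cluster, "--task", task_arn,
            "--container", container, "--interactive", "--command", command]


if __name__ == "__main__":
    for arn, info in exec_status(SAMPLE_DESCRIBE_TASKS).items():
        print(arn.rsplit("/", 1)[-1], info["ready_containers"] or info["containers"])
```

Feed the real `describe-tasks` output in place of `SAMPLE_DESCRIBE_TASKS`; tasks that report no ready containers are the ones to acquire from the container instance's EBS volume instead.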
How do you Remediate a compromised ECS Cluster?
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ecs