AWS Incident Response and Forensics
In Amazon Web Services, forensics is a little different. Below I’ve outlined some of the core techniques.
We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.
Acquiring an EC2 Instance
Drives / Volumes
To acquire the drive of a compromised instance, you have to:
- Make snapshots of the volumes attached to the compromised instance
- Attach the snapshots to another instance for analysis, and mount them
You can then analyse the disks as you normally would, using tools such as EnCase or log2timeline.
Memory
Acquiring memory requires you to either run a traditional memory dumping tool within the instance itself, or to remotely run a tool such as Margarita Shotgun:
margaritashotgun --server 172.1.0.10 --username root --key root_access.pem --module lime-3.13.0-74-generic.ko --filename 172.1.0.10-mem.lime
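The acquisition steps above (snapshot the volumes, attach them to an analysis instance, mount them, and dump memory) as a set of shell functions. This is an added example, not code from the original post or from any product it mentions. It assumes AWS CLI v2 with credentials allowed to create snapshots and volumes, margaritashotgun installed on the analyst workstation, and that the LiME module for a given kernel is named lime-<release>.ko, as in the module name shown above. The run helper, DRY_RUN switch, instance, volume and device names are all my own placeholders.

```shell
#!/bin/sh
# Added example: acquire disk and memory from a compromised EC2 instance.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print the EBS volume ids attached to an instance, one per line.
list_volumes() {
  run aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
    --output text | tr '\t' '\n'
}

# Snapshot one volume. The case tag keeps the snapshot out of routine
# clean-up jobs and ties it to the investigation. Prints the snapshot id.
snapshot_volume() {
  run aws ec2 create-snapshot --volume-id "$1" \
    --description "Forensic image of $1, case $2" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=Case,Value=$2},{Key=SourceVolume,Value=$1}]" \
    --query SnapshotId --output text
}

# Turn a completed snapshot into a volume in the analysis instance's
# availability zone and attach it. Both instances must be in the same region.
attach_to_analysis() {
  snap="$1"; az="$2"; analysis="$3"; device="$4"
  run aws ec2 wait snapshot-completed --snapshot-ids "$snap"
  vol=$(run aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
        --query VolumeId --output text)
  run aws ec2 wait volume-available --volume-ids "$vol"
  run aws ec2 attach-volume --volume-id "$vol" --instance-id "$analysis" --device "$device"
}

# On the analysis instance: hash the evidence device before touching it, then
# mount it read-only. For ext4, 'noload' stops the journal being replayed,
# which would otherwise write to the evidence even under a read-only mount.
mount_evidence() {
  dev="$1"; mnt="$2"
  run sha256sum "$dev"
  run mkdir -p "$mnt"
  run mount -o ro,noload "$dev" "$mnt"
}

# The LiME module must match the target's exact kernel release.
# Naming convention assumed from the module name in the post.
lime_module_name() { printf 'lime-%s.ko\n' "$1"; }

# Ask the instance for its kernel release, pick the matching module, then
# pull memory over SSH with margaritashotgun and hash the resulting dump.
dump_memory() {
  host="$1"; key="$2"
  release=$(run ssh -i "$key" "root@$host" uname -r)
  run margaritashotgun --server "$host" --username root --key "$key" \
    --module "$(lime_module_name "$release")" --filename "$host-mem.lime"
  run sha256sum "$host-mem.lime"
}

# Typical order (constructed placeholder ids):
#   for v in $(list_volumes i-0123456789abcdef0); do
#     s=$(snapshot_volume "$v" CASE-42)
#     attach_to_analysis "$s" eu-west-1a i-0fedcba9876543210 /dev/sdf
#   done
#   dump_memory 172.1.0.10 root_access.pem
```

Dump memory before the snapshot if you can get to the host quickly, since snapshotting does not touch memory and the process list, network connections and injected code only live there. Record the hashes printed by sha256sum in the case notes so the images can be shown to be unchanged later.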
Responding
How to disable an access key
Perhaps Amazon have told you that you’ve accidentally published a key on GitHub, or you’ve identified that a host holding the key has been compromised. You can disable the key with the AWS CLI:
aws iam update-access-key --access-key-id EXAMPLE --status Inactive --user-name user
How to isolate a compromised EC2 host
You may want to isolate a compromised host to contain the infection.
There are scripts to do so here.
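The two response steps in this section, disabling an access key and isolating an EC2 host, as shell functions. This is an added example and is not the scripts linked above or any code from the original post. It assumes AWS CLI v2 with IAM and EC2 permissions; the run helper, DRY_RUN switch, group name and all ids are my own placeholders (the access key id below is AWS's documented example value).

```shell
#!/bin/sh
# Added example: first-response actions for a leaked key and a compromised host.
# Set DRY_RUN=1 to print each command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Record when, and from which service and region, the key was last used (it
# goes in the timeline), then set it Inactive rather than deleting it so the
# key id remains for matching against CloudTrail.
disable_access_key() {
  user="$1"; key_id="$2"
  run aws iam get-access-key-last-used --access-key-id "$key_id"
  run aws iam update-access-key --user-name "$user" --access-key-id "$key_id" --status Inactive
}

# Build, once per VPC, a security group with no inbound rules and the default
# allow-all outbound rule removed. Prints the group id.
create_quarantine_sg() {
  vpc="$1"
  sg=$(run aws ec2 create-security-group --vpc-id "$vpc" --group-name forensic-quarantine \
        --description "No inbound, no outbound: isolation for compromised hosts" \
        --query GroupId --output text)
  run aws ec2 revoke-security-group-egress --group-id "$sg" \
    --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
  printf '%s\n' "$sg"
}

# Isolate a host: save its current security groups for the record, move it to
# the quarantine group only, stop it being terminated (and the evidence lost),
# and tag it so nobody mistakes it for a healthy instance.
isolate_instance() {
  instance="$1"; quarantine_sg="$2"
  run aws ec2 describe-instances --instance-ids "$instance" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text
  run aws ec2 modify-instance-attribute --instance-id "$instance" --groups "$quarantine_sg"
  run aws ec2 modify-instance-attribute --instance-id "$instance" --disable-api-termination
  run aws ec2 create-tags --resources "$instance" --tags Key=Status,Value=quarantined
}

# Typical order (constructed placeholder ids):
#   disable_access_key alice AKIAIOSFODNN7EXAMPLE
#   sg=$(create_quarantine_sg vpc-0123456789abcdef0)
#   isolate_instance i-0123456789abcdef0 "$sg"
```

Two caveats worth knowing. Security-group changes do not necessarily cut existing tracked connections straight away, so if the host must be cut off immediately, add a deny-all network ACL on its subnet as well. And if the instance has an IAM role attached, its temporary credentials may already have been copied off the box; treat those the same way as the leaked access key and revoke them.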
Further Reading
This talk provides some great additional advice on performing incident response and forensic investigations in AWS:
We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.