AWS Incident Response and Forensics

In Amazon Web Services, forensics is a little different. Below I’ve outlined some of the core techniques.

We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Acquiring an EC2 Instance

Drives / Volumes

To acquire the drive of a compromised instance, you have to:

1. Make snapshots of the volumes attached to the compromised instance
2. Attach the snapshots to another instance for analysis, and mount them

You can then analyse the disks as you normally would, using tools such as Encase or Log2Timeline.

Memory

Acquiring memory requires you to either run a traditional memory dumping tool within the instance it self, or to remotely run a tool such Margarita Shotgun:

margaritashotgun — server 172.1.0.10 — username root — key root_access.pem — module lime-3.13.0–74-generic.ko — filename 172.1.0.10-mem.lime

Responding

How to disable an access key

Perhaps Amazon have told you that you’ve accidentally published a key on Github — or you’ve identified a host containing the key has been compromised. You can disable the key on the AWS CLI with:

aws iam update-access-key --access-key-id EXAMPLE 
--status Inactive --user-name user

How to isolate a compromised EC2 host

You may want to isolate a compromised host to isolate the infection.

There are scripts to do so here.

Further Reading

This talk provides some great additional advice on performing incident response and forensic investigations in AWS:

We’ve built a platform to automate incident response and forensics in AWS — you can deploy it from the AWS Marketplace here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.