AWS Incident Response and Forensics

Acquiring an EC2 Instance

  1. Make snapshots of the volumes attached to the compromised instance
  2. Attach the snapshots to another instance for analysis, and mount them

margaritashotgun --server 172.1.0.10 --username root --key root_access.pem --module lime-3.13.0-74-generic.ko --filename 172.1.0.10-mem.lime
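
The two disk-acquisition steps above, written out with the AWS CLI as an added example (not code from the original article). The instance IDs, case tag, availability zone, device name and mount point are placeholders, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: IDs, case tag, AZ and device name are caller-supplied placeholders.

# Step 1: snapshot every EBS volume attached to the instance.
# Prints one snapshot ID per line; each snapshot is tagged with the case ID.
snapshot_instance_volumes() {
  local instance_id="$1" case_id="$2" vol
  for vol in $(aws ec2 describe-volumes \
      --filters "Name=attachment.instance-id,Values=${instance_id}" \
      --query 'Volumes[].VolumeId' --output text); do
    aws ec2 create-snapshot --volume-id "$vol" \
      --description "IR ${case_id}: ${instance_id} ${vol}" \
      --tag-specifications "ResourceType=snapshot,Tags=[{Key=case,Value=${case_id}}]" \
      --query SnapshotId --output text
  done
}

# Step 2a: build a volume from the snapshot in the analysis instance's
# availability zone and attach it there. Prints the new volume ID.
attach_snapshot_for_analysis() {
  local snap="$1" analysis_instance="$2" az="$3" device="$4" vol
  aws ec2 wait snapshot-completed --snapshot-ids "$snap" || return 1
  vol=$(aws ec2 create-volume --snapshot-id "$snap" --availability-zone "$az" \
      --query VolumeId --output text) || return 1
  aws ec2 wait volume-available --volume-ids "$vol" || return 1
  aws ec2 attach-volume --volume-id "$vol" --instance-id "$analysis_instance" \
      --device "$device" >/dev/null || return 1
  echo "$vol"
}

# Step 2b: mount options that keep the evidence copy unmodified.
evidence_mount_opts() {
  local base="ro,noexec,nodev,nosuid"
  case "$1" in
    ext3|ext4) echo "${base},noload" ;;            # do not replay the journal
    xfs)       echo "${base},norecovery,nouuid" ;; # no log replay; accept a cloned UUID
    *)         echo "$base" ;;
  esac
}

# Usage from the responder's workstation (placeholder IDs):
#   snap=$(snapshot_instance_volumes i-EXAMPLE case-001 | head -n1)
#   attach_snapshot_for_analysis "$snap" i-ANALYSIS us-east-1a /dev/sdf
# Then on the analysis instance (check lsblk; the kernel may expose the
# volume as /dev/xvdf or an NVMe device rather than /dev/sdf):
#   sudo mount -o "$(evidence_mount_opts ext4)" /dev/xvdf1 /mnt/evidence
```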

Responding

aws iam update-access-key --access-key-id EXAMPLE \
    --status Inactive --user-name user

https://www.cadosecurity.com/

Forensic Labs