First of all, data that is collected for analysis within the cloud needs to be handled properly as well. For this purpose a separate account is created. There are several roles in it, each with a different purpose and set of rights:
- Responder – acquire evidence
- Investigator – analyze evidence
- Data custodian – manage (copy, move, delete, and expire) evidence
- Analyst – access forensics reports for analytics, trends, and forecasting (threat intelligence)
Below are the main considerations:
- Granting access to either the account, or assuming the role needs to be approved by the owner of the IR plan. Preferably, there should be 2 approvers for this.
- There should be no network traffic coming to or from this account, and therefore all S3 access must be done through an S3 VPC endpoint.
- VPC flow logging should be enabled at the Amazon VPC level so that there are records of all network traffic.
- Security groups should be highly restrictive, and deny all ports that aren’t related to the requirements of the forensic tools.
- SSH and RDP access should be restricted and governed by auditable mechanisms such as a bastion host configured to log all connections and activity, AWS Systems Manager Session Manager, or similar.
- An AMI chosen and pre-configured with industry-trusted tools. One of them would be
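As an added example (not code from the original post), the following Python builds the kind of S3 bucket policy the "all S3 access through an S3 VPC endpoint" consideration calls for, scopes the Responder and Investigator roles to the least-privilege actions the role list gives them, and then evaluates sample requests against the policy with a small model of IAM's evaluation logic. The bucket name, endpoint id and role ARNs are constructed placeholders; only the `StringNotEquals` operator is modelled, because that is all this policy uses.

```python
"""Forensics evidence bucket: pin access to one S3 VPC endpoint and to the
forensics roles, then check sample requests against the resulting policy.
Added example with constructed identifiers; not the original post's code."""
import fnmatch
import json

# Constructed placeholders; real values come from the forensics account.
EVIDENCE_BUCKET = "example-forensics-evidence"
S3_VPCE_ID = "vpce-0123456789abcdef0"  # hypothetical S3 gateway endpoint id
ROLE_ARNS = {
    "Responder": "arn:aws:iam::111111111111:role/ForensicsResponder",
    "Investigator": "arn:aws:iam::111111111111:role/ForensicsInvestigator",
}


def build_bucket_policy(bucket, vpce_id, role_arns):
    """Deny every S3 action on the bucket unless the request arrived through
    the named VPC endpoint; the Responder may only write evidence and the
    Investigator may only read and list it."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessViaForensicsVpce",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "ResponderAcquiresEvidence",
                "Effect": "Allow",
                "Principal": {"AWS": role_arns["Responder"]},
                "Action": ["s3:PutObject"],
                "Resource": f"{arn}/*",
            },
            {
                "Sid": "InvestigatorReadsEvidence",
                "Effect": "Allow",
                "Principal": {"AWS": role_arns["Investigator"]},
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    if principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def _condition_holds(condition, context):
    # Negated operators evaluate to true when the key is absent from the
    # request context; a request that did not come through any VPC endpoint
    # carries no aws:sourceVpce, so it falls straight into the Deny.
    for key, expected in condition.get("StringNotEquals", {}).items():
        actual = context.get(key)
        if actual is not None and actual == expected:
            return False
    return True


def evaluate(policy, principal_arn, action, resource, source_vpce=None):
    """Return 'allow', 'explicit deny' or 'implicit deny' for one request."""
    context = {"aws:sourceVpce": source_vpce} if source_vpce else {}
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"  # an explicit deny always wins
        decision = "allow"
    return decision


if __name__ == "__main__":
    policy = build_bucket_policy(EVIDENCE_BUCKET, S3_VPCE_ID, ROLE_ARNS)
    print(json.dumps(policy, indent=2))
    obj = f"arn:aws:s3:::{EVIDENCE_BUCKET}/case-0001/disk.img"
    print(evaluate(policy, ROLE_ARNS["Responder"], "s3:PutObject", obj, S3_VPCE_ID))
    print(evaluate(policy, ROLE_ARNS["Responder"], "s3:PutObject", obj))
```

Run stand-alone, the script prints the policy document, then `allow` for a Responder upload through the forensics endpoint and `explicit deny` for the same upload from anywhere else. The evaluator is deliberately small; it exists to show why the `aws:sourceVpce` deny pattern also blocks requests from the public internet, not to replace the IAM policy simulator.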