AWS Forensic Environment Setup


Created: 28.07.2022

Data that is collected for analysis within the cloud needs to be handled properly as well. For this purpose a separate, dedicated forensics account is created. Several roles exist in that account, each with a different purpose and a different set of rights:

  • Responder – acquire evidence

  • Investigator – analyze evidence

  • Data custodian – manage (copy, move, delete, and expire) evidence

  • Analyst – access forensics reports for analytics, trends, and forecasting (threat intelligence)

Below are the main considerations:

  • Granting access to the account, or permission to assume one of its roles, must be approved by the owner of the IR plan. Preferably, two approvers should be required.
  • There should be no network traffic to or from the internet in this account, and therefore all S3 access must be done through an S3 VPC endpoint (this keeps evidence transfers on the AWS network and lets the bucket policy deny any other path).
  • VPC flow logging should be enabled at the Amazon VPC level so that there are records of all network traffic.
  • Security groups should be highly restrictive and deny all ports that aren't required by the forensic tools.
  • SSH and RDP access should be restricted and governed by auditable mechanisms such as a bastion host configured to log all connections and activity, AWS Systems Manager Session Manager, or similar.
  • An AMI should be chosen and pre-configured with industry-trusted tools. One of them would be
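As an added example (not code from the original page or from AWS), the block below expresses the four-role split and the "S3 only through the VPC endpoint" rule as IAM-style policy documents and then checks them with a small evaluator that follows IAM's rule that an explicit Deny beats any Allow. The bucket name, key prefixes and VPC endpoint ID are assumptions; the evaluator implements only the subset of IAM semantics the example needs (Effect, Action, Resource and the two string condition operators) and ignores Principal.

```python
"""Role split and VPC-endpoint-only S3 access for a forensics account.

Added example, not code from the original page or from AWS. The bucket name,
key prefixes and the VPC endpoint ID below are assumptions made for the
example; real deployments use their own values.
"""
import fnmatch

EVIDENCE_BUCKET = "arn:aws:s3:::forensics-evidence-example"  # assumed bucket
S3_VPC_ENDPOINT = "vpce-0123456789abcdef0"                   # assumed endpoint ID

# Identity policies: each role gets only the S3 actions its job needs.
ROLE_STATEMENTS = {
    # acquires evidence: may write new objects under a case prefix, never read or delete
    "Responder": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{EVIDENCE_BUCKET}/cases/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": EVIDENCE_BUCKET},
    ],
    # analyzes evidence: read-only on case data
    "Investigator": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{EVIDENCE_BUCKET}/cases/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": EVIDENCE_BUCKET},
    ],
    # manages evidence: copy, move, delete and expire
    "DataCustodian": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                    "s3:ListBucket", "s3:PutLifecycleConfiguration"],
         "Resource": [EVIDENCE_BUCKET, f"{EVIDENCE_BUCKET}/*"]},
    ],
    # reads finished reports only, never raw evidence
    "Analyst": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{EVIDENCE_BUCKET}/reports/*"},
    ],
}

# Bucket policy: deny every S3 request that did not arrive through the S3 VPC
# endpoint. An explicit Deny here overrides any Allow in the role policies.
BUCKET_STATEMENTS = [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [EVIDENCE_BUCKET, f"{EVIDENCE_BUCKET}/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": S3_VPC_ENDPOINT}}},
]


def policy_document(statements):
    """Wrap statements in the JSON shape IAM expects (e.g. for put-role-policy)."""
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _applies(stmt, action, resource, context):
    """Does this statement match the request? Covers Action/Resource wildcards and
    StringEquals/StringNotEquals conditions only; Principal is ignored."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)  # missing key: StringNotEquals still matches, as in IAM
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def is_allowed(role, action, resource, context):
    """IAM evaluation order: any applicable explicit Deny wins, otherwise at least
    one applicable Allow is needed; the default is deny."""
    applicable = [s for s in ROLE_STATEMENTS[role] + BUCKET_STATEMENTS
                  if _applies(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)


VIA_ENDPOINT = {"aws:sourceVpce": S3_VPC_ENDPOINT}  # request came through the endpoint
FROM_INTERNET = {}                                  # no endpoint ID in the request context


def check_separation_of_duties():
    """Constructed requests showing what each role can and cannot do."""
    case_obj = f"{EVIDENCE_BUCKET}/cases/2022-07-28/disk.img"
    report = f"{EVIDENCE_BUCKET}/reports/weekly-trends.csv"
    return {
        "responder_can_upload": is_allowed("Responder", "s3:PutObject", case_obj, VIA_ENDPOINT),
        "responder_cannot_delete": not is_allowed("Responder", "s3:DeleteObject", case_obj, VIA_ENDPOINT),
        "investigator_cannot_write": not is_allowed("Investigator", "s3:PutObject", case_obj, VIA_ENDPOINT),
        "custodian_can_expire": is_allowed("DataCustodian", "s3:DeleteObject", case_obj, VIA_ENDPOINT),
        "analyst_reports_only": (is_allowed("Analyst", "s3:GetObject", report, VIA_ENDPOINT)
                                 and not is_allowed("Analyst", "s3:GetObject", case_obj, VIA_ENDPOINT)),
        # even the most privileged role is blocked when the request bypasses the endpoint
        "endpoint_bypass_denied": not is_allowed("DataCustodian", "s3:GetObject", case_obj, FROM_INTERNET),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(policy_document(BUCKET_STATEMENTS), indent=2))
    print(check_separation_of_duties())
```

The point of the last check is the one that matters operationally: an Allow in a role policy is not enough on its own, because the bucket policy's Deny applies to every principal whose request lacks the expected `aws:sourceVpce`, so a compromised credential used from outside the forensics VPC still cannot touch the evidence.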
