AWS CLI

⛅️ AWS Evidence Collection

Are there any shadow cloud accounts? They could be the first place to look when investigating.

A ‘without-reboot’ snapshot is equivalent to a live acquisition, and a snapshot with a reboot is more like a traditional powered-off. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 175). BCS Learning & Development Limited. Kindle Edition.

EC2 instance metadata


If the instance metadata service (IMDS) is not configured properly, sensitive information can be exposed through it: MITRE ATT&CK T1522. This is not the case with service-managed accounts.

AWS Configuration

Default Configurations

By default, SSH (22) and RDP (3389) are closed, but opening them is suggested when creating instances, together with a warning about how dangerous this is. What is traffic mirroring? Look at using this functionality with open-source tools.

Custom Config

If SSM (AWS Systems Manager) is enabled, activity is logged in CloudTrail. At a minimum, the AmazonSSMManagedInstanceCore policy needs to be attached to the instance profile role. Look at the policies and at which users are granted access. The commands that can be run can also be restricted.
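The three checks above (IMDS hardening, SSH/RDP exposed to the internet, and whether the instance profile role carries AmazonSSMManagedInstanceCore) can be triaged offline from saved AWS CLI output. The script below is an added example, not part of the original notes and not an AWS tool. It reads JSON in the shape returned by `aws ec2 describe-instances`, `aws ec2 describe-security-groups`, `aws iam get-instance-profile` and `aws iam list-attached-role-policies`; the embedded sample data (instance ids, group ids, the 111122223333 account id and the role and profile names) is constructed for the example.

```python
"""Triage EC2 posture from saved AWS CLI JSON: IMDSv2, world-open admin ports, SSM role."""
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
SSM_CORE = "AmazonSSMManagedInstanceCore"
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample shaped like `aws ec2 describe-instances --output json`.
INSTANCES_JSON = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0example000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ssm-profile"},
     "SecurityGroups": [{"GroupId": "sg-0example000000aaa", "GroupName": "web"}]},
    {"InstanceId": "i-0example000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
     "SecurityGroups": [{"GroupId": "sg-0example000000bbb", "GroupName": "launch-wizard-1"}]},
]}]})

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
SECURITY_GROUPS_JSON = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0example000000aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example000000bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})

# Constructed samples keyed by name, each shaped like `aws iam get-instance-profile`
# and `aws iam list-attached-role-policies` output respectively.
INSTANCE_PROFILES = {"ssm-profile": {"InstanceProfile": {"Roles": [{"RoleName": "ssm-instance-role"}]}}}
ROLE_POLICIES = {"ssm-instance-role": {"AttachedPolicies": [
    {"PolicyName": SSM_CORE, "PolicyArn": "arn:aws:iam::aws:policy/" + SSM_CORE}]}}


def rule_exposes_port(perm, port):
    """True if one IpPermission entry lets the whole internet reach `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols and all ports, no FromPort/ToPort keys
        covers = True
    elif proto != "tcp":
        covers = False
    else:
        covers = perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return covers and any(c in ANYWHERE for c in cidrs)


def world_open_admin_ports(sg):
    """Admin ports (SSH, RDP) this security group opens to 0.0.0.0/0 or ::/0."""
    perms = sg.get("IpPermissions", [])
    return sorted(p for p in ADMIN_PORTS if any(rule_exposes_port(perm, p) for perm in perms))


def ssm_core_attached(profile_arn, instance_profiles, role_policies):
    """Follow instance profile -> role(s) -> attached policies and look for the SSM core policy."""
    if not profile_arn:
        return False
    profile_name = profile_arn.rsplit("/", 1)[-1]
    roles = instance_profiles.get(profile_name, {}).get("InstanceProfile", {}).get("Roles", [])
    for role in roles:
        attached = role_policies.get(role["RoleName"], {}).get("AttachedPolicies", [])
        if any(p.get("PolicyName") == SSM_CORE for p in attached):
            return True
    return False


def triage(instances_json, sgs_json, instance_profiles, role_policies):
    """Per-instance findings: IMDSv2 enforced, admin ports open to the world, SSM-managed."""
    sgs = {sg["GroupId"]: sg for sg in json.loads(sgs_json)["SecurityGroups"]}
    report = {}
    for reservation in json.loads(instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            ports = set()
            for ref in inst.get("SecurityGroups", []):
                ports.update(world_open_admin_ports(sgs.get(ref["GroupId"], {})))
            report[inst["InstanceId"]] = {
                "imdsv2_required": inst.get("MetadataOptions", {}).get("HttpTokens") == "required",
                "world_open_admin_ports": sorted(ports),
                "ssm_managed": ssm_core_attached(
                    inst.get("IamInstanceProfile", {}).get("Arn"), instance_profiles, role_policies),
            }
    return report


if __name__ == "__main__":
    for instance_id, findings in triage(INSTANCES_JSON, SECURITY_GROUPS_JSON,
                                        INSTANCE_PROFILES, ROLE_POLICIES).items():
        print(instance_id, json.dumps(findings))
```

In the sample, the second instance is flagged on all three counts: IMDSv2 is optional, SSH is open to 0.0.0.0/0 directly and RDP is reachable through the catch-all `-1` rule to `::/0`, and there is no instance profile, so nothing run on it via SSM would ever appear in CloudTrail. Pointing the same functions at real `--output json` dumps is the natural next step once the collection is done.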