Ssh

⛅️ AWS Evidence Collection

Are there any shadow cloud accounts? They could be the first place to look when investigating.

A ‘without-reboot’ snapshot is equivalent to a live acquisition, and a snapshot with a reboot is more like a traditional powered-off. Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 175). BCS Learning & Development Limited. Kindle Edition.

EC2 instance metadata


Some sensitive information can be stored in IMDS if it’s not configured properly. T1522 (MITRE). Not the case with service-managed accounts.
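
One way to check the IMDS configuration mentioned above, as an added example that is not part of the original notes: it reads JSON in the shape of `aws ec2 describe-instances` output and flags instances that still accept IMDSv1 requests. It assumes "configured properly" means requiring IMDSv2 session tokens; the sample data and the finding names are constructed.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances` output.
# Instance IDs and the profile ARN are made up for illustration.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111111111111:instance-profile/example"},
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}},
  {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
   "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                       "HttpPutResponseHopLimit": 2}},
  {"InstanceId": "i-0ccccccccccccccc3",
   "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                       "HttpPutResponseHopLimit": 1}}
]}]}
""")


def audit_imds(describe_output):
    """Map instance ID -> list of IMDS findings; compliant instances are omitted."""
    report = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            # An instance with the endpoint disabled serves no metadata at all.
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue
            findings = []
            # A missing value is treated as "optional" (assumption: flag it).
            if opts.get("HttpTokens", "optional") != "required":
                findings.append("imdsv1-allowed")
                # An attached role means temporary credentials are readable
                # through the token-less IMDSv1 path.
                if "IamInstanceProfile" in inst:
                    findings.append("role-credentials-via-imdsv1")
            # A hop limit above 1 lets token responses travel past the host,
            # for example into containers running on it.
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                findings.append("hop-limit-above-1")
            if findings:
                report[inst["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit_imds(SAMPLE).items():
        print(instance_id, ", ".join(findings))
```
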