Cloud DFIR -2-

Saniye Nur
8 min read · Jun 11, 2023


We said “Next article will talk about EC2 Incident Response and Forensic Analysis, Margarita Shotgun, a Remote Memory Acquisition Tool, aws_ir tool.”

Let’s continue.

  • Every EC2 (Elastic Compute Cloud) instance in Amazon Web Services (AWS) consists of a root volume. The root volume is the primary storage device attached to an EC2 instance, and it contains the operating system and any applications or software installed on the instance. The root volume is typically an Amazon Elastic Block Store (EBS) volume, which provides persistent block-level storage.
  • When you launch an EC2 instance, you can specify the size and type of the root volume. You can also choose whether the root volume should be deleted when the instance is terminated or if it should be kept as a separate EBS volume. By default, the root volume is deleted when the instance is terminated.
  • It’s worth noting that in addition to the root volume, you can attach additional EBS volumes or instance store volumes to an EC2 instance for storing data or providing additional storage capacity.
  • It is possible to snapshot an instance while it is running. For the snapshot of an EBS volume to be consistent, however, the instance should be stopped or the data on the volume brought into a consistent state first; stopping the instance before taking the snapshot is the recommended way to ensure data integrity. Once the instance is stopped, you can create a snapshot of the desired EBS volume attached to it.
  • The utilization of tagging for record keeping is important in AWS. Tags are key-value pairs that you can assign to AWS resources, including EC2 instances, EBS volumes, S3 buckets, and more. Tags provide metadata that can be used for organizing, categorizing, and managing your resources effectively.
  • Tagging is beneficial for record keeping in several ways:
  1. Identifying and grouping resources: By assigning tags to your resources, you can easily identify and group them based on specific criteria. For example, you can tag instances based on their environment (production, development, staging), department, project, or any other relevant attribute. This helps in better resource management and tracking.
  2. Cost allocation: Tags are instrumental in cost allocation and budgeting. You can assign tags to your resources to track usage and costs associated with different projects, teams, or departments. This enables you to analyze and manage your AWS spending more efficiently.
  3. Resource lifecycle management: Tags can be used to track the lifecycle of your resources. For example, you can use tags to mark resources for review, retirement, or specific maintenance tasks. This helps in monitoring and maintaining resources in a structured manner.
  4. Automation and policy enforcement: Tags can be leveraged for automation and policy enforcement purposes. AWS provides tools like AWS Resource Groups and AWS Identity and Access Management (IAM) policies that allow you to use tags to automate resource management tasks and enforce policies based on tag values.
  By consistently and thoughtfully using tags, you can improve visibility, organization, and governance over your AWS resources. It enables you to track and manage resources more effectively, leading to better operational efficiency and cost optimization.
  • To isolate an EC2 instance in AWS, you can implement several measures to restrict network access and control its interactions with other resources. Here are some common methods for isolating an EC2 instance:
  1. Security Groups: Security groups act as virtual firewalls that control inbound and outbound traffic for EC2 instances. By configuring security group rules, you can define specific protocols, ports, and IP ranges that are allowed to access the instance. By restricting access to only necessary ports and sources, you can isolate the instance from unwanted network traffic.
  2. Network Access Control Lists (ACLs): Network ACLs operate at the subnet level and provide an additional layer of network security. You can define rules in ACLs to allow or deny inbound and outbound traffic based on IP addresses, protocols, and ports. Using ACLs in conjunction with security groups can help enforce network isolation.
  3. Private Subnets: Placing an EC2 instance in a private subnet ensures that it is not directly accessible from the internet. Private subnets do not have a route to an internet gateway, preventing inbound access from external sources. You can control access to private instances by using a bastion host or VPN to establish secure connections for management purposes.
  4. VPC Peering and Transit Gateway: If you have multiple VPCs in your AWS environment, you can isolate an EC2 instance by setting up VPC peering or using AWS Transit Gateway. These services allow secure communication between VPCs while keeping the instances isolated from other VPCs.
  5. Instance-level Firewalls: You can configure software firewalls on the EC2 instance itself to further restrict network traffic. For example, you can use the built-in firewall (iptables) in Linux instances or Windows Firewall in Windows instances to control inbound and outbound connections.
  6. IAM Roles and Policies: Implementing strict Identity and Access Management (IAM) roles and policies can limit access to resources and services from the EC2 instance. By granting only necessary permissions, you can isolate the instance from unauthorized actions and ensure least privilege access.

By combining these methods, you can effectively isolate an EC2 instance within your AWS infrastructure, restricting network access and controlling interactions with other resources based on your specific requirements.

Let’s go into EC2 and click on Instance ID.

Save this Security Group ID somewhere; you will need it shortly.

We talked about VPC. I also save the VPC ID.

I click Create Security Group and exit.
Then I need to activate it by clicking Run.

Then I choose Change security groups from the dashboard.

I click save and exit.
Now let’s look at creating snapshots.

I enter the Instance ID of the machine I just isolated, write a description and click Create snapshot.

Done. Now we need to create the volume.

I usually leave Volume type, Availability Zone, etc. at their defaults; that choice is up to you. You can enter tag Key and Value pairs as you want.

Under Volumes, the volumes we have created appear once they are complete.
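The isolation and snapshot steps just walked through in the console, as an added example in boto3 (not code from the article): it creates a security group with no rules and verifies the group really is empty before swapping it onto the instance, then snapshots every attached EBS volume with chain-of-custody tags and creates volumes from the snapshots for the forensic workstation. The instance ID, VPC ID, case ID and examiner name are placeholders, and credentials are assumed to come from the usual boto3 configuration.

```python
from datetime import datetime, timezone


def evidence_tags(case_id: str, instance_id: str, examiner: str) -> list:
    """Tags stamped on every artifact we create, so snapshots and volumes stay tied to the case."""
    acquired = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{"Key": "Case", "Value": case_id}, {"Key": "SourceInstance", "Value": instance_id},
            {"Key": "Examiner", "Value": examiner}, {"Key": "AcquiredAt", "Value": acquired}]


def is_isolation_group(sg: dict) -> bool:
    """True when a describe_security_groups entry permits no inbound and no outbound traffic."""
    return not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")


def isolate_and_snapshot(ec2, instance_id: str, vpc_id: str, case_id: str, examiner: str) -> dict:
    """Move the instance onto a rule-less security group, then snapshot and clone each attached EBS volume."""
    tags = evidence_tags(case_id, instance_id, examiner)
    sg_id = ec2.create_security_group(GroupName=f"isolation-{case_id}", VpcId=vpc_id,
                                      Description="IR isolation: no inbound, no outbound")["GroupId"]
    # A new group allows all IPv4 egress by default; revoke it, then verify nothing is left
    # (a VPC with IPv6 also gets a ::/0 egress rule, which the check below catches).
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if not is_isolation_group(sg):
        raise RuntimeError(f"{sg_id} still has rules; refusing to use it for isolation")
    # Replacing the instance's group set cuts it off from the network while it keeps running,
    # so volatile memory is still available for a tool such as margaritashotgun.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    az = inst["Placement"]["AvailabilityZone"]
    snapshot_ids = [ec2.create_snapshot(VolumeId=bdm["Ebs"]["VolumeId"],
                                        Description=f"{case_id}: {bdm['DeviceName']} of {instance_id}",
                                        TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])["SnapshotId"]
                    for bdm in inst["BlockDeviceMappings"] if "Ebs" in bdm]  # skip instance-store disks
    # Large root volumes take a while; widen the waiter beyond its default timeout.
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=snapshot_ids,
                                              WaiterConfig={"Delay": 30, "MaxAttempts": 120})
    # Volumes created from the snapshots are what you attach to the forensic workstation (mount them read-only).
    volume_ids = [ec2.create_volume(SnapshotId=s, AvailabilityZone=az,
                                    TagSpecifications=[{"ResourceType": "volume", "Tags": tags}])["VolumeId"]
                  for s in snapshot_ids]
    return {"security_group": sg_id, "snapshots": snapshot_ids, "volumes": volume_ids}


if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be exercised without the SDK installed
    # Placeholder IDs: substitute the instance and VPC IDs saved from the console.
    print(isolate_and_snapshot(boto3.client("ec2"), "i-0123456789abcdef0", "vpc-0123456789abcdef0",
                               "CASE-0001", "examiner-name"))
```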
Now let’s connect to a machine.

Here it also shows the user name and password; of course, I click Connect using that information.

We are connected to the machine. Now I need FTK Imager.
I will not go into the details of creating images with FTK here.

Margaritashotgun is part of the Threat Response project. It is a command-line utility that works with or without Amazon EC2 instances to parallelize remote memory acquisition.

The user guide covers everything related to margaritashotgun:

https://margaritashotgun.readthedocs.io/en/latest/user_guide.html?highlight=managing#user-guide

aws_ir

AWS_IR automates your incident response with zero security preparedness assumptions. It can handle key and host compromises and collects all pertinent data in an S3 bucket along with the ThreatResponse Web workstation.

The term AWS_IR (AWS Incident Response) refers to the processes and applications of incident response within the Amazon Web Services (AWS) cloud platform. AWS_IR is an approach and service designed to enhance an organization’s capabilities to respond to incidents and security breaches that may occur within their AWS infrastructure.

AWS_IR encompasses important components such as detecting security incidents, responding to events, analyzing incidents, and implementing response plans. It provides a set of best practices and methods to quickly identify security events and breaches within the AWS infrastructure, intervene, and resolve issues.

This service offers guidance to AWS customers in responding rapidly and effectively to security incidents. AWS_IR includes a series of processes and tools that help security teams quickly detect events, coordinate responses, isolate affected systems, and make improvements.

AWS_IR can utilize data from AWS services such as AWS CloudTrail, Amazon GuardDuty, and AWS Config to detect security incidents. It also provides automated response and remediation capabilities using services like Amazon CloudWatch and AWS Lambda.

In general, AWS_IR is a service and approach designed to improve incident response processes within the AWS infrastructure and effectively respond to security incidents.

Reference

https://www.threatresponse.cloud/

https://www.manageengine.com/log-management/amazon-vpc-security-groups.html

https://www.cybertriage.com/blog/cloud-forensics/cyber-triage-on-aws-dfir-in-the-cloud-forensics/

https://awesomedfir.com/incident-response-in-the-cloud
