Why Cloud DFIR?

Saniye Nur
11 min read · Apr 21, 2023


According to Forrester and Gartner studies:

  • 75% of enterprise servers are virtualized
  • 50% of all enterprises are in a cloud environment
  • Cloud adoption is growing at 4–6x the rate of on-prem
  • 60% of all companies are using a SaaS platform
  • 74% of companies using cloud increase their cloud spend by at least 20% per year

With the increasing adoption of cloud computing by organizations for storing, processing, and managing their data and applications, it has become essential to have DFIR practices tailored specifically to cloud-based environments.

Cloud computing presents unique challenges for DFIR compared to traditional on-premises environments. The distributed nature of cloud infrastructure, the use of virtualization, and the shared responsibility model between CSPs and their customers make it more complex to investigate and respond to security incidents in the cloud. Cloud DFIR requires expertise in navigating cloud-specific technologies, understanding the different logging and monitoring mechanisms, and dealing with the legal and jurisdictional issues that may arise in cloud environments.

Organizations are subject to various compliance and regulatory requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS), that mandate specific DFIR practices. Cloud DFIR plays a crucial role in helping organizations meet these requirements by providing the necessary investigative and response capabilities in cloud environments and ensuring compliance with the relevant regulations.

Cloud environments can contain digital evidence that is crucial to investigations and legal proceedings. Cloud DFIR preserves, collects, and analyzes digital evidence from cloud-based systems and applications, such as log data, virtual machine snapshots, network traffic, and user activity logs, to support investigations, forensic analysis, and legal actions.

Cloud Threats

  1. Data Breaches: The unauthorized access, theft, or leakage of data stored or transmitted in cloud computing environments is a significant threat. Data breach attacks can result in the exposure of sensitive information and privacy breaches.
  2. Identity Theft: The theft or misuse of user identities, authorizations, and access controls in cloud computing environments is a potential threat. Identity theft attacks can be used to gain unauthorized access and move laterally within the target system.
  3. Service Disruption: The disruption or reduced availability of cloud service providers’ services is a potential threat. Service disruption attacks can impact the business continuity of the target organization and render services unavailable.
  4. Malware: The infiltration and propagation of malware in cloud computing environments is a threat. Malware can cause damage to user devices, applications, or target systems, steal data, or take control of systems.
  5. Vulnerabilities and Security Flaws: Vulnerabilities and security flaws in software, hardware, or network components used by cloud service providers or target organizations can allow cyber attackers to attempt unauthorized access. Vulnerabilities and security flaws can enable attackers to gain unauthorized access and compromise systems.
  6. Account Security Weaknesses: Weak passwords, authentication challenges, or misconfigurations of accounts used in cloud computing environments can pose security vulnerabilities. Such vulnerabilities can allow attackers to compromise accounts and conduct malicious activities in the target system.
  7. Social Engineering: Social engineering techniques that deceive users, employees, or system administrators in cloud computing environments can result in unauthorized access and data breaches.

Incident Domains

  • Service
  • Infrastructure
  • Application

Service Domains

  • API calls

API (Application Programming Interface) calls are the interfaces through which a software application communicates with other applications or services. In cloud computing environments, API calls are how applications reach the services a provider offers and perform operations such as data storage, computing, and network configuration. For developers they are the means of using and integrating cloud services, which in turn enables the automation, management, and scaling of those services.

  • CloudTrail

AWS CloudTrail is a service that records and monitors the activity in your AWS account. It logs account activity, management operations, API calls, and other events, covering actions performed through the AWS Management Console, the AWS CLI (Command Line Interface), the AWS SDKs (Software Development Kits), and other AWS services.

  • Service-domain investigations are unlikely to use traditional forensic or network traffic analysis tools

Infrastructure Domains

  • Some common infrastructure domains in AWS include:
  1. Compute: This domain includes services such as Amazon EC2 (Elastic Compute Cloud), AWS Lambda, and Amazon ECS (Elastic Container Service) that enable you to create and manage virtual machines, serverless compute, and containerized applications.
  2. Storage: This domain includes services like Amazon S3 (Simple Storage Service), Amazon EBS (Elastic Block Store), and Amazon Glacier that provide scalable and durable storage options for data and backups.
  3. Database: This domain includes services such as Amazon RDS (Relational Database Service), Amazon DynamoDB, and Amazon Redshift that offer managed database solutions for relational, NoSQL, and data warehousing use cases.
  4. Networking: This domain includes services like Amazon VPC (Virtual Private Cloud), Amazon CloudFront, and Amazon Route 53 that allow you to create and manage networking components, such as virtual private networks, content delivery networks, and domain name system (DNS) routing.
  5. Security, Identity, and Compliance: This domain includes services such as AWS Identity and Access Management (IAM), Amazon CloudTrail, and AWS WAF (Web Application Firewall) that provide tools and features for securing and managing access to AWS resources, monitoring activity, and ensuring compliance with security best practices.
  6. Management and Governance: This domain includes services like AWS CloudFormation, AWS CloudWatch, and AWS Organizations that provide tools for managing and automating AWS resources, monitoring and logging, and enforcing governance policies.
  7. Application Integration: This domain includes services such as Amazon SNS (Simple Notification Service), Amazon SQS (Simple Queue Service), and Amazon Step Functions that enable you to build and manage event-driven and workflow-based applications.
  8. Developer Tools: This domain includes services like AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy that provide tools and services for developing, building, and deploying applications on AWS.
  9. Analytics: This domain includes services such as Amazon S3 Select, Amazon Athena, and Amazon QuickSight that provide analytics and business intelligence capabilities for processing, querying, and visualizing data on AWS.

Application Domains

  • Combination of Infrastructure and Service domain strategies
  • Logging outputs from software and code
  • Work with developers to continuously improve logging abilities
  • Watch for stored credentials

What is IAM ?

IAM stands for Identity and Access Management. It is a framework or a set of practices and technologies used to manage and control access to resources within an organization’s IT environment. IAM is commonly used in the context of cloud computing services, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, but it is also applicable to on-premises IT environments.

IAM involves managing and controlling access to various resources, including but not limited to, applications, systems, data, networks, and cloud services, based on the principle of least privilege.

IAM typically includes features such as user authentication, authorization, and permissions management. It allows organizations to create, manage, and control user accounts, groups, and roles, assign permissions and privileges to these accounts, and track and monitor user activity for security and compliance purposes.

IAM plays a critical role in maintaining the security and compliance of an organization’s IT environment by enabling granular control over access to resources, reducing the risk of unauthorized access, and providing audit trails for monitoring and reporting purposes. It is an essential component of overall cybersecurity and access management strategies for organizations of all sizes and across various IT environments.

Why is IAM Relevant to IR?

IAM provides credentials and user access to resources within AWS.

It is therefore a coveted target for a threat actor to compromise.

What to do with IAM during an IR?

  • Audit users for appropriate permissions

  1. Review User Permissions: Regularly review the permissions assigned to each user account in your system.
  2. Use IAM Policies
  3. Monitor User Activity: Set up logging and monitoring for user activity in your AWS environment. This can include monitoring API calls, CloudTrail logs, and CloudWatch events. Regularly review and analyze these logs to identify any unauthorized or inappropriate user activity.
  4. Implement Multi-Factor Authentication (MFA)
  5. Conduct Regular Audits
  6. Educate Users

  • Audit access logs for users accessing appropriate resources

  1. Enable and Review AWS CloudTrail: CloudTrail is a service that provides detailed logging of API calls made within your AWS environment. By enabling CloudTrail, you capture and log API activity, including actions performed by users, to track and monitor their access to resources.
  2. Define Appropriate Resource Access
  3. Use AWS CloudWatch for Real-time Monitoring
  4. Retain Logs for Compliance

  • Search for recently created IAM users or users with permissions assigned outside of their roles
  • Utilize CloudTrail to analyze IAM activities
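The CloudTrail description above and the IAM checks just listed (recently created users, permissions assigned outside a role, IAM activity in the trail) come together in the following triage script. It is an added example, not code from the article or from AWS: it reads a CloudTrail log file body (the JSON object with a "Records" array that CloudTrail delivers to S3), flags the IAM calls that grant or extend access and the calls that switch the trail off, and lists the users created inside a chosen window. The records, the account id 111122223333, the ARNs and the TEST-NET IP addresses are constructed placeholders; the set of event names to watch is this example's own choice, not an AWS list.

```python
"""Triage IAM and trail-tampering activity in CloudTrail records.

Added example, not from the article or AWS. Reads a CloudTrail log file body
(JSON with a "Records" array), flags IAM calls that grant or extend access plus
calls that stop or alter the trail, and lists IAM users created in a window.
All sample records, ARNs, account ids and IPs below are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

# IAM calls a responder checks first (this example's own list); value is the report text.
IAM_ACCESS_EVENTS = {
    "CreateUser": "new IAM user created",
    "CreateAccessKey": "new long-lived access key issued",
    "CreateLoginProfile": "console password set for a user",
    "AttachUserPolicy": "managed policy attached directly to a user",
    "PutUserPolicy": "inline policy written to a user",
    "AddUserToGroup": "user added to a group",
    "UpdateAssumeRolePolicy": "role trust policy changed",
}
# Calls that blind the investigation by stopping, deleting or reconfiguring the trail.
TRAIL_TAMPER_EVENTS = {
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail trail reconfigured",
}
# Managed policies whose direct attachment to a user signals "permissions outside the role".
BROAD_POLICIES = ("AdministratorAccess", "IAMFullAccess", "PowerUserAccess")

# Constructed records with a subset of the real CloudTrail fields; not a real capture.
SAMPLE_LOG = """{"Records": [
 {"eventTime": "2023-03-01T08:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-bob"}, "requestParameters": {"userName": "tmp-admin"}, "errorCode": "AccessDenied"},
 {"eventTime": "2023-04-20T10:15:00Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": null},
 {"eventTime": "2023-04-20T10:16:02Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"userName": "backup-svc"}},
 {"eventTime": "2023-04-20T10:16:40Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"userName": "backup-svc", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2023-04-20T10:17:05Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"userName": "backup-svc"}},
 {"eventTime": "2023-04-20T10:18:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}}
]}"""


def parse_records(text):
    """Return the Records list from one CloudTrail log file body."""
    return json.loads(text)["Records"]


def _event_time(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _target(event):
    """Name of the IAM principal or trail the call acted on, if the request carried one."""
    params = event.get("requestParameters") or {}
    for key in ("userName", "roleName", "groupName", "name"):
        if key in params:
            return params[key]
    return "-"


def triage(records, now, window):
    """Return {'flagged': [...], 'new_users': [...]}; flagged entries are sorted by time."""
    flagged, new_users = [], []
    for event in records:
        name = event.get("eventName")
        reason = IAM_ACCESS_EVENTS.get(name) or TRAIL_TAMPER_EVENTS.get(name)
        if reason is None:
            continue  # routine read-only or unrelated call
        params = event.get("requestParameters") or {}
        policy = params.get("policyArn", "").rsplit("/", 1)[-1]
        if name == "AttachUserPolicy" and policy in BROAD_POLICIES:
            reason += f" (broad policy: {policy})"
        failed = "errorCode" in event  # denied calls still show intent, so they are kept
        identity = event.get("userIdentity") or {}
        flagged.append({
            "time": event["eventTime"],
            "actor": identity.get("arn", identity.get("type", "?")),
            "source_ip": event.get("sourceIPAddress", "?"),
            "event": name, "target": _target(event), "reason": reason, "failed": failed,
        })
        if name == "CreateUser" and not failed and now - _event_time(event) <= window:
            new_users.append(params.get("userName"))
    flagged.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
    return {"flagged": flagged, "new_users": new_users}


def run_sample():
    """Triage the constructed records against a 7-day window ending 2023-04-21."""
    now = datetime(2023, 4, 21, tzinfo=timezone.utc)
    return triage(parse_records(SAMPLE_LOG), now, timedelta(days=7))


if __name__ == "__main__":
    result = run_sample()
    for e in result["flagged"]:
        status = "FAILED " if e["failed"] else ""
        print(f"{e['time']} {status}{e['event']:<18} actor={e['actor']} target={e['target']} "
              f"ip={e['source_ip']} :: {e['reason']}")
    print("IAM users created in window:", result["new_users"])
```

On the sample data the report shows one principal creating a user, attaching AdministratorAccess to it, issuing it an access key and then stopping the trail within three minutes from one source address, which is the sequence the bullets above tell you to look for; the older, denied CreateUser is kept in the output because a failed attempt is still evidence of intent. Against a real account the same function runs over every gzipped object under the trail's S3 prefix instead of SAMPLE_LOG.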

The AWS (Amazon Web Services) shared responsibility model describes how security responsibilities are divided between AWS and its customers. In a cloud computing environment, where customers use AWS services to host their applications and data, AWS and the customer share the responsibility for securing the overall environment.

According to the AWS shared responsibility model:

  1. AWS is responsible for the security of the cloud infrastructure, including the physical data centers, networking, and underlying services, such as compute and storage. AWS is also responsible for ensuring the availability, reliability, and scalability of its services.
  2. Customers are responsible for the security of their applications, data, operating systems, and any other software they deploy on AWS. Customers are also responsible for configuring and managing their own AWS resources, such as virtual machines, databases, and networking settings.

In other words, AWS provides a secure and compliant infrastructure, but customers are responsible for securing their own applications, data, and configurations within the AWS environment. This shared responsibility model helps ensure that security measures are in place at both the infrastructure level (by AWS) and the application/data level (by customers) to create a secure overall environment.

It’s important for customers to understand their responsibilities and take appropriate security measures, such as implementing access controls, encryption, and monitoring, to protect their applications and data within the AWS environment. AWS provides various security services and features that customers can use to enhance the security of their applications and data, but ultimately, customers are responsible for configuring and managing these security measures based on their specific requirements and compliance obligations.

AWS Tools

  • AWS GuardDuty
  • AWS Security Hub
  • Amazon Detective
  • Amazon Macie
  • AWS Inspector
  • Redirecting AWS

AWS GuardDuty

  • AWS GuardDuty is a security service provided by Amazon Web Services (AWS). It can be used to detect and prevent security threats in AWS cloud environments. Utilizing artificial intelligence and machine learning techniques, AWS GuardDuty monitors for abnormal activities in AWS accounts, services, and resources, and applies various analytical methods to detect security threats.
  • AWS GuardDuty provides protection against potential threats such as:
  1. Malware: AWS GuardDuty protects against malware threats such as computer viruses, trojans, worms, etc., by detecting malicious software activities.
  2. Account compromises: AWS GuardDuty detects security breaches related to account security, such as cross-account access, unauthorized login attempts, and identity theft.
  3. Network attacks: AWS GuardDuty monitors network traffic to detect network attacks such as attack attempts from unknown IP addresses, network scanners, port scans, etc.
  4. Data breaches: AWS GuardDuty detects data breaches, preventing accidental or intentional sharing or leakage of sensitive data.

AWS GuardDuty provides alerts and events about detected security threats, and can be integrated with AWS Management Console, AWS CLI, AWS SDK, and other methods. It helps customers make their cloud environments more secure and serves as an effective security measure to keep AWS accounts safe.

AWS Security Hub

  • AWS Security Hub is a security service provided by Amazon Web Services (AWS). It can be used to centrally monitor, assess, and report on the security posture of AWS accounts. AWS Security Hub utilizes various security checks and integrations to automatically detect security threats, attack methods, and security incidents in AWS accounts.
  • AWS Security Hub provides a detailed view of security events in AWS accounts, including the following features:
  1. Common Security Controls: AWS Security Hub automatically assesses compliance checks for various security services and features in AWS accounts and consolidates the results, providing an overview to quickly understand and improve the security posture.
  2. Automated Threat Detection: AWS Security Hub consolidates threat detection results from services such as AWS GuardDuty, Amazon Inspector, and other AWS security services. This allows for instant alerts about potential security threats and vulnerabilities.
  3. Third-Party Integrations: AWS Security Hub also supports integrations with third-party security tools for security checks. Through integrations provided by various security partners, you can view results from different security tools in a central location.
  4. Compliance Assessments: AWS Security Hub can assess and report on compliance with various regulations (e.g., PCI DSS, CIS AWS Foundations Benchmark, HIPAA, GDPR, etc.) using compliance checks.
  5. Visualization and Reporting: AWS Security Hub offers a user-friendly interface, rich reporting features, and integrated analytics tools for better understanding of security posture and generating effective reports for administrators and security teams.

AWS Security Hub is a unified security service to monitor the security posture of AWS accounts and effectively manage security events.

Amazon Detective

Amazon Detective is a security service provided by Amazon Web Services (AWS) that offers an advanced analytics platform for analyzing, detecting, and investigating security events and threats in AWS accounts.

Amazon Detective automatically collects, analyzes, and visualizes security events from services such as AWS CloudTrail, Amazon VPC Flow Logs, and Amazon GuardDuty in AWS accounts.

  • Can ingest and correlate logs from CloudTrail, VPC Flow Logs, and GuardDuty
  • Drill down into relevant activities

Amazon Macie

Amazon Macie is a security service provided by Amazon Web Services (AWS) that is used to automatically discover, classify, and detect sensitive data in data stored in AWS accounts.

Amazon Macie automatically accesses data stored in AWS cloud storage services (such as Amazon S3) and analyzes the data to identify sensitive data types (such as credit card numbers, social security numbers, health data, etc.) and sensitive data patterns (such as email addresses, phone numbers, etc.). It also allows users to define their own custom data patterns or templates.

  • Will search for PII to comply with privacy regulations such as

  • Allows for custom searches
  • Continually evaluates S3 environments
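The paragraph above says Macie identifies sensitive data types and patterns in S3 objects and lets you define custom patterns. The following script is an added example, not Macie's own code: it reproduces that model in miniature, with each identifier being a regular expression, an optional validator (a Luhn check for card numbers, as real card-number detection does) and optional keywords that must appear within a set distance of the match, as Macie's custom data identifiers allow. Findings carry only the identifier name, the offset and a masked value, never the raw match. The sample objects are constructed: 4111 1111 1111 1111 is the standard test card number, and the EMP-nnnnnn badge format is a hypothetical custom pattern.

```python
"""Scan object contents for sensitive data, the way Macie data identifiers work.

Added example, not Macie's own code. Each identifier is a regex, an optional
validator and optional keywords that must occur within keyword_distance
characters of the match. Findings report a masked value, never the raw match.
Sample objects are constructed; the badge-id identifier is hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def luhn_ok(digits):
    """Luhn checksum; card-number detection applies it to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Identifier:
    name: str
    pattern: "re.Pattern"
    validator: Optional[Callable[[str], bool]] = None
    keywords: Tuple[str, ...] = ()     # at least one must appear near the match
    keyword_distance: int = 50         # characters before/after the match to search


@dataclass
class Finding:
    identifier: str
    offset: int
    masked: str


IDENTIFIERS = [
    # managed-style identifiers
    Identifier("CREDIT_CARD_NUMBER", re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
               validator=lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    Identifier("EMAIL_ADDRESS", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # custom identifier (hypothetical): an employee badge id, flagged only near an HR keyword
    Identifier("CUSTOM_EMPLOYEE_ID", re.compile(r"\bEMP-\d{6}\b"),
               keywords=("employee", "staff"), keyword_distance=40),
]


def mask(value):
    """Keep the last four characters so an analyst can correlate, hide the rest."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "****"


def scan_text(text):
    """Run every identifier over one object body and return its findings."""
    findings, lowered = [], text.lower()
    for ident in IDENTIFIERS:
        for m in ident.pattern.finditer(text):
            value = m.group(0)
            if ident.validator and not ident.validator(value):
                continue  # matches the shape but fails validation
            if ident.keywords:
                lo, hi = max(0, m.start() - ident.keyword_distance), m.end() + ident.keyword_distance
                if not any(k in lowered[lo:hi] for k in ident.keywords):
                    continue  # pattern matched but no supporting context nearby
            findings.append(Finding(ident.name, m.start(), mask(value)))
    return findings


def scan_bucket(objects):
    """objects maps an object key to its text body (stand-in for listing an S3 bucket)."""
    report = {}
    for key, body in objects.items():
        found = scan_text(body)
        if found:
            report[key] = found
    return report


# Constructed sample objects standing in for files in a bucket.
SAMPLE_OBJECTS = {
    "exports/customers.csv": ("id,email,card\n"
                              "1,jane.doe@example.com,4111 1111 1111 1111\n"
                              "2,bob@example.org,4111 1111 1111 1112\n"),
    "hr/roster.txt": "Employee badge EMP-004211 issued to new staff member.\n",
    "logs/app.log": "2023-04-20 10:15:00 INFO ticket EMP-990001 reopened, request served in 12ms\n",
}

if __name__ == "__main__":
    for key, found in scan_bucket(SAMPLE_OBJECTS).items():
        for f in found:
            print(f"{key}: {f.identifier} at offset {f.offset} -> {f.masked}")
```

The second card number in customers.csv has the right shape but fails the Luhn check, and the badge id in app.log has no HR keyword near it, so neither is reported; that is the difference between a bare regex and a data identifier, and it is why the log file does not appear in the report at all.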

AWS Inspector

AWS Inspector is a security service offered by Amazon Web Services (AWS). AWS Inspector is used to assess the security of applications and systems in AWS accounts, identify security vulnerabilities, and provide remediation recommendations.

AWS Inspector is an agent-based service for conducting security assessments. AWS Inspector agents can be deployed on Amazon EC2 instances, on-premises servers, or virtual machines to perform security scans on applications and systems running on these resources.

  • Monitors operating systems for security vulnerabilities and risky applications
  • Agent based deployment to operating systems

Rules for:

  • Network Reachability
  • Common Vulnerabilities
  • CIS Benchmarks
  • AWS best practices

  • It can send findings to CloudWatch and Security Hub

The next article will cover EC2 Incident Response and Forensic Analysis, Margarita Shotgun (a remote memory acquisition tool), and the aws_ir tool.

Stay tuned.