Sunday, March 17, 2019

Daily Blog #645: Solution Saturday 3/16/19

Hello Reader,
Spring break is ending, which means kids are going back to school soon and I'll be back on track with blogging. Here is this week's winner!

The Challenge:
Name and describe all of the available forensic data sources provided by Amazon AWS for EC2

The Winning Answer:
Jonathan Yan

CloudTrail Logs
CloudTrail is an audit log that is enabled by default and stores all actions on resources for an account for 90 days. For EC2 specifically, it can provide information on the user and the action they performed on a specific resource, such as EC2 KeyPairs, NetworkAcl, SecurityGroup, or Snapshot, to see if any suspicious changes were made.
EBS (Elastic Block Store) Snapshots
Elastic Block Store volumes are the hard drives that EC2 instances use to store data. Snapshots can be taken of the EBS volume of a compromised instance and mounted onto a trusted EC2 instance for forensic investigation. These snapshots can be taken regularly as part of backups or whilst responding to an incident. Note that the ownership of snapshots can be assigned to another AWS account to ensure they cannot be modified by anyone with permissions over a compromised account.

VPC Flow Logs
VPC Flow Logs are a record of IP traffic to and from network interfaces within a Virtual Private Cloud (VPC), which is the segregated network that EC2 instances reside in. They can provide a trail of all network traffic to and from each EC2 instance. However, this has to be enabled per VPC and then sent to AWS CloudWatch or stored in an AWS S3 bucket, where it can then be analysed.
AWS Systems Manager
AWS Systems Manager is a utility that can be enabled as an AWS agent on an EC2 instance to record all the installed software, network configurations, CPU data, Windows patch versions, and specific Windows registry keys and files. It could be useful for a first glance while in the console, but it has to be enabled and configured correctly before an incident occurs to provide value. Additionally, the information shown here can be found during forensic investigation of the EBS volume.
AWS Inspector
AWS Inspector is a vulnerability scanning platform that can identify vulnerabilities in applications running on EC2 instances. If enabled and configured, it could be useful during forensic investigations to narrow down which vulnerabilities may have been exploited on a host.
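As an added example (not part of the winning answer or the original post), the snippet below triages CloudTrail records for the EC2 control-plane changes the answer calls out (KeyPairs, NetworkAcl, SecurityGroup, Snapshot) and builds a timeline of who changed what. It assumes CloudTrail's JSON layout (a top-level "Records" list with eventSource, eventName, eventTime, userIdentity and requestParameters); the sample records are constructed, not taken from a real account.

```python
"""Triage CloudTrail records for EC2 control-plane changes (added example)."""
import json

# EC2 API calls that modify the resource types the answer highlights.
WATCHED_EVENTS = {
    "CreateKeyPair", "ImportKeyPair", "DeleteKeyPair",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
    "CreateSnapshot", "DeleteSnapshot", "ModifySnapshotAttribute",
}

# Constructed sample log: two EC2 changes, one read-only call, one S3 call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2019-03-10T02:14:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"groupId": "sg-0aa11bb22cc33dd44"}},
    {"eventTime": "2019-03-10T02:15:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifySnapshotAttribute",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"snapshotId": "snap-0123456789abcdef0",
                           "attributeType": "createVolumePermission"}},
    {"eventTime": "2019-03-10T02:16:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "requestParameters": {}},
    {"eventTime": "2019-03-10T02:17:22Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "requestParameters": {"bucketName": "example-bucket"}},
]})

RESOURCE_KEYS = ("groupId", "snapshotId", "networkAclId", "keyName")

def ec2_changes(log_text):
    """Return a sorted timeline of (time, who, action, resource) for watched EC2 calls."""
    timeline = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue  # not an EC2 API call
        if rec.get("eventName") not in WATCHED_EVENTS:
            continue  # read-only or out-of-scope action
        params = rec.get("requestParameters") or {}
        resource = next((params[k] for k in RESOURCE_KEYS if k in params), "?")
        identity = rec.get("userIdentity", {})
        who = identity.get("userName", identity.get("type", "unknown"))
        timeline.append((rec["eventTime"], who, rec["eventName"], resource))
    return sorted(timeline)

if __name__ == "__main__":
    for row in ec2_changes(SAMPLE_LOG):
        print("%s  %-12s %-30s %s" % row)
```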
Cheers,
