Daily Blog #703: Looking back at AWS EBS Direct Block access API

Hello Reader,

It's been a while! I've ... been busy? It's hard to describe the last 16 months prior to this daily blog other than as a series of career-defining events in my 'leveling up' at KPMG, along with the launch of my new SANS class FOR509: Enterprise Cloud Incident Response and Forensics!


Oh and there was that collab with Crowdstrike (https://www.youtube.com/watch?v=7DHb1gzF5o4)


So yeah, a little busy.


But! That doesn't mean I haven't wanted to go back to posting, sharing and pushing myself to learn more. It should come as no surprise that a lot of what I've been researching has been less operating-system focused and more cloud focused. So today let's talk about interesting ways to access snapshots.


This whole discussion came out of teaching FOR509 in DC (shout out to my CDI students!). You see, in Azure, when you make a snapshot you can download, copy, or access it as a VHD without restoring it to another volume (I'll post about this tomorrow), but within AWS there is no ability to download a snapshot as an image from any of the standard EBS calls. (If you know of a way to do this in AWS other than direct block access, please let me know!)


In discussing this with others, they brought up an interesting use case for the direct block access API that I hadn't thought of! While I was nerding out thinking about using this API as a rapid triage tool to read file systems without accessing entire snapshots, others have realized you can access every block to create an image of the snapshot! This would allow you to fully download a snapshot (either in the cloud or on prem) and store it in a dd file without having to restore it. I'll be writing a script to do this and will post it here (it would make a good blog post!) and put it into our FOR509 GitHub (https://github.com/dlcowen/sansfor509), which contains all the cloud-provider-related scripts we are creating for the class.
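The imaging approach described above, as an added example that is neither the author's script nor anything from the FOR509 repo: it pages through `list_snapshot_blocks`, fetches each listed block with `get_snapshot_block`, verifies the SHA256 checksum the API returns, and writes the block at `BlockIndex * BlockSize` into a sparse file pre-sized to the volume, which yields a dd-style raw image where unwritten blocks read back as zeros. The `FakeEbs` class and the snapshot id `snap-0123456789abcdef0` are constructed stand-ins so it runs offline; a real run needs boto3 and read access to the snapshot (`ebs:ListSnapshotBlocks` and `ebs:GetSnapshotBlock`).

```python
import base64, hashlib, io, os, tempfile

def image_snapshot(ebs, snapshot_id, out_path):
    """Copy every allocated block of a snapshot into a sparse raw (dd-style) image file.
    `ebs` is a boto3 "ebs" client, or any object with the same two methods. Returns (blocks, bytes)."""
    written, token = 0, None
    with open(out_path, "wb") as img:
        while True:
            extra = {"NextToken": token} if token else {}  # page through the block list
            page = ebs.list_snapshot_blocks(SnapshotId=snapshot_id, MaxResults=1000, **extra)
            # Only written blocks are listed and VolumeSize is in GiB; pre-sizing leaves the gaps as zero holes.
            img.truncate(page["VolumeSize"] * 1024 ** 3)
            for blk in page["Blocks"]:
                resp = ebs.get_snapshot_block(SnapshotId=snapshot_id, BlockIndex=blk["BlockIndex"],
                                              BlockToken=blk["BlockToken"])
                data = resp["BlockData"].read()
                # Checksum is the base64-encoded SHA256 of the block data; verify before writing.
                if base64.b64encode(hashlib.sha256(data).digest()).decode() != resp["Checksum"]:
                    raise IOError(f"checksum mismatch at block {blk['BlockIndex']}")
                img.seek(blk["BlockIndex"] * page["BlockSize"])
                img.write(data)
                written += 1
            token = page.get("NextToken")
            if not token:
                break
    return written, os.path.getsize(out_path)

class FakeEbs:  # constructed offline stand-in for the boto3 client: 1 GiB volume, two written blocks
    BLOCK = 512 * 1024  # EBS direct APIs serve 512 KiB blocks
    def __init__(self):
        self.blocks = {0: b"MBR" + b"\x00" * (self.BLOCK - 3), 7: b"\xab" * self.BLOCK}
    def list_snapshot_blocks(self, **kw):
        return {"Blocks": [{"BlockIndex": i, "BlockToken": f"tok-{i}"} for i in sorted(self.blocks)],
                "BlockSize": self.BLOCK, "VolumeSize": 1}
    def get_snapshot_block(self, SnapshotId, BlockIndex, BlockToken):
        data = self.blocks[BlockIndex]
        return {"BlockData": io.BytesIO(data), "Checksum": base64.b64encode(hashlib.sha256(data).digest()).decode()}

def demo():
    """Image the constructed snapshot to a temp file; return (blocks, size, first 3 bytes, byte in block 7)."""
    path = os.path.join(tempfile.mkdtemp(), "snap.dd")
    blocks, size = image_snapshot(FakeEbs(), "snap-0123456789abcdef0", path)  # placeholder snapshot id
    with open(path, "rb") as f:
        head = f.read(3)
        f.seek(7 * FakeEbs.BLOCK)
        return blocks, size, head, f.read(1)

if __name__ == "__main__":  # real run: python image_snapshot.py <snapshot-id> <out.dd>
    import sys, boto3
    print(image_snapshot(boto3.client("ebs"), sys.argv[1], sys.argv[2]))
```

The resulting file is a plain raw image, so the usual mount or parsing tooling works on it directly; hash it after the download completes so the copy can be verified later.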


So I hope you found this interesting, I certainly did, and find some use for this in your investigations!


Read more about the AWS Direct Block Access API here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-accessing-snapshot.html
