Isolating EC2 Instances for Forensic Inspection: Difference between revisions
From Cramsession
Jump to navigationJump to search
✍️ Verified Author: Mflavell • Click to view professional profile & credentials
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
[[Study Guides]] > [[AWS Cybersecurity Notes]] > Isolating EC2 Instances for Forensic Inspection | [[Study Guides]] > [[AWS Cybersecurity Notes]] > Isolating EC2 Instances for Forensic Inspection | ||
The best eay to do this is through the creation of a forensic account. | The best eay to do this is through the creation of a forensic account. | ||
Latest revision as of 01:51, 19 May 2025
Study Guides > AWS Cybersecurity Notes > Isolating EC2 Instances for Forensic Inspection
The best eay to do this is through the creation of a forensic account.
- Keeping the EC2 instacne inside the production account can be dangeriouous.
- Any malcious software could spread to other production systems.
Isolate it
- Isolate the problem instance from everything else.
- Remove it from the production network.
- Prevent access to the instance.
How to isolate
- Creare a snapshot of the instance.
- Share the snapshot with the forensic account.
- Take a memory dump fo the insance if possible.
- Change the security group of a instance to isolate it quickly.
- This approach also preserves as much evidence as possible.
- Any changes you make may appear on logs - this is bad for the investigation.
