Isolating EC2 Instances for Forensic Inspection

From Cramsession
Revision as of 01:48, 19 May 2025 by Mflavell

The best way to do this is to create a dedicated forensic account.

  • Keeping the EC2 instance inside the production account can be dangerous.
      • Any malicious software could spread to other production systems.

Isolate it

  • Isolate the problem instance from everything else.
      • Remove it from the production network.
      • Prevent access to the instance.


How to isolate

  • Create a snapshot of the instance.
      • Share the snapshot with the forensic account.
  • Take a memory dump of the instance if possible.
  • Change the security group of the instance to isolate it quickly.
      • This approach also preserves as much evidence as possible.
      • Any changes you make may appear in logs, which is bad for the investigation.
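The steps above, carried out against the EC2 API in the order the page recommends, as an added example that is not part of the original page. It assumes the boto3 EC2 client API (`modify_instance_attribute`, `create_snapshot`, `modify_snapshot_attribute`, and so on); the instance, VPC and account IDs are constructed placeholders, and `FakeEC2` is a constructed stand-in for a real `boto3.client("ec2")` so the script runs offline. The quarantine security group is created with no inbound and no outbound rules (the default allow-all egress rule is revoked), the group swap happens before anything else so the instance is cut off without touching its disk, and the snapshots are shared with the forensic account only once they are complete. A memory dump is not an EC2 API operation, so it is left to tooling run on the instance itself.

```python
"""Quarantine an EC2 instance and hand its disks to a forensic account.

Added example, not code from the original page. FakeEC2 is a constructed
stand-in for a boto3 EC2 client; pass boto3.client("ec2") to run for real.
"""
from datetime import datetime, timezone

# Hypothetical IDs, constructed for this example.
INSTANCE_ID = "i-0123456789abcdef0"
FORENSIC_ACCOUNT = "111122223333"
VPC_ID = "vpc-0abc"


def create_quarantine_sg(ec2, vpc_id, name="quarantine-no-traffic"):
    """Create a security group that allows no traffic in either direction.

    A new group starts with no ingress rules, but AWS attaches an
    allow-all egress rule, so that rule is revoked explicitly; otherwise
    the isolated instance could still reach out to other systems.
    """
    sg_id = ec2.create_security_group(
        GroupName=name, Description="forensic quarantine", VpcId=vpc_id
    )["GroupId"]
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    return sg_id


def isolate_instance(ec2, instance_id, quarantine_sg, forensic_account):
    """Cut the instance off, snapshot its volumes, share them; return IDs."""
    # 1. Isolate first: replacing every attached group with the empty
    #    quarantine group removes network access immediately and leaves
    #    the instance's disk untouched.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  Groups=[quarantine_sg])

    # 2. Snapshot every EBS volume before anyone logs in or changes state.
    reservations = ec2.describe_instances(InstanceIds=[instance_id])
    instance = reservations["Reservations"][0]["Instances"][0]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snapshot_ids = []
    for mapping in instance.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"forensic {instance_id} {mapping['DeviceName']} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "case", "Value": instance_id}]}],
        )
        snapshot_ids.append(snap["SnapshotId"])

    # 3. Once the snapshots are complete, grant the forensic account
    #    permission to create volumes from them, so analysis happens
    #    outside the production account.
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=snapshot_ids)
    for snapshot_id in snapshot_ids:
        ec2.modify_snapshot_attribute(
            SnapshotId=snapshot_id,
            Attribute="createVolumePermission",
            OperationType="add",
            UserIds=[forensic_account],
        )
    return snapshot_ids


class _FakeWaiter:
    def wait(self, **kwargs):
        pass


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client that records each call."""

    def __init__(self, volumes):
        self.volumes = volumes      # device name -> volume id
        self.calls = []             # (method name, kwargs) in call order
        self._snap_counter = 0

    def __getattr__(self, name):
        def method(*args, **kwargs):
            self.calls.append((name, kwargs))
            if name == "create_security_group":
                return {"GroupId": "sg-quarantine"}
            if name == "describe_instances":
                mappings = [{"DeviceName": d, "Ebs": {"VolumeId": v}}
                            for d, v in self.volumes.items()]
                return {"Reservations": [{"Instances": [
                    {"BlockDeviceMappings": mappings}]}]}
            if name == "create_snapshot":
                self._snap_counter += 1
                return {"SnapshotId": f"snap-{self._snap_counter:04d}"}
            if name == "get_waiter":
                return _FakeWaiter()
            return {}
        return method


def run_demo():
    """Run the whole procedure against the fake client; return what happened."""
    ec2 = FakeEC2({"/dev/xvda": "vol-root", "/dev/xvdf": "vol-data"})
    sg = create_quarantine_sg(ec2, VPC_ID)
    snaps = isolate_instance(ec2, INSTANCE_ID, sg, FORENSIC_ACCOUNT)
    return sg, snaps, ec2.calls


if __name__ == "__main__":
    sg, snaps, calls = run_demo()
    print(sg, snaps)
    for name, kwargs in calls:
        print(name, kwargs)
```

The recorded call order is the point: the security-group swap is the only change made to the running instance before its volumes are captured, which keeps the evidence as intact as possible, and every later action targets snapshots rather than the instance.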