AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-05-10 · Documentation low

File: solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md

Summary

Updated architecture documentation with revised workflow steps, forensic AMI requirements, isolation mechanisms, and evidence handling details

Security assessment

The changes enhance documentation of security controls like instance isolation via security groups, forensic evidence chain of custody, and integration with security services (GuardDuty/Security Hub). While these are security-related features, there's no indication they address a specific newly discovered vulnerability.

Diff

diff --git a/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md b/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
index d2fbb04be..3ac4e5780 100644
--- a//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
+++ b//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
@@ -7 +7 @@
-Deploying this solution with the default parameters builds the following environment in the AWS Cloud. 
+Deploying this Guidance with the default parameters builds the following environment in the AWS Cloud. 
@@ -9 +9 @@ Deploying this solution with the default parameters builds the following environ
-![Automated Forensics Orchestrator for Amazon EC2 architecture diagram](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/automated-forensics-orchestrator-arch-diagram.png)
+![Automated Forensics Orchestrator for Amazon EC2 architecture diagram](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/automated-forensics-orchestrator-for-amazon-ec2.png)
@@ -13 +13 @@ Deploying this solution with the default parameters builds the following environ
-  1. In the AWS application account, AWS Config Rule, [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to Amazon EC2 resources. For example, an EC2 instance is querying a low reputation domain name that is associated with known abused domains. The findings are sent to AWS Security Hub in the security account via their native or existing integration. 
+  1. Prior to running the workflow, you will need a forensic Amazon Machine Image (AMI). You can use [Amazon EC2 Image Builder](https://aws.amazon.com/image-builder/) to build a new forensic AMI or an existing forensic AMI. 
@@ -15 +15 @@ Deploying this solution with the default parameters builds the following environ
-  2. By default, all [AWS Security Hub](https://aws.amazon.com/security-hub/) findings are then sent to [Amazon EventBridge](https://aws.amazon.com/eventbridge/) to invoke automated downstream workflows. 
+  2. AWS Step Functions leverages the forensic AMI to perform memory and disk investigation. 
@@ -17 +17 @@ Deploying this solution with the default parameters builds the following environ
-  3. For a specified event, Amazon EventBridge provides an instance ID for the forensics process to target, and initiates the [AWS Step Functions](https://aws.amazon.com/step-functions/) workflow. 
+  3. In the AWS application account, [AWS Config managed rules](https://aws.amazon.com/https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to [AWS Security Hub](https://aws.amazon.com/security-hub/) in the security account through their native or existing integration. 
@@ -19 +19 @@ Deploying this solution with the default parameters builds the following environ
-  4. AWS Step Functions triages the request as follows: 
+  4. By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows. 
@@ -21 +21 @@ Deploying this solution with the default parameters builds the following environ
-    1. Gets the instance information 
+  5. For a specified event, EventBridge provides an instance ID for the forensics process to target, and initiates the Step Functions workflow. 
@@ -23 +23 @@ Deploying this solution with the default parameters builds the following environ
-    2. Determines if isolation is required based on the AWS Security Hub action 
+  6. Step Functions triages the request through the following approach: It first gets the instance information. It then determines if isolation is required based on the Security Hub action and if acquisition is required based on tags associated with the instance. Finally, it initiates the acquisition flow based on triaging output. 
@@ -25 +25 @@ Deploying this solution with the default parameters builds the following environ
-    3. Determines if acquisition is required based on tags associated with the instance 
+    1. Amazon DynamoDB stores triaging details. 
@@ -27 +27 @@ Deploying this solution with the default parameters builds the following environ
-    4. Initiates the acquisition flow based on triaging output 
+    2. Two acquisition flows are initiated in parallel: The Memory Forensics Flow is a Step Functions workflow that captures the memory data and stores it in Amazon Simple Storage Service (Amazon S3). Post memory acquisition, the instance is isolated using security groups. To help ensure the chain of custody, a new security group gets attached to the targeted instance and removes any access for users, admins, or developers. Isolation is initiated based on the selected Security Hub action. The Disk Forensics Flow is a Step Functions workflow that takes a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume and shares it with the forensic account. 
@@ -29 +29 @@ Deploying this solution with the default parameters builds the following environ
-  5. Triaging details are stored in [Amazon DynamoDB](https://aws.amazon.com/dynamodb/). 
+    3. DynamoDB stores acquisition details. 
@@ -31 +31 @@ Deploying this solution with the default parameters builds the following environ
-  6. The following two acquisition flows are initiated in parallel: 
+    4. Once the disk or memory acquisition process is complete, a notification is sent to an investigation Step Functions state machine to begin the automated investigation of the captured data. 
@@ -33 +33 @@ Deploying this solution with the default parameters builds the following environ
-    1. _Memory forensics flow_ \- The AWS Step Function workflow captures the memory data and stores them in [Amazon S3](https://aws.amazon.com/s3/). Post memory acquisition, the instance is isolated using security groups. To help ensure the chain of custody, a new security group gets attached to the targeted instance, and removes any access for users, admins, or developers. Note that isolation is initiated based on the selected AWS Security Hub action. 
+    5. When the Step Functions jobs are complete, DynamoDB stores the state of forensic tasks and their results. 
@@ -35 +35 @@ Deploying this solution with the default parameters builds the following environ
-    2. _Disk forensics flow_ \- The AWS Step Function workflow takes snapshot of the EBS volume, and shares it with the forensic account. 
+  7. Investigation Step Functions starts a forensic instance from an existing forensic AMI loaded with customer forensic tools. Step Functions loads the memory data from Amazon S3 for investigation, creates an EBS volume from the snapshot, and attaches the EBS volume for disk analysis. 
@@ -37 +37 @@ Deploying this solution with the default parameters builds the following environ
-  7. Acquisition details are stored in DynamoDB. 
+  8. AWS Systems Manager documents (SSM documents) run forensic investigation. 
@@ -39 +39 @@ Deploying this solution with the default parameters builds the following environ
-  8. Once the disk or memory acquisition process is complete, and the evidence has been captured successfully, a notification is sent to an investigation Step Function state machine to begin the automated investigation of the captured data. 
+  9. Amazon Simple Notification Service (Amazon SNS) shares investigation details with customers. 
@@ -41,17 +41 @@ Deploying this solution with the default parameters builds the following environ
-  9. Investigation Step Function starts forensic instance from forensic AMI loaded with customer forensic tools: 
-
-    1. Loads the memory data from S3 for memory investigation 
-
-    2. Creates an EBS volume from the snapshot and attaches the EBS volume for disk analysis 
-
-  10. AWS Systems Manager documents (SSM documents) are used to run forensic investigation. 
-
-  11. Amazon DynamoDB stores the state of forensic tasks as well as their result when the jobs are complete. Investigation job details are stored in DynamoDB. 
-
-  12. Investigation details are shared with customers using the [Amazon Simple Notification Service](https://aws.amazon.com/sns/) (Amazon SNS). 
-
-  13. [EC2 Image Builder](https://aws.amazon.com/image-builder/) builds the Forensic Amazon Machine Images (AMI). Note: You can also use an existing forensic AMI. 
-
-  14. Forensic AMI is leveraged by investigation Step Functions to perform memory and disk investigation. 
-
-  15. The Forensic timeline can be queried using [AWS AppSync](https://aws.amazon.com/appsync/). For more details, refer to [Sample AppSync API to query forensic details](./sample-appsync-api-to-query-forensic-details.html). 
+  10. AWS AppSync can query the forensic timeline. For more details, refer to Sample AppSync API to query forensic details. 
@@ -74 +58 @@ Cost
-Solution components
+Guidance components