AWS prescriptive-guidance documentation change
Summary
Formatting and terminology updates including service name consistency (e.g., 'EC2' -> 'Amazon EC2'), section removal for 'Target technology stack', and documentation clarity improvements
Security assessment
Changes focus on terminology standardization (e.g., expanding SNS/S3 acronyms) and structural edits without introducing new security controls or addressing vulnerabilities. The IAM permission removal process mentioned was already present and only received terminology updates.
Diff
diff --git a/prescriptive-guidance/latest/patterns/automate-incident-response-and-forensics.md b/prescriptive-guidance/latest/patterns/automate-incident-response-and-forensics.md index 4ee644008..2c9e9b227 100644 --- a//prescriptive-guidance/latest/patterns/automate-incident-response-and-forensics.md +++ b//prescriptive-guidance/latest/patterns/automate-incident-response-and-forensics.md @@ -17 +17 @@ This pattern deploys a set of processes that use AWS Lambda functions to provide - * Automated, repeatable processes that are aligned with the AWS Security Incident Response Guide + * Automated, repeatable processes that are aligned with the _AWS Security Incident Response Guide_ @@ -55 +55 @@ For more details, see the Additional information section. - * The Amazon Elastic Compute Cloud (Amazon EC2) role must have Get and List access to Amazon Simple Storage Service (Amazon S3) and be accessible by AWS Systems Manager. We recommend using the `AmazonSSMManagedInstanceCore` AWS managed role. Note that this role will automatically be attached to the EC2 instance when incident response is initiated. After the response has finished, AWS Identity and Access Management (IAM) will remove all rights to the instance. + * The Amazon Elastic Compute Cloud (Amazon EC2) role must have Get and List access to Amazon Simple Storage Service (Amazon S3) and be accessible by AWS Systems Manager. We recommend using the `AmazonSSMManagedInstanceCore` AWS managed role. Note that this role will automatically be attached to the Amazon EC2 instance when incident response is initiated. After the response has finished, AWS Identity and Access Management (IAM) will remove all rights to the instance. @@ -59 +59 @@ For more details, see the Additional information section. - * AWS Command Line Interface (AWS CLI) installed on the EC2 instances. If the EC2 instances don’t have AWS CLI installed, internet access will be required for the disk snapshot and memory acquisition to work. In this case, the scripts will reach out to the internet to download the AWS CLI installation files and will install them on the instances. + * AWS Command Line Interface (AWS CLI) installed on the Amazon EC2 instances. If the Amazon EC2 instances don’t have AWS CLI installed, internet access will be required for the disk snapshot and memory acquisition to work. In this case, the scripts will reach out to the internet to download the AWS CLI installation files and will install them on the instances. @@ -75,25 +74,0 @@ For more details, see the Additional information section. -**Target technology stack** - - * AWS CloudFormation - - * AWS CloudTrail - - * AWS Config - - * IAM - - * Lambda - - * Amazon S3 - - * AWS Key Management System (AWS KMS) - - * AWS Security Hub - - * Amazon Simple Notification Service (Amazon SNS) - - * AWS Step Functions - - - - @@ -125 +100 @@ The following diagram shows the member account. -1\. An event is sent to the Slack Amazon SNS topic. +1\. An event is sent to the Slack Amazon Simple Notification Service (Amazon SNS) topic. @@ -131 +106 @@ The following diagram shows the Security account. -2\. The SNS topic in the Security account initiates Forensics events. +2\. The Amazon SNS topic in the Security account initiates Forensics events. @@ -137 +112 @@ The following diagram shows the Forensics account. -The Security account is where the two main AWS Step Functions workflows are created for memory and disk image acquisition. After the workflows are running, they access the member account that has the EC2 instances involved in an incident, and they initiate a set of Lambda functions that will gather a memory dump or a disk dump. Those artifacts are then stored in the Forensics account. +The Security account is where the two main AWS Step Functions workflows are created for memory and disk image acquisition. After the workflows are running, they access the member account that has the Amazon EC2 instances involved in an incident, and they initiate a set of Lambda functions that will gather a memory dump or a disk dump. Those artifacts are then stored in the Forensics account. @@ -139 +114 @@ The Security account is where the two main AWS Step Functions workflows are crea -The Forensics account will hold the artifacts gathered by the Step Functions workflow in the Analysis artifacts S3 bucket. The Forensics account will also have an EC2 Image Builder pipeline that builds an Amazon Machine Image (AMI) of a Forensics instance. Currently, the image is based on SANS SIFT Workstation. +The Forensics account will hold the artifacts gathered by the Step Functions workflow in the Analysis artifacts Amazon S3 bucket. The Forensics account will also have an Amazon EC2 Image Builder pipeline that builds an Amazon Machine Image (AMI) of a Forensics instance. Currently, the image is based on SANS SIFT Workstation. @@ -141 +116 @@ The Forensics account will hold the artifacts gathered by the Step Functions wor -The build process uses the Maintenance VPC, which has connectivity to the internet. The image can be later used for spinning up the EC2 instance for analysis of the gathered artifacts in the Analysis VPC. +The build process uses the Maintenance VPC, which has connectivity to the internet. The image can be later used for spinning up the Amazon EC2 instance for analysis of the gathered artifacts in the Analysis VPC. @@ -143 +118 @@ The build process uses the Maintenance VPC, which has connectivity to the intern -The Analysis VPC does not have internet connectivity. By default, the pattern creates three private analysis subnets. You can create up to 200 subnets, which is the quota for the number of subnets in a VPC, but the VPC endpoints need to have those subnets added for AWS Systems Manager Sessions Manager to automate running commands in them. +The Analysis VPC does not have internet connectivity. By default, the pattern creates three private analysis subnets. You can create up to 200 subnets, which is the quota for the number of subnets in a VPC, but the VPC endpoints need to have those subnets added for AWS Systems Manager Session Manager to automate running commands in them. @@ -170 +145 @@ The following diagram shows the key steps of a workflow that includes the proces - 3. Tag the EC2 instance with the `Contain` tag. + 3. Tag the Amazon EC2 instance with the `Contain` tag. @@ -185 +160 @@ The intent of this pattern is to provide a scalable solution to perform incident -**AWS Services** +**AWS services** @@ -189 +164 @@ The intent of this pattern is to provide a scalable solution to perform incident - * [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open-source tool for interacting with AWS services through commands in your command-line shell. + * [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) is an open source tool for interacting with AWS services through commands in your command-line shell. @@ -220 +195 @@ Deploy CloudFormation templates.| The CloudFormation templates are marked 1 thro - * `1-forensic-AnalysisVPCnS3Buckets.yaml`: Deployed in the forensics account. It creates the S3 buckets and the Analysis VPC, and it activates CloudTrail. + * `1-forensic-AnalysisVPCnS3Buckets.yaml`: Deployed in the forensics account. It creates the Amazon S3 buckets and the Analysis VPC, and it activates CloudTrail. @@ -228 +203 @@ Deploy CloudFormation templates.| The CloudFormation templates are marked 1 thro -To initiate the incident response framework for a specific EC2 instance, create a tag with the key `SecurityIncidentStatus` and the value `Analyze`. This will initiate the member Lambda function that will automatically start isolation and memory as well as disk acquisition.| AWS administrator +To initiate the incident response framework for a specific Amazon EC2 instance, create a tag with the key `SecurityIncidentStatus` and the value `Analyze`. This will initiate the member Lambda function that will automatically start isolation and memory as well as disk acquisition.| AWS administrator