AWS solutions documentation change
Summary
Condensed architecture workflow steps into a more concise format, removed numbered list structure, and simplified image reference formatting
Security assessment
The changes primarily restructure documentation formatting without introducing new security concepts. While the content describes security-related forensic processes, the modifications focus on presentation rather than addressing vulnerabilities or adding security features. The existing security controls (isolation via security groups, forensic data handling) remain described but not fundamentally changed.
Diff
diff --git a/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md b/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md index 3ac4e5780..4028da0b8 100644 --- a//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md +++ b//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md @@ -9,2 +8,0 @@ Deploying this Guidance with the default parameters builds the following environ - - @@ -13,30 +11 @@ Deploying this Guidance with the default parameters builds the following environ - 1. Prior to running the workflow, you will need a forensic Amazon Machine Image (AMI). You can use [Amazon EC2 Image Builder](https://aws.amazon.com/image-builder/) to build a new forensic AMI or an existing forensic AMI. - - 2. AWS Step Functions leverages the forensic AMI to perform memory and disk investigation. - - 3. In the AWS application account, [AWS Config managed rules](https://aws.amazon.com/https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to [AWS Security Hub](https://aws.amazon.com/security-hub/) in the security account through their native or existing integration. - - 4. By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows. - - 5. For a specified event, EventBridge provides an instance ID for the forensics process to target, and initiates the Step Functions workflow. - - 6. Step Functions triages the request through the following approach: It first gets the instance information. It then determines if isolation is required based on the Security Hub action and if acquisition is required based on tags associated with the instance. Finally, it initiates the acquisition flow based on triaging output. - - 1. Amazon DynamoDB stores triaging details. - - 2. Two acquisition flows are initiated in parallel: The Memory Forensics Flow is a Step Functions workflow that captures the memory data and stores it in Amazon Simple Storage Service (Amazon S3). Post memory acquisition, the instance is isolated using security groups. To help ensure the chain of custody, a new security group gets attached to the targeted instance and removes any access for users, admins, or developers. Isolation is initiated based on the selected Security Hub action. The Disk Forensics Flow is a Step Functions workflow that takes a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume and shares it with the forensic account. - - 3. DynamoDB stores acquisition details. - - 4. Once the disk or memory acquisition process is complete, a notification is sent to an investigation Step Functions state machine to begin the automated investigation of the captured data. - - 5. When the Step Functions jobs are complete, DynamoDB stores the state of forensic tasks and their results. - - 7. Investigation Step Functions starts a forensic instance from an existing forensic AMI loaded with customer forensic tools. Step Functions loads the memory data from Amazon S3 for investigation, creates an EBS volume from the snapshot, and attaches the EBS volume for disk analysis. - - 8. AWS Systems Manager documents (SSM documents) run forensic investigation. - - 9. Amazon Simple Notification Service (Amazon SNS) shares investigation details with customers. - - 10. AWS AppSync can query the forensic timeline. For more details, refer to Sample AppSync API to query forensic details. - + @@ -43,0 +13 @@ Deploying this Guidance with the default parameters builds the following environ +Prior to running the workflow, you will need a forensic Amazon Machine Image (AMI). You can use [Amazon EC2 Image Builder](https://aws.amazon.com/image-builder/) to build a new forensic AMI or an existing forensic AMI. . AWS Step Functions leverages the forensic AMI to perform memory and disk investigation. . In the AWS application account, [AWS Config managed rules](https://aws.amazon.com/https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to [AWS Security Hub](https://aws.amazon.com/security-hub/) in the security account through their native or existing integration. . By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows. . For a specified event, EventBridge provides an instance ID for the forensics process to target, and initiates the Step Functions workflow. . Step Functions triages the request through the following approach: It first gets the instance information. It then determines if isolation is required based on the Security Hub action and if acquisition is required based on tags associated with the instance. Finally, it initiates the acquisition flow based on triaging output. @@ -44,0 +15 @@ Deploying this Guidance with the default parameters builds the following environ +\+ .. Amazon DynamoDB stores triaging details. .. Two acquisition flows are initiated in parallel: The Memory Forensics Flow is a Step Functions workflow that captures the memory data and stores it in Amazon Simple Storage Service (Amazon S3). Post memory acquisition, the instance is isolated using security groups. To help ensure the chain of custody, a new security group gets attached to the targeted instance and removes any access for users, admins, or developers. Isolation is initiated based on the selected Security Hub action. The Disk Forensics Flow is a Step Functions workflow that takes a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume and shares it with the forensic account. .. DynamoDB stores acquisition details. .. Once the disk or memory acquisition process is complete, a notification is sent to an investigation Step Functions state machine to begin the automated investigation of the captured data. .. When the Step Functions jobs are complete, DynamoDB stores the state of forensic tasks and their results. . Investigation Step Functions starts a forensic instance from an existing forensic AMI loaded with customer forensic tools. Step Functions loads the memory data from Amazon S3 for investigation, creates an EBS volume from the snapshot, and attaches the EBS volume for disk analysis. . AWS Systems Manager documents (SSM documents) run forensic investigation. . Amazon Simple Notification Service (Amazon SNS) shares investigation details with customers. . AWS AppSync can query the forensic timeline. For more details, refer to Sample AppSync API to query forensic details.