AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-06-28 · Documentation low

File: solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/forensic-memory-and-disk-acquisition-service.md

Summary

Restructured documentation layout and formatting for forensic acquisition workflow, consolidating numbered steps into paragraph form while maintaining technical content about memory dump handling and EC2 isolation processes

Security assessment

The changes primarily reorganize existing security documentation about forensic processes (memory acquisition, S3 storage with metadata tags, EC2 isolation via security groups) but don't introduce new security fixes or vulnerabilities. The content maintains security-focused descriptions of incident response procedures.

Diff

diff --git a/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/forensic-memory-and-disk-acquisition-service.md b/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/forensic-memory-and-disk-acquisition-service.md
index c5b102122..124fefff9 100644
--- a//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/forensic-memory-and-disk-acquisition-service.md
+++ b//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/forensic-memory-and-disk-acquisition-service.md
@@ -15 +15 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
-![Forensic memory disk acquisition, interaction step](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/forensic-memory-disk-acquisition-interaction.png)
+**"Forensic memory disk acquisition**
@@ -17 +17 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
-**Forensic memory disk acquisition - interaction step**
+![interaction step"](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/forensic-memory-disk-acquisition-interaction.png)
@@ -21,27 +21 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
-![Memory forensics acquisition workflow implementation.](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/memory-forensics-acquisition-workflow-implementation.png)
-
-**Memory forensics acquisition workflow - implementation**
-
-  1. The _Forensic triage_ Step Function initiates the _memory acquisition_ flow. 
-
-  2. The _Memory acquisition_ Lambda function in workflow leverages the SSM command to run SSM document in the compromised instance. 
-
-  3. The _Memory acquisition_ Lambda function assumes a role in the application account and passes the SSM document to be run along with credentials to copy the memory dump into an S3 bucket. 
-
-  4. AWS Systems Manager runs a memory acquisition document via the Run Command. 
-
-     * The memory dump is stored in an S3 bucket of the forensic account. 
-
-     * The memory dump has associated meta data tags to indicate the underlying OS and kernel the dump is associated with, assisting the _memory analysis flow_ further downstream. 
-
-  5. The _Check memory acquisition_ Lambda function checks for SSM Run Command to be completed. 
-
-  6. If the response from SSM Run Command status is `Pending` or `Delayed` or `In Progress`, it waits for 120 seconds. 
-
-  7. If the response from SSM Run Command status is `Success`, it checks if isolation is needed. 
-
-  8. If **isolation** is set to `true`, then the Lambda function assumes role into the application account and attaches a security group with no egress and ingress security group, and detaches the existing security group. Isolation is set to `true` during the triaging phase based on security event type.
-
-  9. This initiates investigation flow with forensic type as `MEMORY`. 
-
-  10. If any error occurs during the memory acquisition process, the EC2 instance isolation will be performed based on the `isolation` flag. 
+**Memory forensics acquisition workflow implementation**
@@ -48,0 +23 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
+![memory forensics acquisition workflow implementation](/images/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/images/memory-forensics-acquisition-workflow-implementation.png)
@@ -49,0 +25 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
+The _Forensic triage_ Step Function initiates the _memory acquisition_ flow. . The _Memory acquisition_ Lambda function in workflow leverages the SSM command to run SSM document in the compromised instance. . The _Memory acquisition_ Lambda function assumes a role in the application account and passes the SSM document to be run along with credentials to copy the memory dump into an S3 bucket. . AWS Systems Manager runs a memory acquisition document via the Run Command.
@@ -50,0 +27 @@ Isolation of EC2 instance is done based on the Security Hub action event types -
+\+ **The memory dump is stored in an S3 bucket of the forensic account.** The memory dump has associated meta data tags to indicate the underlying OS and kernel the dump is associated with, assisting the _memory analysis flow_ further downstream. . The _Check memory acquisition_ Lambda function checks for SSM Run Command to be completed. . If the response from SSM Run Command status is `Pending` or `Delayed` or `In Progress`, it waits for 120 seconds. . If the response from SSM Run Command status is `Success`, it checks if isolation is needed. . If **isolation** is set to `true`, then the Lambda function assumes role into the application account and attaches a security group with no egress and ingress security group, and detaches the existing security group. Isolation is set to `true` during the triaging phase based on security event type. . This initiates investigation flow with forensic type as `MEMORY`. . If any error occurs during the memory acquisition process, the EC2 instance isolation will be performed based on the `isolation` flag.