AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-07-25 · Documentation low

File: solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md

Summary

Updated architecture diagram title and added Amazon EKS to the list of resources monitored for malicious activities

Security assessment

The change expands the scope of security monitoring to include Amazon EKS resources, enhancing documentation about security coverage. However, there is no explicit mention of addressing a specific security vulnerability or incident.

Diff

diff --git a/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md b/solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
index 4028da0b8..9278dff9b 100644
--- a//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
+++ b//solutions/latest/automated-forensics-orchestrator-for-amazon-ec2/architecture-overview.md
@@ -9 +9 @@ Deploying this Guidance with the default parameters builds the following environ
-**Automated Forensics Orchestrator for Amazon EC2 architecture diagram**
+**Automated Forensics Orchestrator for Amazon EC2 and EKS architecture diagram**
@@ -13 +13 @@ Deploying this Guidance with the default parameters builds the following environ
-Prior to running the workflow, you will need a forensic Amazon Machine Image (AMI). You can use [Amazon EC2 Image Builder](https://aws.amazon.com/image-builder/) to build a new forensic AMI or an existing forensic AMI. . AWS Step Functions leverages the forensic AMI to perform memory and disk investigation. . In the AWS application account, [AWS Config managed rules](https://aws.amazon.com/https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to [AWS Security Hub](https://aws.amazon.com/security-hub/) in the security account through their native or existing integration. . By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows. . For a specified event, EventBridge provides an instance ID for the forensics process to target, and initiates the Step Functions workflow. . Step Functions triages the request through the following approach: It first gets the instance information. It then determines if isolation is required based on the Security Hub action and if acquisition is required based on tags associated with the instance. Finally, it initiates the acquisition flow based on triaging output.
+Prior to running the workflow, you will need a forensic Amazon Machine Image (AMI). You can use [Amazon EC2 Image Builder](https://aws.amazon.com/image-builder/) to build a new forensic AMI or an existing forensic AMI. . AWS Step Functions leverages the forensic AMI to perform memory and disk investigation. . In the AWS application account, [AWS Config managed rules](https://aws.amazon.com/https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html), [Amazon GuardDuty](https://aws.amazon.com/guardduty/), and third-party tools detect malicious activities that are specific to [Amazon Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/) and [Amazon Elastic Compute Cloud (Amazon EKS)](https://aws.amazon.com/eks/) resources. For example, an EC2 instance queries a low reputation domain name that is associated with known abused domains. The findings are sent to [AWS Security Hub](https://aws.amazon.com/security-hub/) in the security account through their native or existing integration. . By default, all Security Hub findings are then sent to Amazon EventBridge to invoke automated downstream workflows. . For a specified event, EventBridge provides an instance ID for the forensics process to target, and initiates the Step Functions workflow. . Step Functions triages the request through the following approach: It first gets the instance information. It then determines if isolation is required based on the Security Hub action and if acquisition is required based on tags associated with the instance. Finally, it initiates the acquisition flow based on triaging output.