EC2 Auto Clean Room Forensics
Last updated
This example solution takes an instance ID from an SNS topic and, through a series of AWS Lambda functions coordinated by AWS Step Functions, automatically notifies, isolates and runs basic forensics on the identified instance. Please note: the instructions on how to create the forensics instance AMI will be published here soon.
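The hand-off described above (SNS notification in, Step Functions execution out) as an added example, not the project's own SNSParserInvokeStep.py. It assumes the SNS record carries a GuardDuty finding as a JSON string in the EventBridge layout (detail.resource.instanceDetails.instanceId) and that STATE_MACHINE_ARN is set in the Lambda environment; the sample event, ARNs and the RecordingStepFunctions stand-in are constructed for offline use.

```python
"""Parse a GuardDuty finding delivered through SNS and start the forensics
state machine for the affected EC2 instance.

Added example; not the project's SNSParserInvokeStep.py. Assumptions: the SNS
record carries the finding as a JSON string in the EventBridge shape
(detail.resource.instanceDetails.instanceId), and STATE_MACHINE_ARN is set in
the Lambda environment."""
import json
import os
import re

# Strict instance-ID check so a malformed or attacker-authored message cannot
# smuggle arbitrary text into the state machine input (8- or 17-hex-digit form).
INSTANCE_ID_RE = re.compile(r"^i-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


class InvalidFindingError(ValueError):
    """The SNS message does not describe a usable EC2 instance finding."""


def parse_finding(sns_event):
    """Return (instance_id, finding_id) from the first SNS record, or raise."""
    try:
        message = sns_event["Records"][0]["Sns"]["Message"]
        finding = json.loads(message)
    except (KeyError, IndexError, TypeError, ValueError):
        raise InvalidFindingError("event is not an SNS notification carrying JSON")
    detail = finding.get("detail") or {}
    resource = detail.get("resource") or {}
    if resource.get("resourceType") not in (None, "Instance"):
        raise InvalidFindingError("finding is not about an EC2 instance")
    instance_id = (resource.get("instanceDetails") or {}).get("instanceId")
    if not isinstance(instance_id, str) or not INSTANCE_ID_RE.match(instance_id):
        raise InvalidFindingError(f"missing or malformed instance ID: {instance_id!r}")
    # Execution names allow only a restricted character set; keep it predictable.
    finding_id = re.sub(r"[^0-9a-zA-Z-]", "", str(detail.get("id") or "manual"))[:40]
    return instance_id, finding_id


def lambda_handler(event, context, sfn_client=None, state_machine_arn=None):
    """Lambda entry point: validate the finding, then start one execution."""
    instance_id, finding_id = parse_finding(event)
    if sfn_client is None:
        import boto3  # imported lazily so parse_finding stays usable offline
        sfn_client = boto3.client("stepfunctions")
    arn = state_machine_arn or os.environ["STATE_MACHINE_ARN"]
    # Naming the execution after the finding makes SNS redeliveries harmless:
    # a Standard workflow treats a repeated StartExecution with the same name
    # and input as the same execution instead of isolating the host twice.
    response = sfn_client.start_execution(
        stateMachineArn=arn,
        name=f"forensics-{instance_id}-{finding_id}",
        input=json.dumps({"instanceId": instance_id, "findingId": finding_id}),
    )
    return {"instanceId": instance_id, "executionArn": response["executionArn"]}


# Constructed sample: the SNS envelope Lambda receives, wrapping a minimal
# GuardDuty finding (all values made up for this example).
SAMPLE_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({
        "detail": {
            "id": "00000000000000000000000000000001",
            "type": "UnauthorizedAccess:EC2/SSHBruteForce",
            "resource": {
                "resourceType": "Instance",
                "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
            },
        }
    })}}]
}


class RecordingStepFunctions:
    """Stand-in for boto3's Step Functions client so the handler runs offline."""

    def __init__(self):
        self.calls = []

    def start_execution(self, **kwargs):
        self.calls.append(kwargs)
        return {"executionArn": "arn:aws:states:us-east-1:123456789012:execution:"
                                "forensics:" + kwargs["name"]}


if __name__ == "__main__":
    demo_arn = "arn:aws:states:us-east-1:123456789012:stateMachine:forensics"
    print(lambda_handler(SAMPLE_EVENT, None, RecordingStepFunctions(), demo_arn))
```

The validation step matters because the instance ID flows from the SNS message straight into later stages (isolation, snapshot, SSM run command); rejecting anything that is not a well-formed instance ID keeps a spoofed or mangled notification from steering the workflow at an unrelated resource.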
Prerequisites:
1. Download the GitHub repository.
2. Zip the Lambda functions into a file and save the file in an S3 bucket.
3. Edit the run commands in runForensicAnalysis.py: update the S3 bucket details for the bucket that the launched EC2 instance accesses.
The CloudFormation template creates the following:
Clean Room VPC
Lambda Functions:
  sec-ir-1-createSupportTicket           - Function to create a support ticket (Python 3.6)
  sec-ir-2-isolateInstance               - Function to isolate the EC2 instance (Python 3.6)
  sec-ir-3-sendIsolationNotification     - Function to send the notification for instance isolation and snapshot creation (Python 3.6)
  sec-ir-4-snapShotCreation              - Function to isolate the EC2 instance (Python 3.6)
  sec-ir-5-startForensicInstance         - Function to send the notification for instance isolation and snapshot creation (Python 3.6)
  sec-ir-6-createAndAttachAffectedVolume - Function to create and attach the volume created from the snapshot (Python 3.6)
  sec-ir-7-isSSMInstalled                - Function to check whether SSM is installed or not (Python 3.6)
  sec-ir-8-runForesnsicAnalysis          - Function to run the forensic analysis (Python 3.6)
  sec-ir-9-invokeStepFunctions           - Function to parse the SNS message and invoke Step Functions (Node.js 6.10)
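The isolation step (sec-ir-2-isolateInstance) as an added example of how such a function can be written defensively; this is not the project's own code. It assumes a quarantine security group already exists in the instance's VPC with its default allow-all egress rule removed, and takes the EC2 client as a parameter (boto3.client("ec2") in a real deployment). FakeEc2 and every ID in it are constructed so the block runs offline.

```python
"""Isolate a suspect EC2 instance by replacing the security groups on every
attached network interface with a rule-less quarantine group.

Added example; not the project's sec-ir-2-isolateInstance code. It assumes a
quarantine security group already exists in the instance's VPC with its
default allow-all egress rule removed, and takes an EC2 client as a parameter
(boto3.client("ec2") in a real deployment)."""


def verify_quarantine_group(ec2, group_id):
    """Refuse to isolate with a group that still permits any traffic."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    if group.get("IpPermissions") or group.get("IpPermissionsEgress"):
        raise RuntimeError(f"{group_id} still has rules; not a valid quarantine group")
    return group["VpcId"]


def isolate_instance(ec2, instance_id, quarantine_sg_id):
    """Swap groups on all ENIs, tag the originals, and block API termination.

    Returns {eni_id: [previous group ids]} so the caller can log or restore it."""
    vpc_id = verify_quarantine_group(ec2, quarantine_sg_id)
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    if instance["VpcId"] != vpc_id:
        raise RuntimeError("quarantine group and instance are in different VPCs")

    previous = {}
    for eni in instance["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        previous[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        # modify_instance_attribute(Groups=...) only touches the primary ENI,
        # so per-interface replacement is needed to cut secondary interfaces too.
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[quarantine_sg_id])
        # Record the original groups on the ENI itself for later restoration.
        ec2.create_tags(Resources=[eni_id], Tags=[
            {"Key": "ForensicsOriginalSecurityGroups",
             "Value": ",".join(previous[eni_id])}])

    # Preserve evidence: the instance cannot be terminated through the API
    # until an analyst clears this flag.
    ec2.modify_instance_attribute(
        InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "ForensicsIsolated", "Value": "true"}])
    return previous


class FakeEc2:
    """In-memory stand-in for boto3's EC2 client so the example runs offline.
    All IDs below are constructed for this example."""

    def __init__(self, quarantine_rules=()):
        self.calls = []
        self.groups = {"sg-0quarantine": {
            "GroupId": "sg-0quarantine", "VpcId": "vpc-0example",
            "IpPermissions": [], "IpPermissionsEgress": list(quarantine_rules)}}
        self.instance = {
            "InstanceId": "i-0123456789abcdef0", "VpcId": "vpc-0example",
            "NetworkInterfaces": [
                {"NetworkInterfaceId": "eni-0aaa",
                 "Groups": [{"GroupId": "sg-0web"}, {"GroupId": "sg-0ssh"}]},
                {"NetworkInterfaceId": "eni-0bbb",
                 "Groups": [{"GroupId": "sg-0db"}]},
            ],
        }

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instance]}]}

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(("modify_network_interface_attribute", kwargs))

    def modify_instance_attribute(self, **kwargs):
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs):
        self.calls.append(("create_tags", kwargs))


if __name__ == "__main__":
    print(isolate_instance(FakeEc2(), "i-0123456789abcdef0", "sg-0quarantine"))
```

Two checks carry the weight here: a freshly created security group still allows all outbound traffic, so the function refuses any group that has a single rule, and the VPC comparison catches a configuration where the quarantine group cannot legally be attached at all, failing before any interface has been touched rather than leaving the instance half isolated.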
Lambda function source files:
  SNSParserInvokeStep.py
  isolateInstance.py
  attachVolume.py
  runForensicAnalysis.py
  createForensicInstance.py
  sendForensicReport.py
  generateSupportTicket.py
  sendIsolationNotification.py
  isSSMInstalled.py
  snapshotForRemediation.py
SNS topic for posting GuardDuty findings, which triggers the sec-ir-9-invokeStepFunctions Lambda function.
SendErrorNotification.py: create an S3 trigger on the bucket edited in the prerequisites.