Prerequisites
Tools
-
The latest version of the AWS CLI
(2.2.37 or newer), installed and configured. -
The latest version of the AWS CDK V2 (2.2 or newer).
-
A CDK bootstrapped forensic AWS account and Security Hub account.
-
NodeJS
version 16. -
Ensure GraphQL - AppSync is activated in the forensic AWS account.
-
AWS SSM agent is installed in EC2 instances or EKS clusters (Application Instances).
-
AWS Security Hub must be activated as the Guidance creates custom action in AWS Security Hub.
-
Python version 3.8 or above
Forensic AMI
Build a forensic AMI and update the AWS Systems Manager Parameter Store with AMI ID. For more details, refer to Sample steps to create Forensic AMI using EC2 Image Buildersan-sift.yml provided in the forensic Guidance.
Note
This Guidance requires knowledge of SAN SIFT
Compromised instance memory size and investigation instance mount disk volume
The investigation instance mount volume must always be greater than the memory of the compromised instance.
This ensures that memory loaded into investigation instance does not error out. The Guidance uses M5.2Xlarge Amazon EC2 instance type by default.
CDK context configurations
| CDK config | Description |
|---|---|
|
ec2ForensicImage |
Forensic AMI name stored in SSM Parameter Store. SSM Parameter Store will contain AMI ID of forensic investigation instance prebuilt with forensic tools. Guidance is tested with Ubuntu AMI. |