View a markdown version of this page

Forensic triage service - Automated Forensics Orchestrator for Amazon EC2 and EKS

Forensic triage service

The diagram below represents the logical interaction view of the forensic triage service. A security event (Application security event) is reported by the Threat Detection Engine. The Threat Detection Engine initiates triaging function to determine the severity of threat based on the threat and infrastructure information. The triaging function initiates forensic acquisition and investigation flow for further analysis.

Interaction view

Forensic triage workflow

forensic triage workflow

Implementation view

Forensic triage - implementation view

forensic triage implementation view

AWS Security Hub operating in AWS application account is reported with details of the compromised instance and the findings get aggregated to AWS Security Hub administrator AWS master Account. . The security administrator initiates one of the following forensic actions in Security Hub.

+ .. Forensic triage .. Forensic isolation . Amazon EventBridge initiates the triage Step Functions flow. . Get Instance Lambda function assumes role into compromised application account and retrieves instance information. . The triage flow triggers acquisition flow in parallel unless the instance tag IsTriageRequired is set to false.

+ .. Forensic memory acquisition flow initiates the memory acquisition Step Functions. .. Forensic disk acquisition flow initiates the disk acquisition Step Functions. . Once completed, the acquisition flow triage results are sent to SNS.