In this article, we will guide you through the EC2 forensic module factory solution designed to automate the creation of forensic kernel modules essential for incident response automation on Amazon Elastic Compute Cloud (Amazon EC2). When there is a suspicion that an EC2 instance has been compromised, it is crucial to investigate the incident thoroughly. Key activities to examine include:
- Active network connections
- List of processes running on the system
- Processes with injected code
- Memory-resident infections
- Other forensic artifacts
Taking timely action is vital when an EC2 instance is compromised. Before shutting down the instance, it’s imperative to capture the volatile memory (RAM) contents through a memory dump, as this holds the instance’s ongoing operations and is essential for identifying the cause of the compromise.
To capture volatile memory in Linux, a tool such as the Linux Memory Extractor (LiME) is recommended. This requires the appropriate kernel modules specific to the instance’s kernel version. It is also advisable to limit actions on the instance to reduce the number of artifacts created during the capture process. Thus, having a method to build the necessary tools for capturing volatile memory externally is important. After the memory capture, analysis tools like Volatility2 can be utilized in a dedicated forensic environment. Both LiME and Volatility2 support EC2 instances across x86, x64, and Graviton instance types.
Prerequisites
The following prerequisites are required for this solution:
- The target EC2 instance must be running the Amazon Linux 2 operating system.
- An AWS Identity and Access Management (IAM) role with permissions to provision the necessary resources in your AWS account. More details about these permissions are outlined in the next section.
Solution Overview
The EC2 forensic module factory solution comprises several resources:
- An AWS Step Functions workflow
- Two AWS Lambda functions
- An AWS Systems Manager document (SSM document)
Important: The SSM document is responsible for cloning the LiME and Volatility2 GitHub repositories, which operate under version 2.0 of the GNU General Public License. You can modify this document to include preferred forensic analysis tools, such as fmem or Volatility3.
- An Amazon Simple Storage Service (Amazon S3) bucket
- An Amazon Virtual Private Cloud (Amazon VPC)
- A security group for the EC2 instance provisioned during the automation
The solution employs the following VPC endpoints for AWS services:
- ec2_endpoint
- ec2_msg_endpoint
- kms_endpoint
- ssm_endpoint
- ssm_msg_endpoint
- s3_endpoint
Workflow Steps
The workflow for the EC2 forensic module factory includes the following sequence:
- Initiating a Step Functions workflow creates a task token and triggers the first Lambda function, ‘createEC2module’, to generate the forensic modules.
- This function, which runs for about 9 minutes, launches an EC2 instance based on the specified Amazon Machine Image (AMI).
- An SSM document executes several steps:
  - If a kernel version is specified, it installs that version on the EC2 instance. Otherwise, the default kernel version is used.
  - If a new kernel version is installed, the system reboots to use it.
  - Prerequisite build tools, along with the LiME and Volatility2 packages, are installed.
  - The kernel modules for LiME and Volatility2 are built.
  - The newly created kernel modules are stored in the S3 bucket.
- After completion, the Step Functions task token signals the second Lambda function, ‘cleanupEC2module’, to terminate the EC2 instance launched previously.
Solution Deployment
The EC2 forensic module factory solution can be deployed via the AWS Management Console or the AWS Cloud Development Kit (AWS CDK).
Option 1: Deploy with AWS CloudFormation (Console)
Log into your security tooling account in the AWS Management Console and click the Launch Stack button to access the AWS CloudFormation console pre-loaded with the template for this solution. The CloudFormation stack will take approximately 10 minutes to complete.
Option 2: Deploy Using the AWS CDK
The latest code for the EC2 forensic module factory solution is available in the ec2-forensic-module-factory GitHub repository, where you can also contribute to the sample code. For more information on using the AWS CDK, refer to Get Started with AWS CDK.
To deploy using the AWS CDK, navigate to the project’s root folder and execute the following commands:
npm install -g aws-cdk
npm install
Then, run these commands in your terminal while authenticated in your preferred security tooling AWS account, replacing <INSERT_AWS_ACCOUNT> and <INSERT_REGION> with your account number and desired AWS Region.
cdk bootstrap aws://<INSERT_AWS_ACCOUNT>/<INSERT_REGION>
cdk deploy
Executing the Solution
Once the EC2 forensic module factory solution is deployed, the Step Functions workflow must be invoked to create the forensic kernel objects. Here’s how to manually trigger the workflow:
- Sign in to the AWS Management Console where the solution was deployed.
- Navigate to the AWS Step Functions console and select the state machine named create_ec2_volatile_memory_modules.
- Click on Start execution.
- Enter the following JSON values at the input prompt:
{
  "AMI_ID": "ami-0022f774911c1d690",
  "kernelversion": "kernel-4.14.104-95.84.amzn2.x86_64"
}
- Choose Start execution to initiate the workflow.
You can track the workflow’s progress using the AWS Management Console. If successful, you will see a notification indicating that the process is complete.
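The same start can be scripted instead of clicked through the console. The following is an added example, not code from the ec2-forensic-module-factory repository: it validates the two input fields the state machine takes, starts the execution through boto3's Step Functions client (passed in so it can be stubbed), and derives from the kernel package name the `uname -r` value the built LiME module has to match on the target instance. The state machine ARN and the stub client are assumptions.

```python
"""Start the EC2 forensic module factory workflow from a script (added example)."""
import json
import re
from typing import Optional

# AMI IDs are "ami-" plus 8 or 17 hex characters (the post's example uses 17).
AMI_ID_RE = re.compile(r"^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$")
# Amazon Linux 2 kernel package names, e.g. kernel-4.14.104-95.84.amzn2.x86_64
# (x86_64) or the aarch64 equivalent on Graviton instances.
KERNEL_PKG_RE = re.compile(
    r"^kernel-(?P<release>\d+\.\d+\.\d+-[\d.]+\.amzn2\.(?:x86_64|aarch64))$"
)


def build_execution_input(ami_id: str, kernel_version: Optional[str] = None) -> dict:
    """Assemble the JSON input the state machine expects; kernelversion is optional."""
    if not AMI_ID_RE.match(ami_id):
        raise ValueError(f"not an AMI ID: {ami_id!r}")
    payload = {"AMI_ID": ami_id}
    if kernel_version is not None:
        if not KERNEL_PKG_RE.match(kernel_version):
            raise ValueError(f"not an Amazon Linux 2 kernel package: {kernel_version!r}")
        payload["kernelversion"] = kernel_version
    return payload


def kernel_release_from_package(kernel_version: str) -> str:
    """'kernel-4.14.104-95.84.amzn2.x86_64' -> '4.14.104-95.84.amzn2.x86_64'.

    This is what `uname -r` reports on the instance; a LiME module built for
    any other release will not load, so compare before copying modules over.
    """
    m = KERNEL_PKG_RE.match(kernel_version)
    if not m:
        raise ValueError(f"not an Amazon Linux 2 kernel package: {kernel_version!r}")
    return m.group("release")


def start_module_build(sfn_client, state_machine_arn: str, ami_id: str,
                       kernel_version: Optional[str] = None) -> str:
    """Start one execution and return its ARN.

    sfn_client is boto3.client("stepfunctions") in real use; any object with
    the same start_execution(stateMachineArn=..., input=...) signature works.
    """
    resp = sfn_client.start_execution(
        stateMachineArn=state_machine_arn,
        input=json.dumps(build_execution_input(ami_id, kernel_version)),
    )
    return resp["executionArn"]
```

In real use, `describe_execution` on the returned ARN reports SUCCEEDED once the cleanupEC2module function has terminated the build instance and the modules are in the S3 bucket.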