FORGCF3

CloudTrail provides free storage of audit logs for 90 days. If you want to keep data for longer than 90 days, you have to set up a trail to be stored in an S3 bucket somewhere or ingested into some other platform.

AWS provides IP address assignments based on your choice of public or private. Depending on your configuration (or template selected), AWS will find the resources in their data center and launch that instance for you.

Athena is an AWS service that allows you to search data that are resident within your S3 buckets as if they were in an SQL database. Athena allows you to search terabytes of data stored in your S3 buckets without having to first process and load it all into something like ELK. In addition, you can schedule Athena queries to run at regular intervals to perform regular threat hunts as new logs are written into your CloudTrail buckets.

The actions of the root user on an EC2 instance will be logged in CloudTrail by default. They will not appear in CloudWatch unless CloudWatch is configured to accept them. VPC Flow Logs do not include changes made on an EC2 instance. Linux logs record only changes made by accounts within the instance, not by the accounts of AWS users, including root.

By default, all Amazon S3 buckets and objects are private. Only the resource owner, which is the AWS account that created the bucket, can access that bucket

Instances prefixed with P, G, or F indicate that a GPU or FPGA is attached to them. This is the instance type most often abused by crypto miners.

Amazon Elastic File System (EFS) is basically a network-hosted NFS share, while Elastic Block Store (EBS) is a dedicated block storage device. This means that multiple instances can all access an EFS share simultaneously, while only one instance at a time can access an EBS volume. Many developers will create an AWS-hosted NFS share (EFS) and then attach it to multiple running EC2 instances. This way, for auto-scaling clusters and containers, they can have persistent data storage. This allows multiple Linux instances and containers to read and write data to a central place, and then AWS will manage auto-scaling of EFS storage. Since EFS shares are regional, the data access speeds should be fast.

Acquire Volatile Memory for Linux (AVML) is created and maintained by Microsoft. This tool is statically compiled and works without kernel drivers. AVML has been used on production Linux systems with up to 4 TB of RAM and high usage without issues.

An incident responder should have read-only access to all resources. This gives the responder access to the configurations and logs needed to understand what happened but blocks their ability to make changes inadvertently. The latter can happen if full access is allowed. Access should not be limited to externally accessible devices as the responder would be unable to understand the attacker’s actions once they got past the perimeter.

eventName shows the action that was performed, usually the name of the API function called.