
Overview

This Guidance demonstrates how to automate digital forensics processes for Amazon EC2 instances when security issues arise. Through orchestrated AWS services, it streamlines incident response by automatically collecting disk and memory data, isolating affected instances, and initiating forensic investigation tools. The Guidance helps security teams reduce response time through automated workflows that capture forensic artifacts and integrate with analysis and reporting tools. Organizations running Amazon EC2 workloads can enhance their security operations by deploying this Guidance, enabling rapid response to potential security incidents while maintaining consistent investigation procedures.

How it works

These technical details feature an architecture diagram to illustrate how to effectively use this solution. The architecture diagram shows the key components and their interactions, providing an overview of the architecture's structure and functionality step-by-step.

Dive deep into the implementation guide for additional customization options and service configurations to tailor to your specific needs.

Ready to deploy? Review the sample code on GitHub for detailed deployment instructions to deploy as-is or customize to fit your needs.

Well-Architected Pillars

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

EventBridge enables automated event-driven architecture and seamlessly integrates AWS and third-party services. Lambda reduces operational overhead and automates routine tasks through serverless computing. Step Functions orchestrates complex workflows while providing visual management, making distributed service coordination and maintenance easier. DynamoDB delivers fully managed, scalable NoSQL database capabilities with consistent performance at any scale. Amazon SNS ensures reliable message delivery and enables automated responses to system events. Together, these services promote operational excellence through automation, integration, and reduced management overhead.

Read the Operational Excellence whitepaper

Native AWS services create a framework to orchestrate and automate key forensics processes from initial threat detection. This Guidance reduces mean-time-to-respond for security events by orchestrating end-to-end Amazon EC2 incident response, including resource triage, forensic artifact collection, resource isolation, investigation, and reporting. AWS Identity and Access Management (IAM) implements least privilege across AWS accounts for authorized principals. The framework allows Security Operations Center (SOC) teams to continuously discover and analyze fraudulent activities across multi-account and multi-region environments, while capturing memory and disk images to secure storage and initiating automated investigation tools.
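As an added example (not the Guidance's sample code) of the collection and isolation steps listed above, the function below snapshots an instance's EBS volumes, tags them with a case id, and then moves its network interfaces onto an isolation security group. It assumes the EC2 API method names exposed by boto3 and an isolation security group with no rules; the FakeEC2 client is a constructed stand-in so the code runs offline.

```python
"""Collect-then-isolate step for an EC2 forensics orchestrator (added example).
The EC2 client is injected: FakeEC2 below is a constructed stand-in returning
boto3-shaped responses; in a Lambda task pass boto3.client("ec2") instead."""


def collect_and_isolate(ec2, instance_id, case_id, quarantine_sg):
    """Snapshot all EBS volumes (tagged for chain of custody), then quarantine
    every network interface; return an evidence record for the reporting step."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])[
        "Reservations"][0]["Instances"][0]
    tags = [{"Key": "ForensicCase", "Value": case_id},
            {"Key": "SourceInstance", "Value": instance_id}]
    snapshots = []
    for mapping in inst["BlockDeviceMappings"]:            # artifact collection
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{case_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshots.append({"VolumeId": vol, "SnapshotId": snap["SnapshotId"]})
    original_sgs = {}
    for eni in inst["NetworkInterfaces"]:                  # resource isolation
        eni_id = eni["NetworkInterfaceId"]
        original_sgs[eni_id] = [g["GroupId"] for g in eni["Groups"]]
        # quarantine_sg is assumed to carry no inbound or outbound rules
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni_id, Groups=[quarantine_sg])
    return {"CaseId": case_id, "InstanceId": instance_id,
            "Snapshots": snapshots, "OriginalSecurityGroups": original_sgs,
            "QuarantineGroup": quarantine_sg}


class FakeEC2:
    """Constructed stand-in; records calls so the call order can be checked."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        return {"Reservations": [{"Instances": [{
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0a"}},
                {"DeviceName": "/dev/sdf", "Ebs": {"VolumeId": "vol-0b"}}],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-01",
                                   "Groups": [{"GroupId": "sg-web"}]}]}]}]}
    def create_snapshot(self, VolumeId, **kwargs):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId[4:]}
    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append(("isolate", NetworkInterfaceId, Groups))
        return {}
```

The returned record (original security groups, snapshot ids, case id) is what a downstream investigation or reporting task would persist, for example in DynamoDB, so the instance can be restored or the evidence traced later.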

Read the Security whitepaper

EventBridge delivers highly available event routing with built-in retry policies and dead-letter queues, helping to keep event-driven applications resilient. Step Functions ensures workflow reliability through built-in error handling, automatic retries, and state management, enabling robust error recovery. DynamoDB maintains reliability through automatic multi-Availability Zone (AZ) replication, point-in-time recovery, and on-demand backups, guaranteeing consistent performance at scale.

Read the Reliability whitepaper

EventBridge processes events in near real-time with consistent throughput and automatic scaling capabilities, handling millions of events per second without performance degradation. Lambda automatically scales compute resources in milliseconds, processing requests concurrently and allocating optimal memory and compute power based on function configuration. This event-driven architecture minimizes manual intervention and monitoring requirements.

Read the Performance Efficiency whitepaper

Lambda uses a precise pay-per-use model that charges only for consumed compute time in 1ms increments and number of requests, eliminating idle resource costs. DynamoDB offers on-demand capacity for unpredictable workloads with per-request pricing and auto-scaling to prevent over-provisioning. The DynamoDB time-to-live feature automatically deletes unnecessary data.

Read the Cost Optimization whitepaper

Serverless AWS services minimize idle resources and environmental impact while enabling rapid scaling when needed. EventBridge routes events without dedicated infrastructure, reducing idle energy consumption. Lambda and Step Functions use on-demand execution models, activating compute resources only during function invocation. Amazon S3 Intelligent-Tiering and lifecycle policies automatically move data to energy-efficient storage tiers, while server-side encryption requires no additional compute resources. Long-term artifacts can be archived to more energy-efficient tiers to meet legal retention requirements.

Read the Sustainability whitepaper

Disclaimer

The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.