Incident Response in Amazon EC2
By Tom Arnold
The Amazon Elastic Compute Cloud (“EC2”) is one of the richest and most robust cloud environments. Its full list of services gives the cottage entrepreneur the computing power and Internet presence of a Fortune 500 company. Although Amazon’s environment is very robust, humans are still a part of building and fielding the applications running on EC2; as such, a fully secure environment can hardly be assured. The likelihood of significant flaws in the applications, or in the configuration of the systems, opens the risk of a security breach or compromise that will require a security incident response. This paper examines the steps that a first responder should take in response to a detected security incident within Amazon EC2. Forensic examination, as covered in FOR408, begins with a trusted, scientific acquisition of evidence to support the analysis and examination process. If a first responder blunders, the impact can destroy important evidence, drive the attacker to ground, and leave the environment exposed. This paper is NOT a full discussion of the steps a forensic investigator should take in analyzing the incident; rather, the focus is on the immediate actions that an Amazon EC2 subscriber should prepare to take in advance of the forensic cavalry arriving on scene.