From the course: AWS Certified Security - Specialty (SCS-C02) Cert Prep

Preserving forensic artifacts with S3 Object Lock

- [Instructor] Let's take a look here at capturing forensic artifacts. If you've detected and analyzed a security incident, the thing that you're going to do next is look at the logs, snapshots, and other evidence, and it's important to preserve these artifacts. So what Amazon S3 Object Lock does is block object deletion and provide an additional layer of protection against either accidental or intentional data alteration. There are a couple of different modes as well. So we first have governance mode, which allows a privileged user to alter the lock settings. We also have compliance mode, where not even the root user itself can actually change that lock. And if you look at storing artifacts in S3 with Object Lock, you can move these forensic artifacts into a dedicated S3 bucket, and these would be stored securely with encryption and also access controls, and you could have retention policies applied to the objects to preserve them for a specific period of time. And these policies could be customized to match the specific needs of whatever artifact you're storing. Now, this plays into the investigation process because, with an ongoing investigation, you would be able to guarantee that the data hasn't been altered in a subtle way, especially if the attack is an insider attack, for example. So in terms of compliance considerations, the use of S3 Object Lock is really essential in meeting specific regulatory requirements, especially in the fields of financial or healthcare data. Also here, it's important to notice the WORM pattern, which is write once, read many. So in this particular pattern, as you store this forensic data, it can be written, but never again is it able to be mutated, because you need to preserve that original forensic data.
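As an added example that is not part of the course, here is what the lecture's two modes and per-artifact retention look like as boto3 calls (`put_object_lock_configuration`, `put_object` with `ObjectLockMode`/`ObjectLockRetainUntilDate`, `delete_object` with `BypassGovernanceRetention`, `get_object_retention`), with a constructed in-memory stand-in for the S3 client so the script runs offline. The bucket name, object keys and artifact bytes are assumptions; against real AWS the bucket must be created with `ObjectLockEnabledForBucket=True`.

```python
import hashlib
from datetime import datetime, timedelta, timezone

BUCKET = "forensic-artifacts-example"  # assumed name; must be created with
                                       # ObjectLockEnabledForBucket=True (versioning is then on)


class ObjectLockedError(Exception):
    """Raised by the stand-in where real S3 returns AccessDenied."""


class FakeS3:
    """Constructed in-memory stand-in for boto3.client("s3"): only the calls used
    below, with Object Lock's documented delete behaviour for the two modes."""

    def __init__(self):
        self.versions = {}  # (key, version_id) -> stored put_object kwargs
        self.default_rule = None

    def put_object_lock_configuration(self, Bucket, ObjectLockConfiguration):
        self.default_rule = ObjectLockConfiguration["Rule"]["DefaultRetention"]
        return {}

    def put_object(self, **kw):
        vid = f"v{len(self.versions) + 1}"
        self.versions[(kw["Key"], vid)] = kw
        return {"VersionId": vid}

    def get_object_retention(self, Bucket, Key, VersionId):
        o = self.versions[(Key, VersionId)]
        return {"Retention": {"Mode": o["ObjectLockMode"],
                              "RetainUntilDate": o["ObjectLockRetainUntilDate"]}}

    def delete_object(self, Bucket, Key, VersionId=None, BypassGovernanceRetention=False):
        if VersionId is None:
            # On a versioned bucket a delete without VersionId only adds a delete
            # marker; the locked version is untouched, so the call "succeeds".
            return {"DeleteMarker": True}
        o = self.versions[(Key, VersionId)]
        retained = o["ObjectLockRetainUntilDate"] > datetime.now(timezone.utc)
        if retained and o["ObjectLockMode"] == "COMPLIANCE":
            raise ObjectLockedError("compliance mode: nobody can shorten or remove this")
        if retained and o["ObjectLockMode"] == "GOVERNANCE" and not BypassGovernanceRetention:
            raise ObjectLockedError("governance mode: needs s3:BypassGovernanceRetention")
        del self.versions[(Key, VersionId)]
        return {"VersionId": VersionId}


def enable_default_retention(s3, mode="COMPLIANCE", days=365):
    """Bucket-wide default: new objects get this retention unless put_object
    supplies its own (the per-artifact policy the lecture mentions)."""
    s3.put_object_lock_configuration(
        Bucket=BUCKET,
        ObjectLockConfiguration={"ObjectLockEnabled": "Enabled",
                                 "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}},
    )


def store_artifact(s3, key, data, mode, days):
    """WORM upload: write once with an explicit retention period, encrypted at
    rest, and record the SHA-256 so the evidence can be re-verified later."""
    digest = hashlib.sha256(data).hexdigest()
    resp = s3.put_object(
        Bucket=BUCKET, Key=key, Body=data,
        ServerSideEncryption="aws:kms",
        Metadata={"sha256": digest},
        ObjectLockMode=mode,  # "GOVERNANCE" or "COMPLIANCE"
        ObjectLockRetainUntilDate=datetime.now(timezone.utc) + timedelta(days=days),
    )
    return resp["VersionId"], digest


def try_delete(s3, key, version_id=None, bypass=False):
    """True if S3 accepted the delete, False if Object Lock refused it.
    A real client raises botocore ClientError (AccessDenied) in the refused case."""
    try:
        s3.delete_object(Bucket=BUCKET, Key=key, VersionId=version_id,
                         BypassGovernanceRetention=bypass)
        return True
    except Exception:
        return False


def demo(s3=None):
    """Walk through both modes and return the outcomes so they can be checked."""
    s3 = s3 or FakeS3()
    enable_default_retention(s3)
    out = {}
    # Constructed sample artifacts standing in for real logs and snapshots.
    gov_vid, _ = store_artifact(s3, "case-42/auth.log", b"sshd: Accepted publickey ...", "GOVERNANCE", 90)
    out["governance_plain_delete"] = try_delete(s3, "case-42/auth.log", gov_vid)
    out["governance_bypass_delete"] = try_delete(s3, "case-42/auth.log", gov_vid, bypass=True)
    comp_vid, _ = store_artifact(s3, "case-42/cloudtrail.json", b'{"eventName":"DeleteTrail"}', "COMPLIANCE", 2555)
    out["compliance_bypass_delete"] = try_delete(s3, "case-42/cloudtrail.json", comp_vid, bypass=True)
    # A delete without VersionId is accepted but only adds a delete marker...
    out["unversioned_delete_accepted"] = try_delete(s3, "case-42/cloudtrail.json")
    # ...the locked version and its retention are still there.
    out["compliance_version_mode"] = s3.get_object_retention(
        Bucket=BUCKET, Key="case-42/cloudtrail.json", VersionId=comp_vid)["Retention"]["Mode"]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To run it against AWS, pass `boto3.client("s3")` to `demo()`; the bypass delete only works for a principal holding `s3:BypassGovernanceRetention`, and a compliance-mode retention period genuinely cannot be shortened by anyone, so rehearse with a throwaway bucket and a short `days` value. Note the delete-marker case: a plain `aws s3 rm` on a locked bucket appears to succeed, but the evidence version is still there behind the marker.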
