AWS CLI
DFIR QuickStart
Install AWS CLI
Details on all three OS can be found here.
This should get you started on a Mac:
$ curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
$ sudo installer -pkg AWSCLIV2.pkg -target /
Once you’ve installed it, run this command to verify installation:
$ which aws
/usr/local/bin/aws
$ aws --version
aws-cli/2.4.5 Python/3.8.8 Darwin/18.7.0 botocore/2.4.5
If you get a result like the one shown above, the AWS CLI has been installed and is ready to go!
Configure AWS CLI
Next, you need to configure your aws cli — use these commands to do so:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json
You can find all the Regions here.
Run a quick check on your identity using this command:
$ aws sts get-caller-identity
Working with S3 buckets
Syntax: aws s3 <Command> [<Arg> …]
Use this simple command to list out all the S3 buckets you have access to:
$ aws s3 ls
You can use these basic commands on S3 buckets:
- cp — copy
- mv — move
- rm — remove
In order to use the above commands recursively, use this flag:
--recursive
Example:
aws s3 cp s3://s3-bucket-name/ LocalFolder --recursive
Find the full list of commands here: https://docs.aws.amazon.com/cli/latest/reference/s3/
Assuming Roles
When working on an incident, it is common for your clients to create a role for your organisation that can be used to conduct forensics on their AWS infrastructure. In order to use this role, you need to ‘assume’ it first.
Basically, this is what ‘assume-role’ does: it returns a set of temporary security credentials that you can use to access Amazon Web Services resources that you might not normally have access to.
They (clients) will provide you with the required information in order for you to assume the role.
Use this command to assume the role that has been created for you:
aws sts assume-role --role-arn "arn:aws:iam::12345678910:role/RoleName" --role-session-name GiveItAnyName-session
The output of the command contains an access key, secret key, and session token that you can use to authenticate to AWS:
{
    "Credentials": {
        "AccessKeyId": "Some String",
        "SecretAccessKey": "Longer String",
        "SessionToken": "A very long string...",
        "Expiration": "Some date+time"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "Some String",
        "Arn": "arn:aws:sts::ARN-number and role etc."
    }
}
Once you have the above information, you need to run these commands:
export AWS_ACCESS_KEY_ID="Some String"
export AWS_SECRET_ACCESS_KEY="Longer String"
export AWS_SESSION_TOKEN="A very long string..."
Verify that you have assumed the role by running this command:
$ aws sts get-caller-identity
Once done, you can use these commands to unset the ENV variables and verify that the assumed role has been ‘unassumed’:
$ unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
$ aws sts get-caller-identity
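The assume / export / verify / unset sequence above, wrapped into reusable shell functions as an added example that is not part of the original post. It assumes AWS CLI v2 is installed and parses the CLI's default pretty-printed JSON output (one key per line), so no jq is needed; the role ARN and session name are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes AWS CLI v2 and
# its default pretty-printed JSON output from `aws sts assume-role`.

# Extract one field of the "Credentials" object from assume-role JSON
# read on stdin. Relies on the CLI printing one key per line (assumption).
cred_field() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn assume-role JSON (stdin) into `export` statements on stdout.
# Usage: eval "$(aws sts assume-role ... | creds_to_exports)"
creds_to_exports() {
  json=$(cat)
  akid=$(printf '%s\n' "$json" | cred_field AccessKeyId)
  secret=$(printf '%s\n' "$json" | cred_field SecretAccessKey)
  token=$(printf '%s\n' "$json" | cred_field SessionToken)
  exp=$(printf '%s\n' "$json" | cred_field Expiration)
  # Refuse to emit a partial credential set (e.g. an error response).
  [ -n "$akid" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$akid"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  # Temporary credentials stop working at this time; note it for the case log.
  printf '# credentials expire at %s\n' "$exp"
}

# Assume the role, load its credentials into the current shell, and
# verify the switch with get-caller-identity (as the post does by hand).
assume_role() {
  role_arn=$1; session=$2
  out=$(aws sts assume-role --role-arn "$role_arn" --role-session-name "$session") || return 1
  exports=$(printf '%s\n' "$out" | creds_to_exports) || return 1
  eval "$exports"
  aws sts get-caller-identity
}

# Drop the temporary credentials again and show which identity remains.
unassume_role() {
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  aws sts get-caller-identity
}
```

Source the file and call `assume_role "arn:aws:iam::<ACCOUNT-ID>:role/RoleName" ir-session` in your current shell (not as a subprocess) so the exports take effect; `unassume_role` reverses it.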
Working with AWS Logs
You can use Amazon CloudWatch Logs to monitor, store, and access your log files from EC2 instances, CloudTrail, and other sources. You can then retrieve the associated log data from CloudWatch Logs using the CloudWatch console, CloudWatch Logs commands in the Amazon Web Services CLI, CloudWatch Logs API, or CloudWatch Logs SDK.
One of the most useful commands is get-log-events.
Have a look at all the options you can use with the get-log-events command:
get-log-events — AWS CLI 1.25.31 Command Reference
There are quite a few commands that you can use for logs with the AWS CLI, but to get started, run this command (note that awslogs is a separate third-party tool installed alongside the AWS CLI, not an AWS CLI subcommand):
awslogs get Log-Group-Name ALL --start='2021-12-20 00:00:00.000' --end='2021-12-26 00:00:00.000' > logs-20-26-dec.csv
Another example:
aws logs get-log-events --log-group-name my-logs --log-stream-name 20150601
Note: where available, use AWS tools or apps such as Athena (query) etc., as they are much faster and easier to use.