Automating the Capture - AWS Security Incident Response Guide

Automating the Capture

One method to invoke the SSM Agent is to target Run Command from an Amazon CloudWatch Events rule (CloudWatch Events is now Amazon EventBridge) that fires when a specific tag is applied to the instance. For example, if you apply the Response=Isolate+MemoryCapture tag to an affected instance, you can configure Amazon CloudWatch Events to trigger two actions:

  • A Lambda function that performs the isolation activities

  • A Run Command invocation that executes a shell command on the instance, through the SSM Agent, to export the Linux memory

This tag-driven response is another form of event-driven response. Because the two targets run independently, the isolation step must leave the instance able to reach the Systems Manager endpoints (outbound HTTPS, or a VPC endpoint); otherwise the Run Command never reaches the agent and the memory is not captured.
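The following is an added example, not code from the AWS guide, showing the tag-driven flow above as a single Lambda function. Everything beyond the page's description is an assumption: the trigger is an EventBridge "Tag Change on Resource" event (source aws.tag); isolation means swapping the instance onto a quarantine security group named in the QUARANTINE_SG environment variable and enabling termination protection; the memory dump uses AVML, assumed preinstalled at /usr/local/bin/avml, and is copied to the bucket in EVIDENCE_BUCKET (the instance role must allow that upload). Unlike the page, which wires Run Command as a second rule target, here the Lambda issues the Run Command itself after isolating, so the two steps are ordered. The helper names (instance_ids_from_event, build_capture_command, respond) and the FakeAwsClient stand-in are hypothetical.

```python
"""Tag-driven isolation plus memory capture (added example; assumptions in lead-in)."""
import os

RESPONSE_TAG = "Response"
RESPONSE_VALUE = "Isolate+MemoryCapture"

# EventBridge rule pattern that fires when the tag is applied (constructed).
EVENT_PATTERN = {
    "source": ["aws.tag"],
    "detail-type": ["Tag Change on Resource"],
    "detail": {
        "service": ["ec2"],
        "resource-type": ["instance"],
        "changed-tag-keys": [RESPONSE_TAG],
        "tags": {RESPONSE_TAG: [RESPONSE_VALUE]},
    },
}

# Constructed sample event in the shape EventBridge delivers to the Lambda.
SAMPLE_EVENT = {
    "source": "aws.tag",
    "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def4567890"],
    "detail": {
        "service": "ec2",
        "resource-type": "instance",
        "changed-tag-keys": [RESPONSE_TAG],
        "tags": {RESPONSE_TAG: RESPONSE_VALUE, "Name": "web-01"},
    },
}


def instance_ids_from_event(event):
    """Instance IDs whose current Response tag requests this response.

    The tag value is re-checked rather than trusting the rule alone, so a
    stray or hand-crafted invocation cannot isolate arbitrary instances."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.tag" or detail.get("resource-type") != "instance":
        return []
    if detail.get("tags", {}).get(RESPONSE_TAG) != RESPONSE_VALUE:
        return []
    ids = []
    for arn in event.get("resources", []):
        resource = arn.rsplit(":", 1)[-1]      # "instance/i-..." from the ARN
        if resource.startswith("instance/"):
            ids.append(resource.split("/", 1)[1])
    return ids


def build_capture_command(bucket, image="/tmp/memory.lime"):
    """Shell lines for AWS-RunShellScript: dump RAM, hash it, ship it to S3."""
    return [
        "set -e",
        f"/usr/local/bin/avml {image}",                 # assumed capture tool
        f"sha256sum {image} > {image}.sha256",
        f"aws s3 cp {image} s3://{bucket}/$(hostname)/memory.lime",
        f"aws s3 cp {image}.sha256 s3://{bucket}/$(hostname)/memory.lime.sha256",
    ]


def isolate_instance(ec2, instance_id, quarantine_sg):
    """Replace all security groups with the quarantine group and block API
    termination. The quarantine group must still allow outbound 443 to the
    SSM endpoints (or a VPC endpoint) or the capture below never arrives."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})


def capture_memory(ssm, instance_id, bucket):
    """Send the capture as a Run Command; returns the command ID to poll."""
    resp = ssm.send_command(
        InstanceIds=[instance_id],
        DocumentName="AWS-RunShellScript",
        Comment=f"IR memory capture for {instance_id}",
        Parameters={"commands": build_capture_command(bucket)},
    )
    return resp["Command"]["CommandId"]


def respond(event, ec2, ssm, quarantine_sg, bucket):
    """Isolate, then capture, every tagged instance; maps instance -> command ID."""
    results = {}
    for iid in instance_ids_from_event(event):
        isolate_instance(ec2, iid, quarantine_sg)
        results[iid] = capture_memory(ssm, iid, bucket)
    return results


def lambda_handler(event, context):
    import boto3  # imported lazily so the helpers above run without the SDK
    return respond(event, boto3.client("ec2"), boto3.client("ssm"),
                   os.environ["QUARANTINE_SG"], os.environ["EVIDENCE_BUCKET"])


class FakeAwsClient:
    """Records calls instead of contacting AWS, so the flow runs offline."""
    def __init__(self):
        self.calls = []

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))

    def send_command(self, **kw):
        self.calls.append(("send_command", kw))
        return {"Command": {"CommandId": "cmd-0001"}}


if __name__ == "__main__":
    fake = FakeAwsClient()
    print(respond(SAMPLE_EVENT, fake, fake, "sg-0quarantine", "ir-evidence"))
    for name, kw in fake.calls:
        print(name, kw)
```

The rule pattern and the handler both check the tag value, so the blast radius of the automation is limited to instances a responder deliberately tagged. Poll the returned command ID with the SSM get_command_invocation API to confirm the dump and its hash landed in the evidence bucket before any further containment that could cut the agent off.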