Capturing Volatile Data - AWS Security Incident Response Guide

Capturing Volatile Data

Although you might not choose to perform an online investigation, it is important to understand the mechanisms needed to capture volatile data from an instance. An online investigation requires interaction with the operating system that is running on the Amazon EC2 instance. In this scenario, you need more than the AWS IAM service to execute tasks on an Amazon EC2 instance. Although you could authenticate directly to the machine using a standard method (such as Linux secure shell (SSH) or Microsoft Windows remote desktop (RDP)), manual interaction with the operating system is not a best practice. We recommend that you use an automation tool to execute tasks on a host programmatically.
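The following script is an added example, not part of the AWS guide: it shows the kind of non-interactive collection task an automation tool (for example AWS Systems Manager Run Command) could run on a Linux instance instead of an analyst typing commands over SSH. The function names, artifact file names and choice of commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: non-interactive volatile-data capture for a Linux instance.
# Artifact names and the command selection are assumptions for illustration.

# run_capture NAME CMD [ARGS...]: save one command's output; never abort the run.
run_capture() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$OUT_DIR/$name.txt" 2>&1 ||
            echo "[collector] exit status $?" >>"$OUT_DIR/$name.txt"
    else
        echo "[collector] tool not available: $1" >"$OUT_DIR/$name.txt"
    fi
}

# collect_volatile DIR: capture the most short-lived state first, then hash it all.
collect_volatile() {
    OUT_DIR=$1
    mkdir -p "$OUT_DIR" || return 1
    chmod 700 "$OUT_DIR"
    date -u +%Y-%m-%dT%H:%M:%SZ >"$OUT_DIR/collection_start_utc.txt"
    run_capture net_connections ss -tanup
    run_capture arp_cache ip neigh show
    run_capture routes ip route show
    run_capture processes ps -eo pid,ppid,user,lstart,args
    run_capture logged_in_users who -a
    run_capture kernel_modules lsmod
    run_capture mounts cat /proc/mounts
    run_capture host_identity uname -a
    # The manifest lets an analyst prove later that artifacts were not altered.
    ( cd "$OUT_DIR" && sha256sum ./*.txt >MANIFEST.sha256 )
}

# verify_manifest DIR: succeeds only if every artifact still matches its hash.
verify_manifest() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1 )
}

# Runs only when invoked as: sh collect.sh collect /path/to/evidence-dir
if [ "${1:-}" = "collect" ] && [ -n "${2:-}" ]; then
    collect_volatile "$2" && verify_manifest "$2"
fi
```

Point the output directory at storage outside the filesystem under investigation where possible, because writing to the instance's own disk changes the evidence.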