View or Copy Data - AWS Security Incident Response Guide

Responders need access to logs and other evidence in order to analyze them, and must confirm that they are able to view or copy that data. At a minimum, the responders' IAM permission policy should provide read-only access so that they can investigate. To grant appropriate access, consider pre-built AWS managed policies such as SecurityAudit or ViewOnlyAccess.

For example, responders might want to make a point-in-time copy of data, such as the AWS CloudTrail logs, from an Amazon S3 bucket in one account to an Amazon S3 bucket in another account. The permissions provided by the ReadOnlyAccess managed policy, for example, enable the responder to perform these actions. To learn how to do this with the AWS Command Line Interface (CLI), see "How can I copy all objects from one Amazon S3 bucket to another bucket?"
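The point-in-time copy described above, as an added example that is not part of the AWS guide: it copies one day of CloudTrail logs into an evidence bucket and fails if the object counts differ afterwards. It assumes a single-account trail with no custom key prefix and credentials that can read the source bucket and write to the evidence bucket; the function names and the values in the usage line are constructed.

```sh
#!/bin/sh
# Added example, not AWS's own code. Function names are hypothetical.
# Usage (constructed values):
#   sh copy_trail.sh example-source-logs example-ir-evidence 111122223333 us-east-1 2024-03-05

# CloudTrail delivers log objects under:
#   AWSLogs/<account-id>/CloudTrail/<region>/YYYY/MM/DD/
cloudtrail_prefix() {   # $1 account ID, $2 region, $3 date as YYYY-MM-DD
    case "$1" in
        ''|*[!0-9]*) echo "account ID must be numeric: $1" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 12 ] || { echo "account ID must be 12 digits: $1" >&2; return 1; }
    case "$3" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "date must be YYYY-MM-DD: $3" >&2; return 1 ;;
    esac
    printf 'AWSLogs/%s/CloudTrail/%s/%s/\n' "$1" "$2" "$(printf '%s' "$3" | tr '-' '/')"
}

# Number of objects under a prefix; "aws s3 ls --recursive" prints one line per object.
count_objects() {       # $1 bucket, $2 key prefix
    aws s3 ls "s3://$1/$2" --recursive | wc -l | tr -d ' '
}

copy_cloudtrail_day() { # $1 source bucket, $2 evidence bucket, $3 account, $4 region, $5 date
    prefix=$(cloudtrail_prefix "$3" "$4" "$5") || return 1
    # Keep the original key layout so each copied object maps back to its source key.
    aws s3 sync "s3://$1/$prefix" "s3://$2/$prefix" --only-show-errors || return 1
    src_n=$(count_objects "$1" "$prefix")
    dst_n=$(count_objects "$2" "$prefix")
    if [ "$src_n" != "$dst_n" ]; then
        echo "count mismatch: source=$src_n evidence=$dst_n" >&2
        return 1
    fi
    echo "copied $src_n objects under $prefix"
}

# Run only when all five arguments are supplied on the command line.
if [ "$#" -eq 5 ]; then
    copy_cloudtrail_day "$@"
fi
```

A matching count shows the copy is complete for that day; it does not prove the objects are unmodified, which is a separate integrity check.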