AWS Security Reference Architecture (AWS SRA) – cyber forensics - AWS Prescriptive Guidance

Global Services Security Team, Amazon Web Services (contributors)

December 2025 (document history)

This guidance provides architectural patterns for building a cyber forensics capability on AWS. This is an extension of the AWS SRA – Core Architecture guide. It dives deep into AWS security services and how they fit into the core security architecture defined by the AWS SRA. 

In the context of the AWS SRA, we use the following definition of forensics provided by the National Institute of Standards and Technology (NIST): "the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data" (source: NIST Special Publication 800-86 - Guide to Integrating Forensic Techniques into Incident Response). 

In this guide: