# JPMC Forensics Runbook

## 1. Provision access to the Forensics Users

1. In JumpCloud, onboard users as normal and add them to the groups `AWS_ALL_Forensics` and `AWSForensics_S3`.

## 2. Forensics Session

1. Log in to AWS via JumpCloud at https://gofigg.awsapps.com/start/#/
2. Use the `Forensics_OPS` role to initiate shell sessions on a target machine.
3. Use the `Forensics_S3` role to upload data to the `451614264247-forensic-data` S3 bucket in the `core-audit` account.

## 3. How to Audit Forensics Sessions

1. Log in to AWS via JumpCloud at https://gofigg.awsapps.com/start/#/
2. Log in to the `fi` account as `Forensics_OPS`.
3. Audit sessions using CloudTrail (more...)

## Notes

- The JumpCloud group `AWS_ALL_Forensics` permits access to assume the `Forensics_OPS` role in every AWS account. This role can be used to read and write to S3, as well as launch AWS SSM sessions against any machine.
- The JumpCloud group `AWSForensics_S3` permits access to assume the `Forensics_S3` role in the `core-audit` account. This role can be used to generate ephemeral sessions on compromised machines. It _only_ has access to read and write to the forensics bucket `451614264247-forensic-data` in S3.

## TODO

- [ ] Update `Forensics_OPS` role to allow access to view SSM Session Logs and CloudTrail logs
- [ ] Update `Forensics_OPS` to allow describe all EC2 details
- [ ] S3 object Lifecycle policy of 30 days
- [ ] Create a new role called `Forensics_Audit` that has the ability to access audit logs
- [ ] Remove the Redash link in the AWS Forensics Role error
- [ ] Send emails to security_jira@gofigg.com
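As an added example for section 3 and the Notes (not part of the runbook itself), the script below summarises CloudTrail records for the two forensic roles and flags activity outside the scope the Notes describe (a non-SSM/S3 service for `Forensics_OPS`, or `Forensics_S3` touching any bucket other than the forensics bucket). It assumes the records have already been exported from CloudTrail as JSON; the sample records, account IDs and session names are constructed, and S3 object-level events only appear in CloudTrail if data-event logging is enabled on the trail.

```python
from collections import defaultdict

FORENSIC_BUCKET = "451614264247-forensic-data"  # bucket named in the runbook
# Services each role is expected to touch, per the Notes section; anything else is flagged.
EXPECTED_SERVICES = {"Forensics_OPS": {"ssm.amazonaws.com", "s3.amazonaws.com"},
                     "Forensics_S3": {"s3.amazonaws.com"}}

def role_and_user(record):
    """Split an AssumedRole ARN into (role name, session name); (None, None) otherwise."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None, None
    # ARN shape: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    _, role, user = ident["arn"].rsplit("/", 2)
    return role, user

def audit(records):
    """Return ({(role, user): [(time, event, target)]}, [(role, user, event, target) flagged])."""
    activity, flagged = defaultdict(list), []
    for r in records:
        role, user = role_and_user(r)
        if role not in EXPECTED_SERVICES:
            continue  # not one of the forensic roles
        params = r.get("requestParameters") or {}
        target = params.get("target") or params.get("bucketName", "")  # SSM instance or S3 bucket
        activity[(role, user)].append((r["eventTime"], r["eventName"], target))
        off_service = r["eventSource"] not in EXPECTED_SERVICES[role]
        # Forensics_S3 is scoped to the forensics bucket only; any other bucket is out of policy.
        wrong_bucket = role == "Forensics_S3" and target != FORENSIC_BUCKET
        if off_service or wrong_bucket:
            flagged.append((role, user, r["eventName"], target))
    return dict(activity), flagged

# Constructed sample records in CloudTrail's JSON shape (not real events; account IDs are placeholders).
SAMPLE = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "ssm.amazonaws.com", "eventName": "StartSession",
     "requestParameters": {"target": "i-0abc123"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/Forensics_OPS/alice"}},
    {"eventTime": "2024-05-01T10:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": FORENSIC_BUCKET, "key": "i-0abc123/memory.lime"},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::451614264247:assumed-role/Forensics_S3/alice"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
     "requestParameters": {},
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/Forensics_OPS/bob"}},
]

if __name__ == "__main__":
    sessions, hits = audit(SAMPLE)
    for key, events in sessions.items():
        print(key, events)
    for hit in hits:
        print("out of scope:", hit)
```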