Minimizing Permissions for Cloud Forensics: A Practical Guide for Tightening Access in the Cloud

This talk addresses a critical challenge for security operations centers (SOCs) and incident response (IR) teams in cloud environments: minimizing the permissions required for forensic investigations while maintaining efficient collaboration with cloud teams. Key topics include:

  • The Power of Dedicated Forensics Accounts: Learn why creating dedicated GCP/AWS/Azure forensics accounts can be a best practice, along with implementation steps
  • Extracting Data from Containers: Discover various methods to acquire data from containers, including sidecars, snapshots of the container filesystems, and the Kubernetes API
  • Temporary Credentials for Secure Access: We'll delve into assigning temporary credentials for cloud resources, using virtual machine snapshots as an example
  • Leveraging Tagging for Granular Permissions: Explore how tagging resources can minimize the permissions needed for specific investigations
  • RBAC Best Practices for IAM: Gain insights into best practices for Role-Based Access Control (RBAC) within IAM, specifically tailored for security operations and incident response teams
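The tagging, temporary-credential and RBAC topics above combine naturally in one pattern: a forensics role whose policy allows snapshotting only the volumes tagged with the current case, exercised through a short-lived STS session that carries the case id as a session tag. The following Python is an added example, not code from the talk; it assumes AWS, a hypothetical tag key `forensics-case`, a constructed case id and a placeholder role ARN. The `is_allowed` function is a deliberately simplified model of IAM evaluation (Allow statements, exact action names, glob resource ARNs, `StringEquals` on `aws:ResourceTag/...` keys and `${aws:PrincipalTag/...}` variables, one resource at a time) so the policy's behaviour can be checked offline; it has no Deny, NotAction, SCP or resource-policy logic and is not the real engine.

```python
"""Tag-scoped, time-limited permissions for a forensic VM snapshot (AWS).

Added example, not code from the talk.  Assumptions: AWS, a hypothetical tag
key `forensics-case`, a constructed case id and a placeholder role ARN.
`is_allowed` is a simplified model of IAM policy evaluation, not the real engine.
"""
import fnmatch
import json

TAG_KEY = "forensics-case"  # hypothetical tag key shared by volume and session


def forensics_snapshot_policy() -> dict:
    """Least-privilege policy for the forensics role: it may snapshot only
    volumes whose forensics-case tag equals the caller's own session tag."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SnapshotOnlyVolumesOfMyCase",
                "Effect": "Allow",
                "Action": ["ec2:CreateSnapshot"],
                "Resource": ["arn:aws:ec2:*:*:volume/*"],
                "Condition": {
                    "StringEquals": {
                        f"aws:ResourceTag/{TAG_KEY}": f"${{aws:PrincipalTag/{TAG_KEY}}}"
                    }
                },
            },
            {
                # CreateSnapshot is authorised against both the source volume
                # and the new snapshot resource; the snapshot ARN has no account id.
                "Sid": "CreateTheSnapshotObject",
                "Effect": "Allow",
                "Action": ["ec2:CreateSnapshot"],
                "Resource": ["arn:aws:ec2:*::snapshot/*"],
            },
        ],
    }


def assume_role_request(role_arn: str, case_id: str, minutes: int = 60) -> dict:
    """Keyword arguments for boto3 `sts.assume_role`: a short-lived session
    tagged with the case id, which is what ${aws:PrincipalTag/forensics-case}
    resolves to while the policy above is evaluated."""
    seconds = minutes * 60
    if not 900 <= seconds <= 43200:  # STS limits: 15 minutes to 12 hours
        raise ValueError("session length must be between 15 minutes and 12 hours")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"forensics-{case_id}",
        "DurationSeconds": seconds,
        "Tags": [{"Key": TAG_KEY, "Value": case_id}],
    }


def _resolve(value: str, principal_tags: dict):
    """Substitute a ${aws:PrincipalTag/NAME} policy variable; an absent tag
    resolves to None so the comparison below fails, as IAM's does."""
    prefix, suffix = "${aws:PrincipalTag/", "}"
    if value.startswith(prefix) and value.endswith(suffix):
        return principal_tags.get(value[len(prefix):-len(suffix)])
    return value


def is_allowed(policy: dict, action: str, resource_arn: str,
               resource_tags: dict, principal_tags: dict) -> bool:
    """Simplified evaluation: the request is allowed if any Allow statement
    matches the action, the resource ARN and every StringEquals condition
    on aws:ResourceTag keys (the only condition keys this model understands)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in stmt["Resource"]):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        matched = True
        for key, expected in conditions.items():
            if not key.startswith("aws:ResourceTag/"):
                matched = False  # unsupported key in this model: treat as no match
                break
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])
            if actual is None or actual != _resolve(expected, principal_tags):
                matched = False
                break
        if matched:
            return True
    return False


if __name__ == "__main__":
    case = "IR-2024-0042"  # constructed case id
    print(json.dumps(forensics_snapshot_policy(), indent=2))
    print(assume_role_request("arn:aws:iam::111122223333:role/ForensicsRole", case))
```

The point of the design is that no standing permission names a specific volume: the investigator tags the volumes in scope for the case, assumes the role with the matching session tag for as long as the acquisition takes, and the same policy covers every case without being edited. Volumes without the tag, or tagged for another case, stay out of reach even for the forensics role.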