Managing a compromised AWS EC2 instance
Introduction
This guide is intended to inform teams of the initial actions to take on learning that one or more Amazon Elastic Compute Cloud (EC2) instances have been compromised. Initial actions should focus on containment and restoring service, followed by root cause analysis and preventative measures. The order matters: isolate first, preserve evidence second, and only terminate once the case is closed.
Immediate Actions
1. Isolate the instance
Isolating the compromised instance prevents further damage and denies the attacker continued use of it as a foothold, whilst keeping the instance available for investigation and forensic examination.
How to isolate the instance
- Remove the instance from its auto scaling group.
- Detach the instance from any:
  - Classic load balancer,
  - Application load balancer or Network load balancer (deregister it from every target group that lists it).
- Replace the instance's security groups with a single isolation security group that has no inbound rules and from which the default "allow all egress" rule has been removed. An instance must always have at least one security group, so the groups cannot simply be removed; a new group always starts with an allow-all outbound rule that you must revoke explicitly. Established connections that the security group is already tracking are not necessarily dropped by the change; if the instance must be cut off at once, additionally apply a network ACL that denies the traffic, since network ACLs are stateless.
- If the investigating team needs network access to the instance, create a separate security group for that purpose and restrict it to their source addresses.
- Remove the IAM instance profile from the instance, or replace it with one whose role denies everything. Temporary credentials the attacker may already have read from the instance metadata service remain valid until they expire, so also revoke the role's active sessions in IAM (a deny policy conditioned on the token issue time) and review CloudTrail for use of those credentials from outside the instance.
(An instance detached from an auto scaling group without decrementing the group's desired capacity is automatically replaced by a new instance, which restores service. Make sure the replacement is launched from a clean AMI, otherwise it will be compromised in the same way.)
2. Stop the instance
If malicious activity is continuing on the isolated instance and you want it to stop, stop (do not terminate) the instance. Stopping also ensures that the snapshots taken in the next step are a consistent image rather than copies of volumes that are still being written to. Be aware that stopping discards the contents of memory and of any instance store volumes; if volatile evidence such as running processes, open network connections or in-memory credentials matters to the investigation, capture it before stopping. Enable termination protection (the DisableApiTermination attribute) so the instance cannot be terminated by mistake while the case is open. If the instance was launched from an instance store-backed Amazon Machine Image (AMI), it cannot be stopped at all and all of its data is lost on termination, so preserve that data by other means before it is ever terminated.
3. Amazon Elastic Block Store (EBS) snapshot
Take a snapshot of every EBS volume attached to the compromised instance, including the root volume, to preserve the information they contain for any subsequent investigation. Forensic examination of the snapshots can later establish the cause, impact and remedy. Tag each snapshot with the case reference, restrict who can access it (never make it public, and share it only with the account used for forensic work), and bear in mind that a snapshot of an encrypted volume can only be used by a principal with access to the volume's KMS key.
After the investigation is complete, if management closes the case and confirms that no further investigation is required, the snapshots may be deleted.
4. Instance termination
Avoid the impulse to terminate a compromised instance immediately; isolate it instead. Terminating an instance prematurely destroys evidence needed for root cause analysis, or for a disciplinary or criminal investigation: any EBS volume marked delete-on-termination (the root volume by default) is deleted along with it, and instance store data is lost unconditionally.
After the investigation is complete, if management closes the case and confirms that no further investigation is required, the instance may be terminated.
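The four steps above, carried out in order with the AWS CLI, as an added example that is not part of the original guide. It detaches the instance from its auto scaling group and load balancers, swaps its security groups for an empty isolation group (revoking the default egress rule), removes the instance profile, protects the instance from termination, stops it and then snapshots all attached EBS volumes. It assumes AWS CLI v2 is configured with a region and with permissions for the calls shown; the CASE_ID value, the IncidentCase tag key and the isolation group name are hypothetical. Revoking the role's active IAM sessions and capturing memory are left as separate manual steps.

```shell
#!/usr/bin/env bash
# Contain a compromised EC2 instance: detach from ASG and load balancers,
# swap to an isolation security group, strip the instance profile, protect
# from termination, stop, then snapshot every attached EBS volume.
# Added example, not from the original guide. Assumes AWS CLI v2 with the
# required permissions; CASE_ID and the tag key are hypothetical.
set -euo pipefail

: "${CASE_ID:=IR-0000}"          # hypothetical case reference used for tagging
TAG_KEY="IncidentCase"            # hypothetical tag key

# Detach from any Auto Scaling group without decrementing desired capacity,
# so the group launches a replacement and service is restored.
detach_from_asg() {
  local id=$1 asg
  asg=$(aws autoscaling describe-auto-scaling-instances --instance-ids "$id" \
        --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text)
  if [ -n "$asg" ] && [ "$asg" != "None" ]; then
    aws autoscaling detach-instances --instance-ids "$id" \
      --auto-scaling-group-name "$asg" --no-should-decrement-desired-capacity
  fi
}

# Deregister from Classic load balancers and from every ALB/NLB target group
# that currently lists the instance as a target.
detach_from_load_balancers() {
  local id=$1 lb tg hit
  for lb in $(aws elb describe-load-balancers \
      --query "LoadBalancerDescriptions[?Instances[?InstanceId=='$id']].LoadBalancerName" \
      --output text); do
    aws elb deregister-instances-from-load-balancer \
      --load-balancer-name "$lb" --instances "$id"
  done
  for tg in $(aws elbv2 describe-target-groups \
      --query 'TargetGroups[].TargetGroupArn' --output text); do
    hit=$(aws elbv2 describe-target-health --target-group-arn "$tg" \
          --query "TargetHealthDescriptions[?Target.Id=='$id'].Target.Id" --output text)
    if [ -n "$hit" ] && [ "$hit" != "None" ]; then
      aws elbv2 deregister-targets --target-group-arn "$tg" --targets "Id=$id"
    fi
  done
}

# Create an isolation security group with no inbound rules and revoke the
# default allow-all egress rule(s) a new group is created with. Prints its ID.
create_isolation_sg() {
  local vpc_id=$1 sg egress
  sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" \
       --group-name "isolation-$CASE_ID" \
       --description "IR isolation: no inbound, no outbound" \
       --query GroupId --output text)
  egress=$(aws ec2 describe-security-groups --group-ids "$sg" \
           --query 'SecurityGroups[0].IpPermissionsEgress' --output json)
  if [ "$egress" != "[]" ]; then
    aws ec2 revoke-security-group-egress --group-id "$sg" --ip-permissions "$egress"
  fi
  echo "$sg"
}

# Remove the instance profile so no fresh credentials are issued. Credentials
# already stolen stay valid until expiry: revoke the role's sessions in IAM too.
remove_instance_profile() {
  local id=$1 assoc
  assoc=$(aws ec2 describe-iam-instance-profile-associations \
          --filters "Name=instance-id,Values=$id" \
          --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
  if [ -n "$assoc" ] && [ "$assoc" != "None" ]; then
    aws ec2 disassociate-iam-instance-profile --association-id "$assoc"
  fi
}

# Full containment in the guide's order. Prints the snapshot IDs last.
contain_instance() {
  local id=$1 vpc_id sg
  aws ec2 create-tags --resources "$id" --tags "Key=$TAG_KEY,Value=$CASE_ID"
  aws ec2 modify-instance-attribute --instance-id "$id" --disable-api-termination
  detach_from_asg "$id"
  detach_from_load_balancers "$id"
  vpc_id=$(aws ec2 describe-instances --instance-ids "$id" \
           --query 'Reservations[0].Instances[0].VpcId' --output text)
  sg=$(create_isolation_sg "$vpc_id")
  aws ec2 modify-instance-attribute --instance-id "$id" --groups "$sg"
  remove_instance_profile "$id"
  # Stopping discards RAM: capture memory first if volatile evidence matters.
  aws ec2 stop-instances --instance-ids "$id" >/dev/null
  aws ec2 wait instance-stopped --instance-ids "$id"
  aws ec2 create-snapshots --instance-specification "InstanceId=$id" \
    --description "Forensic image $CASE_ID of $id" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=$TAG_KEY,Value=$CASE_ID}]" \
    --query 'Snapshots[].SnapshotId' --output text
}

# Usage: INSTANCE_ID=i-0123456789abcdef0 CASE_ID=IR-42 ./contain.sh
if [ -n "${INSTANCE_ID:-}" ]; then
  contain_instance "$INSTANCE_ID"
fi
```

The egress rule is revoked by reading back whatever outbound rules the new group was created with and revoking exactly those, which also covers an IPv6 allow-all rule where the VPC has one. Detaching from the auto scaling group is done without decrementing desired capacity so a replacement is launched; verify the replacement comes from a clean AMI before trusting it with traffic.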