Compromised EC2 Instance

1. Lock the instance down.

  • Isolate the compromised instance and stop traffic entering or leaving the instance.

  • To do this, remove the existing security groups from the instance, and add a single one that has one egress rule, allowing all traffic to go to 127.0.0.1 only.

2. Take the EBS Snapshot.

  • Immediately take a snapshot of the compromised EC2 instance’s EBS volume.

  • Do not shut down the instance: stopping or rebooting it discards the volatile memory that the next step needs.

3. Take a Memory Dump.

4. Perform Forensic Analysis.

  • Use the EBS Snapshot and the Memory Dump to try to determine what went wrong and how the instance was compromised.

5. Terminate the instance.
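Steps 1 and 2 of this runbook as boto3 calls, added here as an example (it is not part of the original page). The functions take an EC2 client object as a parameter, so the same logic can be exercised offline with a stub; the security group name, the "IncidentCase" tags and the case-id argument are this example's own conventions. Steps 3 to 5 are left to the responder: the memory dump is taken on the instance itself, and termination only happens after analysis.

```python
"""Isolate a compromised EC2 instance, then snapshot its EBS volumes.

`ec2` is a boto3 EC2 client (or any object exposing the same method names),
so the logic can be exercised offline with a stub client.
"""
from datetime import datetime, timezone

ISOLATION_CIDR = "127.0.0.1/32"  # the runbook's loopback-only egress target
ALL_TRAFFIC = "-1"               # EC2's wildcard protocol value


def isolation_egress_rule(cidr=ISOLATION_CIDR):
    """IpPermissions entry: every protocol, but only to one CIDR."""
    return [{"IpProtocol": ALL_TRAFFIC, "IpRanges": [{"CidrIp": cidr}]}]


def describe_instance(ec2, instance_id):
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    return resp["Reservations"][0]["Instances"][0]


def create_isolation_group(ec2, vpc_id, case_id):
    """New security group with no ingress rules and egress only to 127.0.0.1/32."""
    sg = ec2.create_security_group(
        GroupName=f"ir-isolation-{case_id}",  # naming convention assumed by this example
        Description=f"Incident {case_id}: quarantine, no ingress, loopback egress only",
        VpcId=vpc_id,
    )
    sg_id = sg["GroupId"]
    # A fresh group carries one default rule (all egress to 0.0.0.0/0); remove it
    # before adding the loopback-only rule, otherwise the instance can still talk out.
    ec2.revoke_security_group_egress(
        GroupId=sg_id, IpPermissions=isolation_egress_rule("0.0.0.0/0"))
    ec2.authorize_security_group_egress(
        GroupId=sg_id, IpPermissions=isolation_egress_rule())
    return sg_id


def isolate_instance(ec2, instance_id, case_id):
    """Step 1: replace every security group on every network interface."""
    inst = describe_instance(ec2, instance_id)
    sg_id = create_isolation_group(ec2, inst["VpcId"], case_id)
    eni_ids = [eni["NetworkInterfaceId"] for eni in inst["NetworkInterfaces"]]
    for eni_id in eni_ids:
        # Per interface: modify_instance_attribute(Groups=...) only covers the primary ENI.
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni_id, Groups=[sg_id])
    # Termination protection keeps the instance (and its memory) alive until the dump is taken.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "IncidentCase", "Value": case_id},
        {"Key": "IncidentStatus", "Value": "isolated"},
    ])
    return {"security_group_id": sg_id, "interfaces": eni_ids}


def snapshot_volumes(ec2, instance_id, case_id, now=None):
    """Step 2: snapshot each attached EBS volume while the instance keeps running."""
    inst = describe_instance(ec2, instance_id)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    snapshots = {}
    for mapping in inst.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:
            continue  # instance-store devices have no EBS volume to snapshot
        vol_id = ebs["VolumeId"]
        resp = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"IR {case_id} {instance_id} {mapping['DeviceName']} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "IncidentCase", "Value": case_id},
                {"Key": "SourceInstance", "Value": instance_id},
            ]}],
        )
        snapshots[vol_id] = resp["SnapshotId"]
    return snapshots


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against AWS
    instance, case = sys.argv[1], sys.argv[2]
    client = boto3.client("ec2")
    print(isolate_instance(client, instance, case))
    print(snapshot_volumes(client, instance, case))
```

Run it as `python isolate.py i-<instance-id> <case-id>` with credentials that allow the EC2 calls above. Changing groups on every interface matters: an attacker-attached secondary ENI would otherwise keep its original, permissive groups.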
