And if a container from EKS or ECS was compromised ? what is right thing to do ?
If was a ec2 instance we can isolate but if was a container running malicious image ou malicious code…
Does make sense isolate a entire ec2 because only one container is compromised?
1 Answers
It would most certainly make sense to isolate the entire EC2 if that scenario occurred. You should probably also take each container using the same image out of service immediately, even if they run on different EC2 instances. Also isolate all EC2 instances in the same setup. At least until you figure out how the container was breached. It is very likely that an attacker that somehow makes it in to your containers came there via your EC2 instance.
I would also suggest using Fargate (for ECS only, until the EKS support finally arrives). With Fargate it is not possible to access the underlying EC2, since it is abstracted away from you. Thus there is no way to get in to the containers either (unless the attacker manages to add code to your project that eventually ends up in a Docker image that you run in ECS)