Certified Security - Specialty


Memory Snapshot of compromised instance

Hi Ryan, should we not take a memory snapshot before stopping a compromised instance? Any memory-resident malicious code would disappear when we stop a compromised instance?

Stuart Clowes

Absolutely you should! A better approach would be to isolate the compromised host using security groups, take the memory dump and then the EBS snapshot.

Stuart Clowes

You might want to build run books for these scenarios. If you want to script, take a look at "aws ec2 revoke-security-group-egress"
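
The order given in the comments above (isolate with security groups, take the memory dump, then the EBS snapshot), as an added runbook sketch that is not part of the original thread. The function name, its arguments, the quarantine group naming and the SSH-from-a-forensic-workstation rule are assumptions; with DRY_RUN=1 (the default) it only prints the AWS CLI calls for review.

```shell
#!/bin/sh
# Added runbook sketch: isolate -> capture memory -> snapshot EBS, in that order.
# DRY_RUN=1 (default) prints each AWS CLI call instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Args (all hypothetical names): instance id, VPC id, case label, forensic workstation CIDR.
isolate_and_preserve() {
    instance_id="$1"; vpc_id="$2"; case_id="$3"; forensic_cidr="$4"
    sg_name="quarantine-$case_id"
    sg_id="sg-DRYRUN"   # placeholder shown in dry-run output only

    # 1. Isolate. A new group has no ingress rules but keeps the default
    #    allow-all egress rule, so that rule is revoked explicitly.
    run aws ec2 create-security-group --group-name "$sg_name" \
        --description "IR isolation $case_id" --vpc-id "$vpc_id"
    if [ "$DRY_RUN" != "1" ]; then
        sg_id=$(aws ec2 describe-security-groups \
            --filters "Name=group-name,Values=$sg_name" "Name=vpc-id,Values=$vpc_id" \
            --query 'SecurityGroups[0].GroupId' --output text)
    fi
    run aws ec2 revoke-security-group-egress --group-id "$sg_id" \
        --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
    # Assumption: memory is collected over SSH from one forensic workstation.
    run aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --protocol tcp --port 22 --cidr "$forensic_cidr"
    # Replaces every group on the instance. Connections that were already
    # tracked can persist until they time out, so verify the cut-off.
    run aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$sg_id"

    # 2. Memory. The instance stays running; the operator runs their memory
    #    acquisition tool here (not scripted in this sketch).
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ PAUSE: capture memory from %s before any stop/terminate\n' "$instance_id"
    else
        printf 'Capture memory from %s, then press Enter: ' "$instance_id"
        read -r reply
    fi

    # 3. Disk. Snapshot all attached EBS volumes only after memory is saved.
    run aws ec2 create-snapshots --instance-specification "InstanceId=$instance_id" \
        --description "IR $case_id after memory capture"
}

if [ "$#" -ge 4 ]; then isolate_and_preserve "$@"; fi
```

Run it once in dry-run mode to review the calls, then with DRY_RUN=0 and the four arguments during an actual response.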

0 Answers
