Shiva2017
Hi Ryan, Should we not take a memory snapshot before stopping a compromised instance? any memory resident malicious code would disappear when we stop a compromised instance?
Certified Security - Specialty
Sign Up Free or Log In to participate!
Memory Snapshot of compromised instance
Absolutely you should! A better approach would be to isolate the compromised host using security groups, take the memory dump and then the EBS snapshot.
You might want to build run books for this scenarios. If you want to script, take a look at "aws ec2 revoke-security-group-egress"