Sign Up Free or Log In to participate!
Hi Ryan, Should we not take a memory snapshot before stopping a compromised instance? any memory resident malicious code would disappear when we stop a compromised instance?
Absolutely you should! A better approach would be to isolate the compromised host using security groups, take the memory dump and then the EBS snapshot.
You might want to build run books for this scenarios. If you want to script, take a look at "aws ec2 revoke-security-group-egress"
Psst…this one if you’ve been moved to ACG!
Don't have an account?