Hello! I have a small question about the recommended steps if an EC2 seems to be hacked. A Cloud Guru’s lecture recommended stopping the instance as a first step, and then taking a snapshot of the EBS instance, so you can deploy it in a totally isolated environment. However, since there is some malware that may just reside in memory, and it doesn’t write anything on the volumes, I wonder if, in order to analyze the behavior of the compromised EC2 instance, wouldn’t it be better trying to isolate it within its current VPC, but attaching a more restricted Security Group to it, so I may be able to at least make a copy of the content in memory before terminating my instance. Thank you so much in advance! Santiago (Madrid, Spain)
Hi Santiago! As you probably know, Security Groups don’t have explicit Deny rules. If you want to leave the compromised EC2 instance running, you would probably want to detach ALL existing SGs first. Then, you could attach a newly created SG with no outbound rules and limited inbound rules.
I agree with your assertion: Stopping a compromised instance negates any forensic information retained in memory. I found the following article on the web. Hope it helps: https://www.linkedin.com/pulse/aws-forensics-ec2-volatile-memory-capture-stephen-mcmaster/
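The isolation procedure the second reply describes (strip every existing Security Group, attach one new group with no outbound rules and tightly limited inbound rules, and keep the instance running so memory can still be captured) as a worked example. This is added code, not from any poster in the thread and not an AWS-published script. It assumes boto3 is installed for a real run; for an offline dry run a constructed `FakeEC2` class stands in for boto3's EC2 client and records the calls. The instance ID, VPC ID, group ID and forensic-workstation CIDR are placeholders.

```python
"""Quarantine a suspected-compromised EC2 instance without stopping it.

Added example (not from the thread). For real use it needs boto3; for an
offline dry run the constructed FakeEC2 class below stands in for
boto3.client("ec2"). All resource IDs and CIDRs are placeholders.
"""
from __future__ import annotations

from typing import Any

# A freshly created security group gets an implicit allow-all egress rule;
# this is the permission set that removes it.
ALL_TRAFFIC_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def build_isolation_ingress(forensic_cidr: str, port: int = 22) -> list[dict]:
    """Inbound rule set: only the forensic workstation CIDR, on one TCP port."""
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": forensic_cidr, "Description": "IR workstation"}],
    }]


def isolate_instance(ec2: Any, instance_id: str, vpc_id: str, forensic_cidr: str) -> str:
    """Create a quarantine SG (no egress, one ingress rule) and make it the ONLY SG.

    Security groups have no deny rules, so isolation means removing every
    permissive group: ModifyInstanceAttribute with Groups=[...] replaces the
    whole set in one call. The instance is never stopped, so volatile memory
    remains available for capture. Returns the new group's ID.
    """
    created = ec2.create_security_group(
        GroupName=f"quarantine-{instance_id}",
        Description="Incident response quarantine: no egress",
        VpcId=vpc_id,
    )
    sg_id = created["GroupId"]
    # Remove the default allow-all outbound rule so nothing can leave the host.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=ALL_TRAFFIC_EGRESS)
    # Allow only the responder's workstation in.
    ec2.authorize_security_group_ingress(
        GroupId=sg_id, IpPermissions=build_isolation_ingress(forensic_cidr)
    )
    # Replace ALL attached groups with the quarantine group at once.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; records calls for a dry run."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []
        self.groups: dict[str, list[str]] = {}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-0quarantine0000001"}  # placeholder ID

    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))
        return {"Return": True}

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize_security_group_ingress", kw))
        return {"Return": True}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        self.groups[kw["InstanceId"]] = list(kw["Groups"])
        return {}


def dry_run() -> FakeEC2:
    """Run the procedure against the fake client and return it for inspection."""
    ec2 = FakeEC2()
    isolate_instance(ec2, "i-0placeholder000001", "vpc-0placeholder0001", "10.0.100.5/32")
    return ec2


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 4:  # real run: <instance-id> <vpc-id> <forensic-cidr>
        import boto3  # imported lazily so the dry run works without it

        print(isolate_instance(boto3.client("ec2"), *sys.argv[1:]))
    else:
        for name, kw in dry_run().calls:
            print(name, kw)
```

Run it with no arguments to see the four API calls it would make; with an instance ID, VPC ID and your workstation's /32 it performs them for real. The order matters: the egress rule is revoked before the group is attached, so there is no window in which the instance has an allow-all outbound group. Subnet network ACLs are not touched here and should be reviewed separately as part of the same containment step.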