Remediating a potentially compromised Amazon EC2 instance - Amazon GuardDuty

When GuardDuty generates a finding type that indicates a potentially compromised Amazon EC2 resource, the Resource type of the finding is Instance. Such findings can be EC2 finding types, GuardDuty Runtime Monitoring finding types, or Malware Protection for EC2 finding types. If the behavior that caused the finding is expected in your environment, consider using Suppression rules instead of remediating.

Perform the following steps to remediate the potentially compromised Amazon EC2 instance:

  1. Identify the potentially compromised Amazon EC2 instance

    Investigate the potentially compromised instance for malware and remove any discovered malware. You may use On-demand malware scan in GuardDuty to identify malware in the potentially compromised EC2 instance, or check AWS Marketplace to see if there are helpful partner products to identify and remove malware.

  2. Isolate the potentially compromised Amazon EC2 instance

    If possible, use the following steps to isolate the potentially compromised instance:

    1. Create a dedicated Isolation security group. An isolation security group should allow inbound and outbound access only from and to specific IP addresses. Make sure that there is no inbound or outbound rule that allows traffic from or to 0.0.0.0/0 on any port range, including the full range (0-65535).

    2. Associate the Isolation security group with this instance.

    3. Remove all security group associations other than the newly created Isolation security group from the potentially compromised instance.

      Note

      Changing security groups does not terminate existing tracked connections; only new traffic is blocked by the new security group.

      For information about tracked and untracked connections, see Amazon EC2 security group connection tracking in the Amazon EC2 User Guide.

      For information about blocking further traffic from suspicious existing connections, see Enforce NACLs based on network IoCs to prevent further traffic in the Incident Response Playbook.
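      The three isolation steps above, as an added example that is not code from the GuardDuty documentation or from AWS. It assumes boto3 is installed and credentials and a region are configured only when isolate_instance() is actually called (it takes an EC2 client as a parameter); the rule-checking helpers are pure and run offline. ADMIN_CIDR, the instance and VPC IDs, and the security group dicts in the comments are constructed values standing in for your own forensic host and resources.

```python
# Added example, not code from the GuardDuty documentation or from AWS.
# Isolates a potentially compromised EC2 instance with a dedicated isolation
# security group. Assumptions: boto3 is installed and configured only when
# isolate_instance() is called with a real EC2 client; ADMIN_CIDR is a
# constructed documentation-range value standing in for the analyst host.

ADMIN_CIDR = "203.0.113.10/32"  # constructed; replace with your forensic host

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_is_world_open(permission):
    """True if an EC2 IpPermission dict (the shape describe_security_groups
    returns) grants access to any IPv4 or IPv6 address.

    The guide calls out 0.0.0.0/0 over ports 0-65535 specifically; since an
    isolation group may only reference specific addresses, any world-wide
    CIDR fails here regardless of the port range."""
    v4 = {r.get("CidrIp") for r in permission.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in permission.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & WORLD_CIDRS)


def isolation_sg_is_compliant(sg):
    """Check a SecurityGroup dict: no inbound or outbound rule may reference a
    world-wide CIDR. Returns (compliant, list of offending rule descriptions)."""
    problems = []
    for direction, key in (("inbound", "IpPermissions"),
                           ("outbound", "IpPermissionsEgress")):
        for perm in sg.get(key, []):
            if rule_is_world_open(perm):
                proto = perm.get("IpProtocol", "-1")
                ports = f"{perm.get('FromPort', 0)}-{perm.get('ToPort', 65535)}"
                problems.append(f"{direction} {proto} {ports} open to the world")
    return (not problems, problems)


def isolation_permissions(admin_cidr):
    """Rule set for the isolation group: SSH in from the analyst host only,
    and all traffic out to that host only (for evidence collection)."""
    ingress = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": admin_cidr,
                              "Description": "forensic access"}]}]
    egress = [{"IpProtocol": "-1",
               "IpRanges": [{"CidrIp": admin_cidr,
                             "Description": "forensic host only"}]}]
    return ingress, egress


def isolate_instance(ec2, instance_id, vpc_id, admin_cidr=ADMIN_CIDR):
    """Run the three isolation steps against a boto3 EC2 client `ec2`.

    The group is created, tightened and verified before the instance is
    touched. modify_instance_attribute(Groups=[...]) then replaces the whole
    security group set, so it associates the isolation group and removes all
    other groups in one call. Existing tracked connections survive this
    change (see the Note above); block those separately with NACLs."""
    sg_id = ec2.create_security_group(
        GroupName=f"isolation-{instance_id}",
        Description=f"Incident isolation for {instance_id}",
        VpcId=vpc_id)["GroupId"]
    ingress, egress = isolation_permissions(admin_cidr)
    # A newly created security group carries a default allow-all egress rule;
    # revoke it before adding the restricted egress rule.
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ingress)
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=egress)

    # Re-read the group from the API and refuse to attach it if anything is
    # still open to the world.
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    ok, problems = isolation_sg_is_compliant(sg)
    if not ok:
        raise RuntimeError(f"isolation group {sg_id} is not isolating: {problems}")

    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


if __name__ == "__main__":
    import sys
    import boto3  # assumed installed and configured for the target account
    instance_id, vpc_id = sys.argv[1], sys.argv[2]
    print(isolate_instance(boto3.client("ec2"), instance_id, vpc_id))
```

      Run it as `python isolate.py i-0123456789abcdef0 vpc-0123456789abcdef0` (constructed IDs) from an analyst workstation whose address is in ADMIN_CIDR. The verification step reads the group back from the API rather than trusting the rules the script just submitted, which catches a leftover default egress rule or a stray world-open rule before the instance is cut over.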

  3. Identify the source of the suspicious activity

    If malware is detected, use the finding type reported in your account to identify and stop the potentially unauthorized activity on your EC2 instance. This may require closing open ports, changing access policies, and upgrading applications to correct the vulnerabilities that were exploited.

    If you are unable to identify and stop unauthorized activity on your potentially compromised EC2 instance, we recommend that you terminate the compromised EC2 instance and replace it with a new instance as needed. The following are additional resources for securing your EC2 instances:

  4. Browse AWS re:Post

    Browse AWS re:Post for further assistance.

  5. Submit a technical support request

    If you are a premium support package subscriber, you can submit a technical support request.