Remediating a potentially compromised ECS cluster - Amazon GuardDuty

When GuardDuty generates a finding that indicates a potentially compromised Amazon ECS resource, the finding's Resource type is ECSCluster. Such findings can be GuardDuty Runtime Monitoring finding types or Malware Protection for EC2 finding types. If the behavior that caused the finding is expected in your environment, consider using suppression rules.

Follow these recommended steps to remediate a potentially compromised Amazon ECS cluster in your AWS environment:

  1. Identify the potentially compromised ECS cluster.

    The GuardDuty Malware Protection for EC2 finding for ECS provides the ECS cluster details in the finding's details panel.

  2. Evaluate the source of the malware.

    Determine whether the detected malware was in the container's image. If it was, identify all other tasks that are running this image, because they are potentially impacted as well. For information about listing running tasks, see ListTasks.

  3. Isolate the potentially impacted tasks.

    Isolate the impacted tasks by denying all ingress and egress traffic to each task. A deny-all traffic rule can help you stop an attack that is already underway by severing all connections to the task.
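The following is an added example, not AWS's own code, that works through steps 2 and 3 on a constructed set of task descriptions: it finds every task whose containers run the flagged image and plans swapping each task's network interfaces onto a quarantine security group that has no ingress or egress rules. It assumes the `describe_tasks` response shape of the ECS API (`containers[].image`, `attachments[].details[].networkInterfaceId`), that the task image ARN was taken from the finding's details panel, and a placeholder quarantine group id that you create beforehand in the task's VPC.

```python
"""Plan network isolation for ECS tasks running a flagged container image."""

# Hypothetical placeholder: a security group you pre-create with NO inbound
# and NO outbound rules (remove the default allow-all egress rule).
QUARANTINE_SG = "sg-QUARANTINE-PLACEHOLDER"

# Constructed sample: image taken from the finding, plus three describe_tasks entries.
FLAGGED_IMAGE = "111122223333.dkr.ecr.us-east-1.amazonaws.com/app:1.4"
SAMPLE_TASKS = [
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/aaa",
     "containers": [{"name": "web", "image": FLAGGED_IMAGE}],
     "attachments": [{"type": "ElasticNetworkInterface", "details": [
         {"name": "subnetId", "value": "subnet-0a"},
         {"name": "networkInterfaceId", "value": "eni-aaa"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/bbb",
     "containers": [{"name": "api", "image": "111122223333.dkr.ecr.us-east-1.amazonaws.com/api:2.0"}],
     "attachments": [{"type": "ElasticNetworkInterface", "details": [
         {"name": "networkInterfaceId", "value": "eni-bbb"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/prod/ccc",
     "containers": [{"name": "sidecar", "image": "public.ecr.aws/x/envoy:1"},
                    {"name": "web", "image": FLAGGED_IMAGE}],
     "attachments": [{"type": "ElasticNetworkInterface", "details": [
         {"name": "networkInterfaceId", "value": "eni-ccc"}]}]},
]

def tasks_running_image(tasks, flagged_image):
    """Step 2: ARNs of tasks with at least one container using the flagged image."""
    return [t["taskArn"] for t in tasks
            if any(c.get("image") == flagged_image for c in t.get("containers", []))]

def eni_ids(task):
    """ENIs of an awsvpc task, read from its ElasticNetworkInterface attachments."""
    return [d["value"]
            for att in task.get("attachments", []) if att.get("type") == "ElasticNetworkInterface"
            for d in att.get("details", []) if d.get("name") == "networkInterfaceId"]

def isolation_plan(tasks, flagged_image, quarantine_sg=QUARANTINE_SG):
    """Step 3: (task_arn, eni_id, new_groups) for every impacted task's ENI.
    Replacing the groups with the quarantine group denies all ingress and egress
    while leaving the task running for forensic collection."""
    impacted = set(tasks_running_image(tasks, flagged_image))
    return [(t["taskArn"], eni, [quarantine_sg])
            for t in tasks if t["taskArn"] in impacted for eni in eni_ids(t)]

def apply_plan(plan):
    """Apply a plan with the EC2 API (needs credentials; not called here)."""
    import boto3
    ec2 = boto3.client("ec2")
    for _task_arn, eni, groups in plan:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=groups)
```

The quarantine group must live in the same VPC as the task's ENI, and a task backed by a load balancer will start failing its health checks once isolated, so collect what you need from it before its service replaces it.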

If the access was authorized, you can ignore the finding. The GuardDuty console (https://console.aws.amazon.com/guardduty/) allows you to set up rules that entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules in GuardDuty.