Remediating a potentially compromised standalone container - Amazon GuardDuty

When GuardDuty generates a finding type that indicates a potentially compromised container, the Resource type of the finding is Container. If the behavior that caused the finding is expected in your environment, consider using Suppression rules.

To remediate a potentially compromised container in your AWS environment, perform the following steps:

  1. Isolate the potentially compromised container

    The following step helps you contain the potentially malicious container workload:

    Isolate this container from your other container workloads so that it can no longer communicate with them.

  2. Pause the container

    Suspend all the processes in your container.

    For information about freezing your container, see Pause a container.

    Stop the container

    If the step above fails and the container doesn't pause, stop the container from running. If you've enabled the Snapshots retention feature, GuardDuty retains the snapshots of your EBS volumes that contain malware.

    For information about stopping the container, see Stop a container.

  3. Evaluate the presence of malware

    Evaluate if malware was in the container's image.
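The containment sequence above (isolate the container from its networks, pause it, fall back to stopping it, and record the image so it can be evaluated for malware) as one script. This is an added example, not code from the GuardDuty documentation; it assumes a standalone Docker container with the docker CLI on PATH and takes the container name or ID as its only argument.

```shell
#!/bin/sh
# Containment steps for a single standalone Docker container, in the order the
# remediation procedure gives them: isolate, pause (stop as fallback), then
# record the image for the malware evaluation step.
# Assumes the docker CLI is available; only standard docker subcommands are used.
set -eu

# Step 1: detach the container from every Docker network it is attached to, so
# it can no longer reach other workloads while evidence is collected.
isolate_container() {
  c="$1"
  for net in $(docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$c"); do
    docker network disconnect "$net" "$c"
  done
}

# Step 2: freeze every process in the container, which preserves its memory
# state for forensics. If the pause fails, stop the container instead.
# Prints the resulting container state ("paused" or "exited").
contain_container() {
  c="$1"
  if ! docker pause "$c" >/dev/null; then
    docker stop "$c" >/dev/null
  fi
  docker inspect -f '{{.State.Status}}' "$c"
}

# Step 3 input: the image reference and image ID the container was started
# from, so the image itself (not only the running container) can be scanned.
image_of_container() {
  docker inspect -f '{{.Config.Image}} {{.Image}}' "$1"
}

main() {
  c="$1"
  isolate_container "$c"
  state=$(contain_container "$c")
  echo "container $c is now $state"
  echo "image to evaluate for malware: $(image_of_container "$c")"
}

if [ $# -ge 1 ]; then
  main "$1"
fi
```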

If the access was authorized, you can ignore the finding. The GuardDuty console (https://console.aws.amazon.com/guardduty/) allows you to set up rules to entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules in GuardDuty.