Remediating a potentially compromised standalone container
When GuardDuty generates finding types that indicate a potentially compromised container, your Resource type will be Container. If the behavior that caused the finding was expected in your environment, consider using Suppression rules.
To remediate a potentially compromised container in your AWS environment, perform the following steps:
- Isolate the potentially compromised container
  The following steps will help you identify the potentially malicious container workload:
  - Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
  - On the Findings page, choose the corresponding finding to view the findings panel.
  - In the findings panel, under the Resource affected section, you can view the container's ID and Name.
  Isolate this container from other container workloads.
- Pause the container
  Suspend all the processes in your container.
  For information about freezing your container, see Pause a container.
- Stop the container
  If the step above fails and the container doesn't pause, stop the container from running. If you've enabled the Snapshots retention feature, GuardDuty will retain the snapshots of your EBS volumes that contain malware.
  For information about stopping the container, see Stop a container.
- Evaluate the presence of malware
  Evaluate whether malware was in the container's image.
If the access was authorized, you can ignore the finding.
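The steps above as a responder runbook for a standalone Docker container, added here as an example that is not part of the GuardDuty documentation. It assumes the docker CLI is available on the host running the container, that the container ID comes from the finding's Resource affected section, and a writable evidence directory (EVIDENCE_DIR is a name chosen for this example).

```shell
#!/usr/bin/env bash
# Added example: isolate, pause (falling back to stop), then preserve what is
# needed to evaluate the container's image for malware. Assumes the docker CLI.
EVIDENCE_DIR="${EVIDENCE_DIR:-./guardduty-evidence}"

# Isolate the container from other workloads by detaching it from every
# network it is connected to; the process state of the container is untouched.
isolate_container() {
  local id="$1" net
  for net in $(docker inspect -f '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$id"); do
    docker network disconnect -f "$net" "$id" || return 1
  done
}

# Pause first (freezes all processes but keeps memory and filesystem intact).
# If the pause fails, stop the container instead. Prints the resulting state.
contain_container() {
  local id="$1"
  if docker pause "$id" >/dev/null 2>&1; then
    echo paused
  elif docker stop "$id" >/dev/null 2>&1; then
    echo stopped
  else
    return 1
  fi
}

# Preserve container metadata, the runtime filesystem changes, and the image
# itself so the image can be scanned for malware offline.
collect_evidence() {
  local id="$1" dir="$2" image
  mkdir -p "$dir" || return 1
  docker inspect "$id" > "$dir/inspect.json" || return 1
  docker diff "$id" > "$dir/fs-diff.txt" || return 1
  image=$(docker inspect -f '{{.Image}}' "$id") || return 1
  docker save "$image" -o "$dir/image.tar"
}

# Run the whole procedure for one container ID; prints "paused" or "stopped".
respond() {
  local id="$1" state
  isolate_container "$id" || return 1
  state=$(contain_container "$id") || return 1
  collect_evidence "$id" "$EVIDENCE_DIR/$id" || return 1
  echo "$state"
}

if [ $# -gt 0 ]; then
  respond "$1"
fi
```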