You have recently been hired as a cloud engineer for a gambling company.
The company relies heavily on Amazon EC2 instances that run in Auto Scaling groups behind Elastic Load Balancing.
The company's cloud resources have been targeted by malicious actors in the past, and some resources were compromised.
As a part of your initial training, you have received instructions on what to do if a compromise is detected.
Below is the company's run book for dealing with a suspected compromised Amazon EC2 instance:
Tag any resources you create with the key IncidentStatus and the value Isolated.
- Detach the instance from its auto scaling group and tag it
- Create a new security group that disallows both inbound and outbound traffic (if one doesn't already exist)
- Remove the instance's current security group and replace it with the group that blocks inbound and outbound traffic
- Remove the IAM role from the instance (ensure no role is associated)
- Snapshot the instance's root volume for later analysis
- Create an AMI of the instance for later analysis
Reference documentation for each step:
- Detach an EC2 instance from an Auto Scaling group - https://docs.aws.amazon.com/autoscaling/ec2/userguide/detach-instance-asg.html
- Create a new security group that disallows both inbound and outbound traffic (if one doesn't already exist) - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
- Attach a security group to an instance - https://stackoverflow.com/questions/52641395/can-we-remove-a-security-group-from-an-running-ec2-instance
- Remove the IAM role from the instance (ensure no role is associated) - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
- Snapshot the instance's root volume for later analysis - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html
- Create an AMI from an Amazon EC2 instance - https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/tkv-create-ami-from-instance.html
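The run book above as one boto3 script, added here as an example rather than the company's own tooling: every step is a single API call in order, the isolation group has its default allow-all egress rule revoked so it really blocks outbound traffic, and all created resources get the IncidentStatus=Isolated tag. The function names, the `incident-isolation` group name and the choice to let the group launch a replacement are assumptions; the clients are passed in so the logic can be exercised against fakes.

```python
"""Isolate a suspected compromised EC2 instance (hypothetical script, not the company's own)."""
TAGS = [{"Key": "IncidentStatus", "Value": "Isolated"}]  # tag required by the run book


def isolation_sg(ec2, vpc_id, name="incident-isolation"):
    """Return the id of a security group with no inbound or outbound rules, creating it if needed."""
    found = ec2.describe_security_groups(
        Filters=[{"Name": "group-name", "Values": [name]}, {"Name": "vpc-id", "Values": [vpc_id]}]
    )["SecurityGroups"]
    if found:
        return found[0]["GroupId"]
    sg_id = ec2.create_security_group(
        GroupName=name, Description="Incident isolation: blocks all traffic", VpcId=vpc_id
    )["GroupId"]
    # A new group has no inbound rules but an allow-all egress rule; revoke it to block outbound too.
    ec2.revoke_security_group_egress(
        GroupId=sg_id, IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    )
    ec2.create_tags(Resources=[sg_id], Tags=TAGS)
    return sg_id


def isolate_instance(ec2, autoscaling, instance_id):
    """Run the run book steps against one instance and return the evidence artefacts created."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    asg = tags.get("aws:autoscaling:groupName")  # AWS sets this tag on ASG-launched instances
    if asg:  # detach; not decrementing capacity lets the group launch a clean replacement
        autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg,
                                     ShouldDecrementDesiredCapacity=False)
    ec2.create_tags(Resources=[instance_id], Tags=TAGS)
    sg_id = isolation_sg(ec2, inst["VpcId"])
    # Groups= replaces the whole set of security groups on the instance, not just adds one.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    for assoc in ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}]
    )["IamInstanceProfileAssociations"]:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])  # no role left
    root = next(m["Ebs"]["VolumeId"] for m in inst["BlockDeviceMappings"]
                if m["DeviceName"] == inst["RootDeviceName"])
    snap = ec2.create_snapshot(VolumeId=root, Description=f"{instance_id} root volume (incident)",
                               TagSpecifications=[{"ResourceType": "snapshot", "Tags": TAGS}])["SnapshotId"]
    # NoReboot=True avoids restarting the instance (and losing volatile state) while imaging it.
    ami = ec2.create_image(InstanceId=instance_id, Name=f"incident-{instance_id}", NoReboot=True,
                           TagSpecifications=[{"ResourceType": "image", "Tags": TAGS}])["ImageId"]
    return {"security_group": sg_id, "snapshot": snap, "image": ami, "asg": asg}


if __name__ == "__main__":
    import sys, boto3  # real clients only when run from the command line: python isolate.py i-0123
    print(isolate_instance(boto3.client("ec2"), boto3.client("autoscaling"), sys.argv[1]))
```

Run it with credentials that may only touch EC2 and Auto Scaling, and keep the returned snapshot and AMI ids in the incident record.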