In your AWS account, an EC2 instance is deployed for a new web application.
You have enabled Amazon GuardDuty, which is a continuous security monitoring service.
GuardDuty has generated a new finding saying that the EC2 instance is potentially compromised.
You SSH to the instance but do not find any malware or unauthorized activity.
Which actions would you take to remediate the instance?
A. No action is required.
B. Add the instance IP address to the trusted IP list in GuardDuty.
C. Isolate the instance by modifying its security groups and network ACLs, capture a memory dump, take EBS snapshots, and replace the instance with a new one.
D. Add a suppression rule that filters on the instance ID so that GuardDuty no longer reports findings for the instance.
Correct Answer - C.
Even if you cannot identify or stop the unauthorized activity on the potentially compromised EC2 instance, you should still isolate it, preserve evidence, and then terminate and replace it, and review the security controls that allowed the compromise.
The reference can be found in https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2.
Option A is incorrect: the instance may still be compromised. Not finding malware by hand over SSH does not prove the instance is clean, and leaving it running can lead to serious security issues.
Option B is incorrect: adding the instance IP to the trusted IP list only stops GuardDuty from generating findings that involve that IP address; the instance itself is unchanged.
This is not appropriate as you are unsure whether or not the instance is secure.
Option C is CORRECT: you should isolate the instance, capture its memory and disk (memory first, because it is lost as soon as the instance is stopped or terminated), perform further investigation, and only then replace the instance.
Option D is incorrect: it is similar to option B.
Suppressing findings for the instance is dangerous as it may hide a real security issue.
In this scenario, GuardDuty has reported a potential compromise of the EC2 instance, but upon investigation no evidence of malware or unauthorized activity was found. A manual look around a live system is not a reliable way to rule out a compromise, so it is still important to take actions to remediate the issue and ensure the security of the environment.
Option A, which suggests that no actions are required, is incorrect. GuardDuty is a continuous security monitoring service that provides real-time threat detection and analysis, so any findings should be taken seriously and investigated thoroughly.
Option B, which suggests adding the instance IP to the trusted IP list in GuardDuty, is also incorrect. A trusted IP list only stops GuardDuty from generating findings that involve that IP address; it does nothing about the potential compromise of the instance, and it would also hide any future findings from the same address.
Option D, which suggests adding a suppression rule that filters on the instance ID so that GuardDuty does not report findings for the instance, is also incorrect. Suppression rules automatically archive matching findings, which is appropriate for known benign noise such as a vulnerability scanner you run yourself, but they should never be used to silence a potential compromise.
The correct answer is option C, which suggests isolating the instance by modifying its security groups and network ACLs, capturing a memory dump, taking EBS snapshots, and replacing the instance with a new one. Isolating the instance prevents further compromise of the environment: attach a quarantine security group with no inbound or outbound rules, and remember that network ACL rules match the remote CIDR of traffic entering or leaving a subnet, so they isolate a subnet rather than a single instance. If the instance belongs to an Auto Scaling group, detach it first so the group does not terminate and replace it before evidence is collected, and enable termination protection. Capture memory from the still-running instance before anything else, because RAM does not survive a stop or terminate and an EBS snapshot preserves disk only. Taking snapshots of the attached volumes preserves the disk as evidence for offline forensic analysis; it is not a restore point, since a compromised image should never be put back into service. Detaching the instance profile stops the attacker from obtaining fresh credentials from the instance metadata service, although credentials already stolen remain valid until they expire. Replacing the instance with a new one built from a known-good image ensures that any vulnerabilities or persistence in the original instance are removed. It is also recommended to conduct a root cause analysis to identify how the compromise happened and take actions to prevent similar incidents in the future.
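As an added example (not code from the original page or from AWS), the isolation and evidence-capture steps of option C expressed against the boto3 EC2 client API. The FakeEC2 class, the quarantine-<case> group name, the tag keys and the sample instance and volume IDs are constructed stand-ins so the flow runs offline; in production you would pass boto3.client("ec2") instead. Memory capture is left out on purpose: it has to run on the live instance (for example through SSM Run Command with a memory acquisition tool) before any step that disturbs it.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List


def quarantine_instance(ec2: Any, instance_id: str, case_id: str) -> Dict[str, Any]:
    """Isolate an instance and preserve its disks, using boto3 EC2 client calls.
    `ec2` is any object exposing the boto3 EC2 client methods used below."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    vpc_id = inst["VpcId"]

    # 1. Termination protection first, so nothing (including an Auto Scaling
    #    group or a hasty operator) destroys the evidence before it is captured.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})

    # 2. A new security group has no inbound rules but does get a default
    #    allow-all IPv4 egress rule; revoke it so the group permits nothing.
    #    (In an IPv6-enabled VPC, revoke the ::/0 egress rule the same way.)
    sg = ec2.create_security_group(GroupName=f"quarantine-{case_id}",
                                   Description=f"Forensic quarantine for {instance_id}",
                                   VpcId=vpc_id)["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])

    # 3. Replace every security group on the instance with the empty one.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg])

    # 4. Detach the instance profile: no more fresh credentials from the
    #    metadata service. Already-stolen credentials stay valid until expiry;
    #    revoke those with an aws:TokenIssueTime condition on the role policy.
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}]
    )["IamInstanceProfileAssociations"]
    for assoc in assocs:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])

    # 5. Snapshot every attached EBS volume as evidence (not as a restore point).
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        snap = ec2.create_snapshot(
            VolumeId=bdm["Ebs"]["VolumeId"],
            Description=f"{case_id} evidence {instance_id} {bdm['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "CaseId", "Value": case_id}]}])
        snapshots.append(snap["SnapshotId"])

    # 6. Tag the instance so nobody reuses it and the case stays traceable.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Status", "Value": "Quarantined"}, {"Key": "CaseId", "Value": case_id}])

    return {"quarantine_sg": sg, "snapshots": snapshots,
            "detached_profiles": [a["AssociationId"] for a in assocs]}


@dataclass
class FakeEC2:
    """Constructed stand-in for boto3.client('ec2'): records each call and
    returns canned responses in the same shapes boto3 would."""
    calls: List[tuple] = field(default_factory=list)
    groups: Dict[str, List[str]] = field(default_factory=dict)  # instance -> SGs

    def _rec(self, name: str, **kw: Any) -> None:
        self.calls.append((name, kw))

    def describe_instances(self, **kw: Any) -> Dict[str, Any]:
        self._rec("describe_instances", **kw)
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "VpcId": "vpc-0abc",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}

    def modify_instance_attribute(self, **kw: Any) -> Dict[str, Any]:
        self._rec("modify_instance_attribute", **kw)
        if "Groups" in kw:
            self.groups[kw["InstanceId"]] = kw["Groups"]
        return {}

    def create_security_group(self, **kw: Any) -> Dict[str, Any]:
        self._rec("create_security_group", **kw)
        return {"GroupId": "sg-0quarantine"}

    def revoke_security_group_egress(self, **kw: Any) -> Dict[str, Any]:
        self._rec("revoke_security_group_egress", **kw)
        return {"Return": True}

    def describe_iam_instance_profile_associations(self, **kw: Any) -> Dict[str, Any]:
        self._rec("describe_iam_instance_profile_associations", **kw)
        return {"IamInstanceProfileAssociations": [{"AssociationId": "iip-assoc-01"}]}

    def disassociate_iam_instance_profile(self, **kw: Any) -> Dict[str, Any]:
        self._rec("disassociate_iam_instance_profile", **kw)
        return {}

    def create_snapshot(self, **kw: Any) -> Dict[str, Any]:
        self._rec("create_snapshot", **kw)
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def create_tags(self, **kw: Any) -> Dict[str, Any]:
        self._rec("create_tags", **kw)
        return {}


if __name__ == "__main__":
    print(quarantine_instance(FakeEC2(), "i-0deadbeef", "IR-2024-001"))
```

The order matters: termination protection and the empty security group come before the IAM and snapshot steps so that an Auto Scaling health check or an attacker noticing the isolation cannot remove the instance first. After running it, confirm with VPC Flow Logs that traffic to and from the instance has actually stopped before starting analysis.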