Amazon GuardDuty has reported that an EC2 instance has been compromised.
What of the following actions should you first take to remediate it?
A. Terminate the instance.
B. Delete the IAM Role associated with the EC2 instance.
C. Delete the IAM Key Pair associated with the EC2 instance.
D. Investigate the potentially compromised instance for malware and remove any discovered malware.
Answer: D.
Option A is incorrect because terminating the instance destroys the evidence on it (the instance store, and by default the root EBS volume as well).
You need to investigate the instance first to identify what happened and whether anything else was affected.
Option B is incorrect because deleting the IAM role would impact other healthy EC2 instances using the same IAM Role.
Option C is incorrect because deleting the key pair would affect every user and instance that relies on that same key pair.
Option D is CORRECT.
This is the approach AWS recommends in its GuardDuty remediation guidance: contain the instance, then investigate it and remove what you find.
Products from AWS Marketplace can help identify and remove malware.
Reference:
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2

If Amazon GuardDuty has reported that an EC2 instance has been compromised, the first and immediate action is to isolate the instance from the network to prevent further damage. After isolation, the next step is to investigate the instance for malicious activity or malware. Of the options listed, option D, "Investigate the potentially compromised instance for malware and remove any discovered malware," is the only one that belongs to that process, so it is the correct first action; isolation is the containment step that precedes and enables the investigation, not an alternative to it.
Option A, "Terminate the instance," may seem like a quick and easy solution. However, termination should happen only after a thorough investigation, both to avoid destroying data and evidence and to determine whether any other instances or resources have been compromised.
Option B, "Delete the IAM Role associated with the EC2 instance," and option C, "Delete the IAM Key Pair associated with the EC2 instance" (an EC2 key pair, which is not an IAM object), are both access-control measures. They may become necessary later if the investigation shows those credentials were stolen, but on their own they do not address the root cause, which is the compromise of the instance itself, and both have side effects on other resources sharing the role or key pair.
In summary, when Amazon GuardDuty reports a compromised EC2 instance, the immediate action is to isolate the instance from the network and then investigate it for malware and other malicious activity. Once the investigation is complete, the appropriate follow-up can be taken, which may include terminating the instance, rotating or deleting the IAM Role or key pair, and implementing additional controls to prevent similar incidents in the future.
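The containment and evidence-preservation steps described above, as an added example that is not code from the page or from AWS. It uses the boto3 EC2 client API (describe_instances, create_security_group, revoke_security_group_egress, modify_instance_attribute, create_snapshot, create_tags); the function accepts any object exposing those methods, and the FakeEC2 class is a constructed stand-in with canned responses so the logic runs offline. Instance, group, volume and finding identifiers in the demo are made up.

```python
"""Contain an EC2 instance flagged by GuardDuty before investigating it.

Added example for this page, not the page's or AWS's own code. The order
mirrors the text: isolate from the network, preserve evidence, then hand
the instance to the investigation. Pass boto3.client("ec2") for real use;
FakeEC2 below is a constructed stand-in so the function runs offline.
"""


def isolate_instance(ec2, instance_id, finding_id):
    """Quarantine instance_id and return a summary of what was changed."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    inst = reservations[0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]

    # 1. Build a security group with no rules at all. Every new group gets a
    #    default allow-all egress rule, so read back whatever egress rules
    #    exist and revoke them; otherwise the host can still beacon out.
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{instance_id}",
        Description=f"Isolation for GuardDuty finding {finding_id}",
        VpcId=inst["VpcId"],
    )["GroupId"]
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    if sg["IpPermissionsEgress"]:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=sg["IpPermissionsEgress"])

    # 2. Replace the instance's groups rather than adding to them: the
    #    original groups are what the attacker is currently using.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 3. Preserve evidence before anyone touches the host: block accidental
    #    termination and snapshot every attached EBS volume.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id, Description=f"Forensic copy of {volume_id} ({finding_id})")
        snapshot_ids.append(snap["SnapshotId"])

    # 4. Record the quarantine on the instance so responders can see it and
    #    restore the original groups once the investigation is done.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "SecurityStatus", "Value": "Quarantined"},
        {"Key": "GuardDutyFinding", "Value": finding_id},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)},
    ])
    return {"instance_id": instance_id, "isolation_sg": sg_id,
            "original_sgs": original_sgs, "snapshots": snapshot_ids}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client: canned answers plus a call log."""

    def __init__(self):
        self.calls = []

    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "VpcId": "vpc-0fake",
            "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}],
            "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}}],
        }]}]}

    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-quarantine"}

    def describe_security_groups(self, **kw):
        self.calls.append(("describe_security_groups", kw))
        # Mimic the default egress rule AWS adds to a fresh group.
        return {"SecurityGroups": [{"GroupId": kw["GroupIds"][0], "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}

    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))
        return {"Return": True}

    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
        return {}

    def create_snapshot(self, **kw):
        self.calls.append(("create_snapshot", kw))
        return {"SnapshotId": "snap-" + kw["VolumeId"][4:]}

    def create_tags(self, **kw):
        self.calls.append(("create_tags", kw))
        return {}


if __name__ == "__main__":
    client = FakeEC2()  # replace with boto3.client("ec2") against a real account
    print(isolate_instance(client, "i-0abc", "gd-finding-1"))
```

The snapshot and termination-protection calls come before anything that could alter the host, and the original security groups are written to a tag rather than discarded, so the instance can be returned to service (or terminated, per option A) only after the investigation the question asks for.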