One of your company's EC2 Instances has been compromised.
The company has strict policies and needs a thorough investigation on finding the culprit for the security breach.
What would you do in this case? Choose 3 answers from the options given below.
Answers: A, B, and C.
Option A is CORRECT because capturing a snapshot of the EBS volume can help with further investigation.
If you need to shut down the original instance, you can still launch a new instance from the snapshot and carry out the investigation on that copy.
Option B is CORRECT because the first step would be to isolate the instance so that no further security harm can occur on other AWS resources.
Option C is CORRECT because it assumes the logs have already been retrieved, and we need to make sure they are stored securely so that no unauthorized person can access or manipulate them.
Option D is incorrect because changing IAM credentials would affect all the users on the AWS account, including the ones using different services and environments (DEV/TEST/PROD).
Option E is incorrect because changing access keys would affect all the users on the AWS account, including the ones using different services and environments (DEV/TEST/PROD).
Note:
For more information on adopting a security framework, kindly refer to the below URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf

In the event that an EC2 instance has been compromised, the company should take immediate action to investigate the incident and prevent any further damage. Here are the recommended steps to take in this case:
Isolate the machine from the network: The first step in any security incident is to isolate the compromised machine from the network to prevent any further damage or data exfiltration. This will also ensure that the attacker cannot use the machine as a launchpad for further attacks.
Take a snapshot of the EBS volume: Once the machine is isolated, it is essential to take a snapshot of the EBS volume attached to the instance. The snapshot can be used to create a copy of the compromised data, which can then be analyzed to determine the extent of the damage and identify the cause of the breach.
Ensure that the application logs are stored securely for auditing and troubleshooting purposes: It is crucial to ensure that all application logs related to the compromised machine are stored securely. This information can be used to determine the scope and cause of the breach and help prevent future incidents.
Ensure all passwords of all IAM users are changed: In addition to taking the above steps, it is also important to reset all passwords for all IAM users who have access to the compromised machine. This will ensure that any potential unauthorized access to the machine is prevented.
Ensure that all access keys are rotated: Finally, it is also important to rotate all access keys associated with the compromised machine. This will prevent any further access by the attacker even if they managed to steal the access keys during the attack.
Overall, by taking these steps, the company can ensure that they are responding quickly and effectively to the security incident, limiting the damage caused by the breach, and preventing any future incidents.
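The isolate-then-snapshot sequence above, as an added example that is not part of the original question or explanation. It assumes a pre-created quarantine security group with no inbound or outbound rules, a boto3 EC2 client (or any object exposing the same method names, so it can be exercised offline), and the function name `quarantine_and_snapshot` and case id are constructed for illustration.

```python
"""Added example: quarantine a compromised EC2 instance, then preserve its EBS volumes.
The order matters: isolation happens before evidence capture so the attacker
cannot keep using the host while snapshots are taken."""
from datetime import datetime, timezone


def quarantine_and_snapshot(ec2, instance_id, quarantine_sg_id, case_id):
    """Isolate the instance, protect it from termination, snapshot every attached
    volume. Returns an ordered list of (step, identifier) for the incident record."""
    steps = []
    # 1. Isolate: replace all security groups with the quarantine group (assumed to
    #    exist already and to allow no traffic in either direction).
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    steps.append(("isolate", quarantine_sg_id))
    # Keep the evidence host from being terminated by accident while the case is open.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    steps.append(("termination-protect", instance_id))
    # 2. Snapshot each attached EBS volume, tagged with the case id so the chain of
    #    custody is visible in the console and recorded in CloudTrail.
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for mapping in inst.get("BlockDeviceMappings", []):
        vol_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol_id,
            Description=f"IR {case_id} {instance_id} {mapping['DeviceName']} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "ir-case", "Value": case_id},
                                         {"Key": "source-instance", "Value": instance_id}]}])
        steps.append(("snapshot", snap["SnapshotId"]))
    return steps


if __name__ == "__main__":
    import boto3  # only needed for live use against an AWS account
    # Placeholder ids (constructed); replace with the real instance and quarantine group.
    for step in quarantine_and_snapshot(boto3.client("ec2"), "i-REPLACEME",
                                        "sg-QUARANTINE", "IR-0001"):
        print(step)
```

Analysis then proceeds on a volume created from the snapshot and attached to a separate forensic instance, leaving the quarantined host and the snapshot itself untouched.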