Incident response: compromised Amazon EC2 instance in an Auto Scaling group, how to contain and resolve it

STEP 1: Detach the instance from its Auto Scaling group and tag it.

To detach an instance from an existing Auto Scaling group

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/, and choose Auto Scaling Groups from the navigation pane.

  2. Select the check box next to your Auto Scaling group.

A split pane opens at the bottom of the page.

  3. On the Instance management tab, under Instances, select the instance and choose Actions, Detach.

  4. When prompted for confirmation, type detach to confirm removing the specified instance from the Auto Scaling group, and then choose Detach instance.

How to add a tag

  1. Select the instance.

  2. Choose Actions.

  3. Choose Instance settings.

  4. Choose Manage tags.

  5. Choose Add new tag.

  6. Choose Save.

STEP 2: Create a new security group that disallows both inbound and outbound traffic.

To create a security group using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security groups.

  3. Choose Create security group.

  4. Enter a name and description for the security group. You cannot change the name and description of a security group after it is created.

  5. From VPC, choose the VPC.

  6. Do not add any inbound or outbound rule; delete any rule that was created automatically.

  7. You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.

  8. Choose Create security group.

STEP 3: Remove the instance's current security group and replace it with the group that blocks inbound and outbound traffic.

How to remove

  1. Select the instance.

  2. Choose Actions.

  3. Choose Security.

  4. Choose Change security groups.

  5. Select the old security group and choose Remove.

  6. Search for the new security group you created and select it.

  7. Choose Add security group.

  8. Choose Save.

STEP 4: Remove the IAM role from the instance (ensure no role is associated)

To detach an IAM role from an instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select the instance, choose Actions, Security, Modify IAM role.

  4. For IAM role, choose No IAM Role. Choose Save.

  5. In the confirmation dialog box, enter Detach, and then choose Detach.

STEP 5: Snapshot the instance's root volume for later analysis

To create a snapshot

  1. Select the instance.

  2. Choose the Storage tab.

  3. Choose the volume associated with the instance.

  4. Choose Actions.

  5. Choose Create snapshot.

STEP 6: Create an AMI of the instance for later analysis.
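The six console steps above, issued from the AWS CLI instead, as an added example that is not part of the original runbook. Every instance, group, VPC and incident ID, the tag keys (IncidentId, Status) and the resource names are constructed placeholders; with DRY_RUN=1 (the default) the script only prints the calls it would make, so it can be read and checked before it is run with real credentials.

```shell
#!/bin/sh
# Added example, not part of the original runbook: CLI containment of a
# compromised EC2 instance in an Auto Scaling group. All IDs, names and tag
# keys are constructed placeholders. DRY_RUN=1 (default) prints each call.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Run an AWS CLI call, or print it when DRY_RUN=1.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aws'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    aws "$@"
  fi
}

# Same, for calls whose single-value output the script needs. In dry-run mode
# the call is printed to stderr and the placeholder in $1 is returned instead.
query_aws() {
  placeholder="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    run_aws "$@" >&2
    echo "$placeholder"
  else
    aws "$@"
  fi
}

contain_instance() {  # $1=instance-id $2=asg-name $3=vpc-id $4=incident-id
  id="$1"; asg="$2"; vpc="$3"; incident="$4"

  # Step 1: take the instance out of the group and tag it. Not decrementing
  # desired capacity lets the group launch a replacement; use
  # --should-decrement-desired-capacity if the launch template itself is suspect.
  run_aws autoscaling detach-instances --instance-ids "$id" \
    --auto-scaling-group-name "$asg" --no-should-decrement-desired-capacity
  run_aws ec2 create-tags --resources "$id" \
    --tags "Key=IncidentId,Value=$incident" "Key=Status,Value=Quarantined"

  # Step 2: a security group with no rules. Creating a VPC security group adds
  # an allow-all IPv4 egress rule automatically, so that rule is revoked here.
  sg=$(query_aws "sg-PLACEHOLDER" ec2 create-security-group \
    --group-name "isolation-$incident" \
    --description "Incident $incident: no inbound, no outbound" \
    --vpc-id "$vpc" --query GroupId --output text)
  run_aws ec2 revoke-security-group-egress --group-id "$sg" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

  # Step 3: --groups replaces the instance's whole security group list, so the
  # old groups are removed and only the isolation group remains.
  run_aws ec2 modify-instance-attribute --instance-id "$id" --groups "$sg"

  # Step 4: drop the instance profile. Credentials the role has already issued
  # stay valid until they expire, so also revoke the role's active sessions in IAM.
  assoc=$(query_aws "iip-assoc-PLACEHOLDER" ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=$id" "Name=state,Values=associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
  if [ "$assoc" != "None" ]; then
    run_aws ec2 disassociate-iam-instance-profile --association-id "$assoc"
  fi

  # Step 5: snapshot every attached volume, which includes the root volume.
  run_aws ec2 create-snapshots --instance-specification "InstanceId=$id" \
    --description "Incident $incident: volumes of $id" \
    --tag-specifications "ResourceType=snapshot,Tags=[{Key=IncidentId,Value=$incident}]"

  # Step 6: AMI for later analysis; --no-reboot keeps the running state intact.
  run_aws ec2 create-image --instance-id "$id" \
    --name "forensic-$incident-$id" --no-reboot
}

# Usage: DRY_RUN=0 sh contain.sh <instance-id> <asg-name> <vpc-id> <incident-id>
# Without arguments the constructed sample IDs below are used in dry-run mode.
if [ $# -eq 4 ]; then
  contain_instance "$@"
else
  DRY_RUN=1
  contain_instance i-0123456789abcdef0 web-asg vpc-0abc12345 INC-0001
fi
```

Run it once in dry-run mode and read the printed calls against the runbook before setting DRY_RUN=0. The order matches the console steps: isolation first (ASG, network, IAM), evidence capture second (snapshots, AMI). Disassociating the instance profile removes the instance's ability to fetch new credentials, but any temporary credentials already obtained from the instance metadata service remain valid until they expire, which is why the role's active sessions should be revoked in IAM as a separate step.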

Compiled by

Azeez halimat