While the code of the containers is being patched, how can Engineers quickly identify all compromised hosts and stop the egress of data on port 5353?
Enable AWS Shield Advanced and AWS WAF. Configure an AWS WAF custom filter for egress traffic on port 5353
Enable Amazon Inspector on Amazon ECS and configure a custom assessment to evaluate containers that have port 5353 open. Update the NACLs to block port 5353 outbound.
Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.
Use Amazon Athena to query AWS CloudTrail logs in Amazon S3 and look for any traffic on port 5353. Update the security groups to block port 5353 outbound.
Explanations:
AWS Shield Advanced and AWS WAF are designed to protect against DDoS and web application attacks, but they do not directly help with identifying or stopping egress traffic on port 5353.
Amazon Inspector is used to assess vulnerabilities in containers, but it does not directly detect or block egress traffic. Updating NACLs to block port 5353 outbound is a good step but doesn’t address the root issue effectively.
Creating a custom metric on VPC Flow Logs will allow detection of egress traffic on port 5353, and updating NACLs will immediately block the outbound traffic on port 5353, stopping the data exfiltration.
CloudTrail logs do not directly track network traffic or port-specific egress. Athena can query CloudTrail logs, but it is not the most efficient method for identifying and blocking egress traffic on port 5353.
From my perspective, the answer is:
Create an Amazon CloudWatch custom metric on the VPC Flow Logs identifying egress traffic on port 5353. Update the NACLs to block port 5353 outbound.