What immediate action should the security engineer take?

By:
On:
In: SCS-C01
Tagged:
With: 0 Comments
A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group.The security engineer is concerned that this EC2 instance may be compromised.

What immediate action should the security engineer take?

Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.

Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.

Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.

Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × 1 =