What is the first step the security engineer should take?
Open the EC2 console and remove any security groups that allow inbound traffic from 0.0.0.0/0.
Install the AWS Systems Manager Agent on the EC2 instance and run an inventory report.
Install the Amazon Inspector agent on the host and run an assessment with the CVE rules package.
Open the IAM console and revoke all IAM sessions that are associated with the instance profile.
Explanations:
Removing security groups that allow inbound traffic from 0.0.0.0/0 is a reactive measure that addresses external access but does not directly revoke the credentials that the malicious actor is using. This option does not mitigate the immediate threat posed by the compromised access keys.
Installing the AWS Systems Manager Agent and running an inventory report is a maintenance task that does not address the unauthorized access issue. It does not prevent the malicious actor from continuing to use the compromised credentials and is not an immediate response to the finding.
Installing the Amazon Inspector agent and running an assessment does not address the immediate threat of unauthorized access. While it’s important for security assessments, this action does not directly mitigate the risk from the compromised credentials used by the malicious actor.
Revoking all IAM sessions associated with the instance profile immediately cuts off access for the malicious actor who is using the compromised API access keys. This is the most direct and effective response to the unauthorized access alert provided by GuardDuty.