Remediating a potentially compromised Amazon EC2 instance - Amazon GuardDuty

Remediating a potentially compromised Amazon EC2 instance

Follow these recommended steps to remediate a potentially compromised EC2 instance in your Amazon environment:

  1. Identify the potentially compromised Amazon EC2 instance

    Investigate the potentially compromised instance for malware and remove any discovered malware. You may use On-demand malware scan to identify malware in the potentially compromised EC2 instance, or check Amazon Web Services Marketplace to see if there are helpful partner products to identify and remove malware.

  2. Isolate the potentially compromised Amazon EC2 instance

    If possible, use the following steps to isolate the potentially compromised instance:

    1. Create a dedicated Isolation security group.

    2. Create a single rule of 0.0.0.0/0 (0-65535) for all traffic in the outbound rules.

      While this rule is in place, all existing (and new) outbound traffic is converted to untracked, which is what allows the established outbound sessions to be blocked once the rule is removed in the last step below. For more information, see Untracked connections.

    3. Remove all the current security group associations from the potentially compromised instance.

    4. Associate the Isolation security group with this instance.

      After associating the group, delete the 0.0.0.0/0 (0-65535) all-traffic rule from the outbound rules of the Isolation security group. With no outbound rules and no inbound rules, the instance can no longer send or accept any traffic.

  3. Identify the source of the suspicious activity

    If malware is detected, then based on the finding type in your account, identify and stop the potentially unauthorized activity on your EC2 instance. This may require actions such as closing any open ports, changing access policies, and upgrading applications to correct vulnerabilities.

    If you are unable to identify and stop unauthorized activity on your potentially compromised EC2 instance, we recommend that you terminate the compromised EC2 instance and replace it with a new instance as needed. The following are additional resources for securing your EC2 instances:

  4. Browse Amazon Web Services re:Post

    Browse Amazon Web Services re:Post at https://forums.aws.amazon.com/index.jspa for further assistance.

  5. Submit a technical support request

    If you are a premium support package subscriber, you can submit a technical support request.
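The isolation procedure in step 2, expressed as boto3-style EC2 API calls, as an added example that is not code from the GuardDuty documentation. It assumes the method names of `boto3.client("ec2")`; the `FakeEC2` class is a constructed in-memory stand-in so the sequence can be run offline, and every VPC, instance and group id is a placeholder.

```python
# One rule: protocol -1 (all protocols, so every port 0-65535), all IPv4 destinations.
ALL_TRAFFIC = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]


def isolate_instance(ec2, vpc_id, instance_id):
    """Apply the isolation steps to instance_id and return the isolation group id.
    ec2 is anything exposing boto3 EC2 client method names: boto3.client("ec2") in a
    real account, or the constructed FakeEC2 stand-in below for an offline run."""
    # Step 1: dedicated isolation group; a newly created group has no inbound rules.
    sg_id = ec2.create_security_group(
        GroupName=f"isolation-{instance_id}", Description="isolation", VpcId=vpc_id
    )["GroupId"]
    # Step 2: exactly one outbound rule, 0.0.0.0/0 for all traffic. A new group
    # already carries this default egress rule, so only add it when it is missing.
    def egress_rules():
        resp = ec2.describe_security_groups(GroupIds=[sg_id])
        return resp["SecurityGroups"][0]["IpPermissionsEgress"]
    if not egress_rules():
        ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=ALL_TRAFFIC)
    # Steps 3 and 4 in one call: Groups replaces the instance's entire security
    # group list, dropping every existing association and attaching only sg_id.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    # With outbound traffic now untracked, delete every outbound rule so that
    # established sessions are blocked as well as new ones.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress_rules())
    return sg_id


class FakeEC2:
    """Constructed in-memory stand-in that records calls; not a real AWS client."""
    def __init__(self, default_egress=True):
        self.calls = []
        self.egress = list(ALL_TRAFFIC) if default_egress else []
    def create_security_group(self, **kw):
        self.calls.append("create_security_group")
        return {"GroupId": "sg-isolation-placeholder"}
    def describe_security_groups(self, **kw):
        return {"SecurityGroups": [{"IpPermissionsEgress": list(self.egress)}]}
    def authorize_security_group_egress(self, **kw):
        self.calls.append("authorize_security_group_egress")
        self.egress.extend(kw["IpPermissions"])
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", tuple(kw["Groups"])))
    def revoke_security_group_egress(self, **kw):
        self.calls.append("revoke_security_group_egress")
        self.egress = [r for r in self.egress if r not in kw["IpPermissions"]]


def demo(default_egress=True):
    # Isolate a placeholder instance against FakeEC2; return (group id, call log, egress).
    ec2 = FakeEC2(default_egress)
    return isolate_instance(ec2, "vpc-placeholder", "i-placeholder"), ec2.calls, ec2.egress
```

Pass `default_egress=False` to `demo` to see the path where the all-traffic rule has to be authorized explicitly before the instance is re-associated.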