Remediating a potentially compromised ECS cluster - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Remediating a potentially compromised ECS cluster

Follow these recommended steps to remediate a potentially compromised Amazon ECS cluster in your Amazon environment:

  1. Identify the potentially compromised ECS cluster.

    The GuardDuty Malware Protection finding for ECS provides the ECS cluster details in the finding's details panel.

  2. Evaluate the source of the malware.

    Determine whether the detected malware was present in the container's image. If it was, identify every other task that is running from the same image, since those tasks are affected as well. For information about listing running tasks, see ListTasks.

  3. Isolate the potentially impacted tasks.

    Isolate the impacted tasks by denying all ingress and egress traffic to each task. A deny-all traffic rule can help you stop an attack that is already underway by severing every connection to the task.
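The following added example (not AWS documentation code, and not part of this page) carries steps 2 and 3 through in Python against the JSON shapes returned by the ECS DescribeTasks API. It matches tasks on the flagged image digest rather than the tag, because a tag such as `:latest` is mutable and may point at different images on different tasks, and it separates awsvpc tasks (isolated by swapping the task ENI's security groups) from bridge or host mode tasks, which have no task ENI and must be isolated at the container instance instead. The task list, digests, ARNs and the `RecordingEc2` stand-in for a boto3 EC2 client are all constructed placeholders; the one real API call is `modify_network_interface_attribute`, which is assumed to be invoked on a genuine boto3 client in production.

```python
"""Triage helpers for a GuardDuty Malware Protection finding on ECS.

Added example, not AWS documentation code. Functions take the dictionaries
returned by ecs:DescribeTasks and apply a quarantine security group through
ec2:ModifyNetworkInterfaceAttribute. All data below is constructed.
"""


def tasks_using_image(tasks, flagged_digest):
    """Return ARNs of tasks running any container with the flagged digest.

    Matching on 'imageDigest' (not 'image') avoids false matches and misses
    caused by mutable tags.
    """
    hits = []
    for task in tasks:
        for container in task.get("containers", []):
            if container.get("imageDigest") == flagged_digest:
                hits.append(task["taskArn"])
                break
    return hits


def task_enis(task):
    """ENI ids of an awsvpc task, read from its 'attachments' list.

    Bridge/host mode tasks carry no ElasticNetworkInterface attachment and
    come back empty; plan_isolation() reports those separately.
    """
    enis = []
    for att in task.get("attachments", []):
        if att.get("type") != "ElasticNetworkInterface":
            continue
        for kv in att.get("details", []):
            if kv.get("name") == "networkInterfaceId":
                enis.append(kv["value"])
    return enis


def plan_isolation(tasks, flagged_digest):
    """Split impacted tasks into ENIs to quarantine and tasks needing
    instance-level isolation."""
    hits = set(tasks_using_image(tasks, flagged_digest))
    enis, no_eni = [], []
    for task in tasks:
        if task["taskArn"] not in hits:
            continue
        found = task_enis(task)
        if found:
            enis.extend(found)
        else:
            no_eni.append(task["taskArn"])
    return {"enis": enis, "needs_instance_isolation": no_eni}


def apply_quarantine(ec2, eni_ids, quarantine_sg):
    """Replace each ENI's security groups with the deny-all quarantine group.

    'ec2' is a boto3 EC2 client or a stand-in. The quarantine group must have
    no inbound rules and its default allow-all egress rule revoked, so the
    task keeps running for forensics but can no longer talk to anything.
    Returns the number of ENIs updated.
    """
    for eni in eni_ids:
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni, Groups=[quarantine_sg]
        )
    return len(eni_ids)


class RecordingEc2:
    """Constructed stand-in for a boto3 EC2 client; records calls only."""

    def __init__(self):
        self.calls = []

    def modify_network_interface_attribute(self, **kwargs):
        self.calls.append(kwargs)


# Constructed sample data: placeholder digests, ARNs, ENI and SG ids.
FLAGGED_DIGEST = "sha256:" + "a" * 64
CLEAN_DIGEST = "sha256:" + "b" * 64
ARN = "arn:aws:ecs:us-east-1:111122223333:task/demo-cluster/"
SAMPLE_TASKS = [
    {"taskArn": ARN + "task-1",
     "containers": [{"name": "web", "image": "repo/web:latest",
                     "imageDigest": FLAGGED_DIGEST}],
     "attachments": [{"type": "ElasticNetworkInterface",
                      "details": [{"name": "networkInterfaceId",
                                   "value": "eni-0000000000aaaaaaa"}]}]},
    {"taskArn": ARN + "task-2",  # same tag, different (clean) digest
     "containers": [{"name": "web", "image": "repo/web:latest",
                     "imageDigest": CLEAN_DIGEST}],
     "attachments": [{"type": "ElasticNetworkInterface",
                      "details": [{"name": "networkInterfaceId",
                                   "value": "eni-0000000000bbbbbbb"}]}]},
    {"taskArn": ARN + "task-3",  # bridge mode: no task ENI
     "containers": [{"name": "worker", "image": "repo/web:latest",
                     "imageDigest": FLAGGED_DIGEST}],
     "attachments": []},
]

if __name__ == "__main__":
    plan = plan_isolation(SAMPLE_TASKS, FLAGGED_DIGEST)
    print(plan)
    print(apply_quarantine(RecordingEc2(), plan["enis"], "sg-quarantine-placeholder"))
```

The quarantine security group is created once per VPC ahead of time; with the AWS CLI that is `aws ec2 create-security-group` followed by `aws ec2 revoke-security-group-egress` on the default allow-all egress rule, leaving a group with no rules at all. Run against real accounts, `SAMPLE_TASKS` would come from `ecs.describe_tasks()` over the ARNs returned by `ecs.list_tasks()`, and `RecordingEc2()` would be replaced by `boto3.client("ec2")`.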

If the access was authorized, you can ignore the finding. The GuardDuty console (https://console.amazonaws.cn/guardduty/) allows you to set up rules to entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules.