Remediating a potentially compromised standalone container - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Remediating a potentially compromised standalone container

  1. Isolate the potentially compromised container

    The following steps will help you identify the potentially malicious container workload:

    • Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

    • On the Findings page, choose the corresponding finding to view the findings panel.

    • In the findings panel, under the Resource affected section, you can view the container's ID and Name.

    Isolate this container from other container workloads.

  2. Pause the container

    Suspend all the processes in your container.

    For information about freezing your container, see Pause a container.

    Stop the container

    If the step above fails, and the container doesn't pause, stop the container from running. If you've enabled the Snapshots retention feature, GuardDuty will retain the snapshots of your EBS volumes that contain malware.

    For information about stopping the container, see Stop a container.

  3. Evaluate the presence of malware

    Evaluate if malware was in the container's image.
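The three steps above, scripted end to end, as an added example that is not code from the GuardDuty documentation. It reads the container's ID, name and image from the finding's Resource data (the same fields the console shows under Resource affected), disconnects the container from the networks you name, tries `docker pause`, falls back to `docker stop` when pausing fails, and returns a record whose image entry is the starting point for step 3. The finding JSON is a constructed sample with made-up values; the Docker CLI call is injected through a runner so the logic can be exercised without a daemon, and the `networks` argument and the retry order are this example's choices, not something the page prescribes.

```python
"""Scripted triage for a GuardDuty standalone-container finding.

Added example; not code from the GuardDuty documentation. It follows the
page's procedure: read the container ID and name from the finding's
Resource data, cut the container off from other workloads, pause it,
fall back to stopping it, and record the image to evaluate for malware.
"""
import json
import subprocess
from typing import Callable, Dict, Sequence

# Constructed sample shaped like a GuardDuty finding whose affected
# resource is a container (Resource.ContainerDetails). Values are made up.
SAMPLE_FINDING = json.loads("""
{
  "Id": "sample-finding-0001",
  "Severity": 8,
  "Resource": {
    "ResourceType": "Container",
    "ContainerDetails": {
      "ContainerRuntime": "docker",
      "Id": "3f9c2a1b7e6d",
      "Name": "billing-worker",
      "Image": "registry.example.internal/billing-worker:2.4.1"
    },
    "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}
  }
}
""")

# A runner executes one docker subcommand and reports whether it succeeded.
# It is injected so the triage logic can run without a Docker daemon.
Runner = Callable[[Sequence[str]], bool]


def run_docker(args: Sequence[str]) -> bool:
    """Real runner: invoke the docker CLI, True on exit status 0."""
    return subprocess.run(["docker", *args], check=False).returncode == 0


def container_from_finding(finding: Dict) -> Dict[str, str]:
    """Step 1: pull the container's ID, name and image out of the finding."""
    resource = finding.get("Resource", {})
    if resource.get("ResourceType") != "Container":
        raise ValueError("finding is not about a standalone container")
    details = resource.get("ContainerDetails") or {}
    if not details.get("Id"):
        raise ValueError("finding carries no container ID")
    return {
        "id": details["Id"],
        "name": details.get("Name", ""),
        "image": details.get("Image", ""),
    }


def contain(container_id: str, networks: Sequence[str] = (),
            run: Runner = run_docker) -> str:
    """Steps 1-2: isolate, then pause; if pausing fails, stop.

    Returns "paused" or "stopped". Raises if neither worked, so the
    operator is told the container is still running rather than
    silently moving on to step 3.
    """
    for net in networks:  # best effort: networks shared with other workloads
        run(["network", "disconnect", net, container_id])
    if run(["pause", container_id]):
        return "paused"
    if run(["stop", container_id]):
        return "stopped"
    raise RuntimeError(f"container {container_id} neither paused nor stopped")


def triage(finding: Dict, networks: Sequence[str] = (),
           run: Runner = run_docker) -> Dict[str, str]:
    """Run the procedure and return a record for the incident notes.

    The "image" entry is where step 3 (evaluate the image for malware) starts.
    """
    target = container_from_finding(finding)
    action = contain(target["id"], networks, run)
    return {
        "finding": finding.get("Id", ""),
        "container": target["id"],
        "name": target["name"],
        "action": action,
        "image": target["image"],
    }


if __name__ == "__main__":
    # Dry run against the constructed sample: print the docker commands
    # instead of executing them.
    def echo(args: Sequence[str]) -> bool:
        print("docker", " ".join(args))
        return True

    print(json.dumps(triage(SAMPLE_FINDING, ["bridge"], echo), indent=2))
```

Run it as-is for a dry run; pass `run_docker` (the default) on the affected host to act for real. A pause failure is treated as a reason to stop, matching the page's fallback, and a stop failure raises rather than returning, because a record that claims containment when the process is still running is worse than no record.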

If the access was authorized, you can ignore the finding. The GuardDuty console allows you to set up rules to entirely suppress individual findings so that they no longer appear. For more information, see Suppression rules.