EC2 Resource Isolation – Incident Response – SCS-C02 Study Guide

EC2 Resource Isolation

Assume you have an EC2 instance initiating unexpected API behavior. This has been identified as an anomaly and is considered to be an abnormal operation. As a result, this instance is showing signs of being a potentially compromised resource. Until you have identified the cause, you must isolate the resource to minimize the effect, impact, and potential damage that could occur to other resources within your AWS account. This action should be undertaken immediately. By isolating the instance, you prevent any further connectivity to and from it, minimizing the chances of data being removed. After creating a copy of the EC2 instance using an Amazon Machine Image (AMI), you should then terminate the initial instance which you have quarantined to stop any further misuse of it.

The quickest and most effective way to isolate an instance is to replace its associated security group with one that permits no inbound or outbound traffic. As an additional precaution, you should remove any IAM roles associated with the instance.

To perform a forensic investigation of the affected resources, you will want to move the EC2 instance to your forensic account (discussed previously). However, moving the same instance to a different AWS account is impossible. Instead, you will need to perform the following high-level steps:

  1. First, create an AMI from the affected EC2 instance.
  2. Share the newly created AMI image with your forensic account by modifying the AMI permissions.
  3. From within your forensic account, locate the AMI from within the EC2 console or AWS CLI.
  4. Finally, create a new instance from the shared AMI.

Note

For detailed instructions on how to carry out each of these steps, please visit the following AWS documentation: https://packt.link/nMVwx.

Copying Data

Again, following the previous example of a compromised EC2 instance, assume that the instance was backed by EBS storage. You may want to isolate and analyze the storage from this instance from within your forensic account, which can be achieved through EBS snapshots. These snapshots are essentially incremental backups of your EBS volumes.

Creating a snapshot for your EBS volumes is a simple process:

  1. Select the EC2 service from the Compute category within the AWS Management Console.
  2. Select Volumes from under the Elastic Block Store menu heading on the left:

Figure 4.4: Elastic block store menu

  3. Select your volume from the list of volumes displayed:

Figure 4.5: Volumes list

  4. Select the Actions menu and select Create snapshot:

Figure 4.6: The Actions menu

  5. Add a description and any tags that are required:

Figure 4.7: Create snapshot

  6. Select Create snapshot. At this point, you will get a message at the top of the console stating that the requested snapshot has succeeded:

Figure 4.8: Success message for snapshot creation

  7. Click on Close.
  8. You can now confirm that your snapshot has been created by selecting Snapshots from under the Elastic Block Store menu on the left:

Figure 4.9: Elastic block store menu—Snapshots

  9. From here, you will see your newly created snapshot:

Figure 4.10: Snapshots list

As you can see, creating an EBS snapshot of your volumes is a straightforward process.

As with AMIs, you must modify the permissions of your EBS snapshots to share them with another account. For more information on how to do this, please visit the following link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html.

Once the snapshot has been shared with the forensic account, IR engineers will be able to recreate the EBS volume from the snapshot.
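The isolation and AMI-sharing steps described earlier, together with the snapshot sharing described in this section, written out as one added boto3 example that is not code from the study guide or from AWS. The security group name, the description strings and the forensic account ID are assumptions.

```python
"""Added example (not study-guide or AWS code): quarantine a suspect EC2 instance
and hand its AMI and an EBS snapshot to a forensic account. Functions take any
object with the boto3 EC2 client methods used, so they run offline with a fake."""
FORENSIC_ACCOUNT_ID = "111111111111"  # constructed placeholder account id


def quarantine_security_group(ec2, vpc_id):
    """Create a security group with no inbound and no outbound rules."""
    sg_id = ec2.create_security_group(
        GroupName="ir-quarantine", Description="IR isolation: deny all", VpcId=vpc_id
    )["GroupId"]
    # A new group starts with no inbound rules but an allow-all IPv4 egress
    # rule; revoke it (assumes an IPv4-only VPC, otherwise revoke ::/0 too).
    ec2.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    return sg_id


def isolate_instance(ec2, instance_id, forensic_account=FORENSIC_ACCOUNT_ID):
    """Cut network access, detach the role, image the instance, share the AMI."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])
    vpc_id = inst["Reservations"][0]["Instances"][0]["VpcId"]
    # Replacing the instance's group list is the fastest isolation step.
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  Groups=[quarantine_security_group(ec2, vpc_id)])
    # Detach the instance profile. Credentials already fetched from the metadata
    # service stay valid until they expire, so also revoke the role's sessions.
    assocs = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}]
    )["IamInstanceProfileAssociations"]
    for assoc in assocs:
        ec2.disassociate_iam_instance_profile(AssociationId=assoc["AssociationId"])
    # Capture the instance as an AMI; NoReboot leaves its running state untouched.
    image_id = ec2.create_image(InstanceId=instance_id, Name=f"ir-{instance_id}",
                                NoReboot=True)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[image_id])
    # Grant the forensic account launch permission on the AMI.
    ec2.modify_image_attribute(ImageId=image_id,
                               LaunchPermission={"Add": [{"UserId": forensic_account}]})
    return {"image": image_id, "roles_removed": len(assocs)}


def snapshot_and_share(ec2, volume_id, forensic_account=FORENSIC_ACCOUNT_ID):
    """Snapshot one EBS volume and let the forensic account create volumes from it."""
    snap_id = ec2.create_snapshot(VolumeId=volume_id, Description="IR evidence")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap_id])
    ec2.modify_snapshot_attribute(SnapshotId=snap_id, Attribute="createVolumePermission",
                                  OperationType="add", UserIds=[forensic_account])
    return snap_id
```

Against a real account, pass `boto3.client("ec2")` and the suspect instance or volume ID, for example `isolate_instance(boto3.client("ec2"), "i-<placeholder>")`.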