Cloud Incident Response Blog | Cado Security

AWS EC2 Incident Response

Written by jbowen@cadosecurity.com | Aug 25, 2022 1:07:35 PM

The cloud is complex. Data can be extremely difficult to access, or worse, disappear in the blink of an eye. With more organizations shifting to the cloud, it is essential that security teams to have the ability to efficiently investigate and respond to a potential compromise.

This blog covers some best practices and useful resources when responding to security incidents in AWS EC2.

In the event you’ve identified a potentially compromised AWS EC2 instance, there are a number of immediate actions you can take:

  • Change the security group to one that doesn’t allow any outbound internet access to limit the possibility of data theft.
  • Identify if there was an Instance Profile attached to the EC2. If there was, check CloudTrail logs to see if it may have been abused to access other resources in AWS.
  • Take a snapshot of the EC2 to enable forensic analysis later on.

Community Resources

Official AWS Resources

AWS provides a number of experimental solutions to help isolate, preserve and analyze compromised EC2 systems. A few key ones to play with include:

Cado Security Resources

At Cado, we’ve published a video tutorial on how to investigate a compromised EC2 Instance. You can leverage the Cado Investigation and Response Automation Platform to expedite incident response of potentially compromised EC2 systems. Cado seamlessly integrates with existing security solutions so that organizations can seamlessly drive an automated response framework to ensure critical evidence is captured, processed and preserved immediately following incident detection.

For more, see our playbook: Ultimate Guide to Incident Response in AWS.


Example analysis of a compromised AWS EC2 System in the Cado platform


Example analysis of a compromised AWS EC2 System in the Cado platform

Interested in performing your own investigation using the Cado platform? Check out the 14-day free trial.