Remediating a potentially compromised standalone container
Isolate the potentially compromised container
The following steps will help you identify the potentially malicious container workload:
Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
On the Findings page, choose the corresponding finding to view the findings panel.
In the findings panel, under the Resource affected section, you can view the container's ID and Name.
Isolate this container from other container workloads.
Pause the container
Suspend all the processes in your container.
For information about freezing your container, see Pause a container.
Stop the container
If the step above fails, and the container doesn't pause, stop the container from running. If you've enabled the Snapshots retention feature, GuardDuty will retain the snapshots of your EBS volumes that contain malware.
For information about stopping the container, see Stop a container.
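The pause-then-stop sequence above, as an added example that is not part of the AWS documentation: a small POSIX shell function that takes the container ID shown in the finding, tries to freeze it first, and only stops it if the pause fails. The DOCKER variable is an assumption so the function can be pointed at a wrapper instead of the real docker CLI.

```shell
#!/bin/sh
# Added example (not AWS's own code): isolate a standalone container
# named in a GuardDuty finding. Pausing keeps the process tree frozen
# for later analysis; stopping is the fallback when pausing fails.
# DOCKER defaults to the docker CLI (assumed to be on PATH).
DOCKER="${DOCKER:-docker}"

# isolate_container CONTAINER_ID
# Prints the action taken ("paused" or "stopped") on stdout and
# returns 0; returns 1 if neither action worked, so the responder
# knows the workload is still running.
isolate_container() {
    cid="$1"
    if [ -z "$cid" ]; then
        echo "usage: isolate_container CONTAINER_ID" >&2
        return 1
    fi
    # Step 1: suspend all processes in the container.
    if "$DOCKER" pause "$cid" >/dev/null 2>&1; then
        echo "paused"
        return 0
    fi
    # Step 2: the pause failed, so stop the container instead.
    if "$DOCKER" stop "$cid" >/dev/null 2>&1; then
        echo "stopped"
        return 0
    fi
    echo "could not pause or stop container $cid" >&2
    return 1
}
```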
Evaluate the presence of malware
Evaluate if malware was in the container's image.
If the access was authorized, you can ignore the finding. The https://console.aws.amazon.com/guardduty/