Infrastructure Domain Incidents - AWS Security Incident Response Guide

Infrastructure Domain Incidents

The infrastructure domain typically covers your workload's compute, data, and network-related activity, such as the traffic to your Amazon EC2 instances within the VPC and the processes running in the operating systems of those Amazon EC2 instances.

For example, assume that your monitoring solution notified you of a potential security anomaly on your Amazon EC2 instance. The following actions are common steps to address this issue:

  1. Capture the metadata from the Amazon EC2 instance, before you make any changes to your environment.

  2. Protect the Amazon EC2 instance from accidental termination by enabling termination protection for the instance.

  3. Isolate the Amazon EC2 instance by replacing its VPC security groups with a quarantine security group that allows no inbound or outbound traffic. Be aware that security groups are stateful and rely on connection tracking: flows that were already established when you change the group can persist until they time out, so confirm that the instance is actually isolated (for example, with VPC Flow Logs) or use additional containment techniques such as network ACL deny rules.

  4. Detach the Amazon EC2 instance from any AWS Auto Scaling groups.

  5. Deregister the Amazon EC2 instance from any Elastic Load Balancing target groups or load balancers it belongs to, so that it stops receiving traffic.

  6. Snapshot the Amazon EBS data volumes that are attached to the EC2 instance for preservation and follow-up investigations.

  7. Tag the Amazon EC2 instance as quarantined for investigation, and add any pertinent metadata, such as the trouble ticket associated with the investigation.
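The seven steps above, as an added worked example that is not code from the AWS guide: a Python function that performs them in order through boto3-style clients. The security group ID, ticket ID, instance ID, and target group ARN are placeholder values, and RecordingClient is a constructed stand-in that records calls so the sequence can be run offline; pass real boto3 clients (boto3.client("ec2"), boto3.client("autoscaling"), boto3.client("elbv2")) to run it against an account. The method and parameter names are those of boto3.

```python
import json

QUARANTINE_SG = "sg-0123456789abcdef0"  # assumed: security group with no rules
TICKET = "SEC-1234"                      # assumed trouble-ticket id


def capture_metadata(ec2, instance_id):
    """Step 1: record the instance description before changing anything."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    # default=str serialises the datetime fields a real API response contains
    return instance, json.dumps(instance, default=str, sort_keys=True)


def quarantine_instance(ec2, autoscaling, elbv2, instance_id,
                        quarantine_sg=QUARANTINE_SG, ticket=TICKET):
    """Steps 1-7; returns a log of (action, detail) tuples for the ticket."""
    instance, metadata_json = capture_metadata(ec2, instance_id)
    actions = [("captured", metadata_json)]

    # Step 2: block termination through the API (a shell on the box can still
    # shut the OS down from inside; this only stops accidental API calls).
    ec2.modify_instance_attribute(InstanceId=instance_id,
                                  DisableApiTermination={"Value": True})
    actions.append(("termination_protection", True))

    # Step 3: swap every ENI to the quarantine group. Security groups are
    # stateful, so flows tracked before the swap may persist until they time
    # out; confirm with VPC Flow Logs or add a network ACL deny rule.
    for eni in instance.get("NetworkInterfaces", []):
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[quarantine_sg])
        actions.append(("isolated", eni["NetworkInterfaceId"]))

    # Step 4: detach from its Auto Scaling group without lowering desired
    # capacity, so the group launches a replacement rather than terminating us.
    asg = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for member in asg.get("AutoScalingInstances", []):
        autoscaling.detach_instances(
            InstanceIds=[instance_id],
            AutoScalingGroupName=member["AutoScalingGroupName"],
            ShouldDecrementDesiredCapacity=False)
        actions.append(("detached_asg", member["AutoScalingGroupName"]))

    # Step 5: deregister from every ALB/NLB target group that lists the instance.
    for page in elbv2.get_paginator("describe_target_groups").paginate():
        for tg in page["TargetGroups"]:
            arn = tg["TargetGroupArn"]
            health = elbv2.describe_target_health(TargetGroupArn=arn)
            if any(d["Target"]["Id"] == instance_id
                   for d in health["TargetHealthDescriptions"]):
                elbv2.deregister_targets(TargetGroupArn=arn,
                                         Targets=[{"Id": instance_id}])
                actions.append(("deregistered", arn))

    # Step 6: one crash-consistent snapshot set covering all attached volumes.
    snaps = ec2.create_snapshots(
        InstanceSpecification={"InstanceId": instance_id},
        Description=f"forensic {ticket} {instance_id}",
        CopyTagsFromSource="volume",
        TagSpecifications=[{"ResourceType": "snapshot",
                            "Tags": [{"Key": "TicketId", "Value": ticket}]}])
    for snap in snaps["Snapshots"]:
        actions.append(("snapshot", snap["SnapshotId"]))

    # Step 7: mark the instance so nobody "cleans up" the evidence.
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "SecurityStatus", "Value": "Quarantined"},
                          {"Key": "TicketId", "Value": ticket}])
    actions.append(("tagged", ticket))
    return actions


class RecordingClient:
    """Constructed stand-in for a boto3 client: records calls, returns canned data."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def get_paginator(self, name):
        client = self
        class OnePage:
            def paginate(self, **kwargs):
                yield getattr(client, name)(**kwargs)
        return OnePage()

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.responses.get(name, {})
        return call


def demo():
    """Exercise the procedure against constructed clients and return the log."""
    iid = "i-0abc123def4567890"
    tg = "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/a1b2c3"
    ec2 = RecordingClient({
        "describe_instances": {"Reservations": [{"Instances": [{
            "InstanceId": iid, "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaa"}]}]}]},
        "create_snapshots": {"Snapshots": [{"SnapshotId": "snap-0ccc"}]}})
    autoscaling = RecordingClient({"describe_auto_scaling_instances": {
        "AutoScalingInstances": [{"AutoScalingGroupName": "web-asg"}]}})
    elbv2 = RecordingClient({
        "describe_target_groups": {"TargetGroups": [{"TargetGroupArn": tg}]},
        "describe_target_health": {"TargetHealthDescriptions": [{"Target": {"Id": iid}}]}})
    return quarantine_instance(ec2, autoscaling, elbv2, iid)


if __name__ == "__main__":
    for action, detail in demo():
        print(action, detail)
```

The returned action log is the evidence trail to attach to the ticket. Write the captured metadata JSON to durable storage before continuing, because the later steps change the instance description, and note that step 5 handles target groups only; a Classic Load Balancer needs the separate elb client's deregister_instances_from_load_balancer call.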

You can perform all of the preceding steps using the AWS APIs, AWS SDKs, AWS CLI, or AWS Management Console. Whichever path you use, the IAM service authenticates the caller and authorizes each action, so IAM is how you control who is allowed to act on resources at the account level. In practice, this means the incident responders need a role that grants the EC2, Auto Scaling, and Elastic Load Balancing permissions these steps require, and nothing more, so that the same credentials cannot be used to do broader damage if they are misused.

A snapshot of an Amazon EBS volume is a point-in-time, block-level copy of the volume. Snapshots are created asynchronously: the point in time is fixed when the request is made, but copying the blocks continues in the background and can take a while to complete. The first snapshot of a volume copies every block; later snapshots of the same volume are incremental and store only the blocks that changed since the previous snapshot. You can create new EBS volumes from these snapshots and attach them to a dedicated forensic EC2 instance in the same Availability Zone, mounting them read-only, so investigators can analyze the data offline without touching the compromised host. The following diagram shows a simplified version of the outcome, and does not describe all of the network components (such as subnets, route tables, and network access control lists).

Figure 6: EC2 Instance Isolation and Snapshots