What to do when an EC2 instance or system gets compromised in AWS?

Steps to take in case of such activity:

  1. Isolate the instance, so that it cannot attack any other server in the network
  2. Perform an EBS snapshot
  3. Take a memory dump
  4. Perform forensics analysis
  5. Terminate the instance

Once the investigation is done, the instance can be terminated.
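Steps 1 and 2 can be scripted against the EC2 API. The function below is an added example, not part of the original post: it assumes a boto3 EC2 client is passed in, and the case label, tag keys and group name are hypothetical. It does not take the memory dump and does not terminate anything.

```python
def contain_and_snapshot(ec2, instance_id, case_id):
    """ec2: a boto3 EC2 client. case_id: hypothetical incident ticket label."""
    inst = ec2.describe_instances(
        InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tag = [{"Key": "ir-case", "Value": case_id}]  # tag key is an assumption
    original = [g["GroupId"] for g in inst["SecurityGroups"]]

    # Step 1: isolation group with no rules. A new group has no inbound rules
    # but does have allow-all egress, so read back its egress rules and revoke them.
    sg_id = ec2.create_security_group(
        GroupName=f"ir-isolate-{case_id}",
        Description=f"Isolation for {instance_id}",
        VpcId=inst["VpcId"])["GroupId"]
    egress = ec2.describe_security_groups(
        GroupIds=[sg_id])["SecurityGroups"][0]["IpPermissionsEgress"]
    if egress:
        ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=egress)
    # Swap the group onto every network interface, not only the primary one.
    for eni in inst["NetworkInterfaces"]:
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[sg_id])
    # Keep the previous groups on record for the investigation.
    ec2.create_tags(Resources=[instance_id], Tags=tag + [
        {"Key": "ir-original-sgs", "Value": ",".join(original)}])

    # Step 2: snapshot each attached EBS volume. The instance is left running
    # so that memory can still be captured in step 3.
    snapshots = []
    for dev in inst.get("BlockDeviceMappings", []):
        vol = dev.get("Ebs", {}).get("VolumeId")
        if vol:
            snapshots.append(ec2.create_snapshot(
                VolumeId=vol,
                Description=f"{case_id} {instance_id} {dev['DeviceName']}",
                TagSpecifications=[{"ResourceType": "snapshot", "Tags": tag}],
            )["SnapshotId"])
    return {"isolation_sg": sg_id, "original_sgs": original, "snapshots": snapshots}


if __name__ == "__main__":
    import sys
    import boto3  # imported here so the function itself has no dependencies
    print(contain_and_snapshot(boto3.client("ec2"), sys.argv[1], sys.argv[2]))
```

Connections that were already established and tracked by the old security groups can persist after the swap until they time out, so confirm the isolation in VPC flow logs before relying on it.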
