Spotlight: Auto Remediation of Compromised Instance in AWS Environment

Introduction

Applying security best practices to cloud environments is always a challenging role. The security team always works the same to mitigate and reduce the impact of it on the businesses. As a part of running virtual servers such as EC2 instances on AWS cloud for various workloads, AWS always provides innovative security services to patch incidents quickly without manual intervention.

What is a Compromised Instance?

An Instance or Virtual machine is said to be compromised if it has been attacked and intruders have gained unauthorized access to it to harm, exploit flaws, and access sensitive information.

Services Considered to be Used

1. EC2 Instance: This is nothing but a virtual machine/virtual server running inside an AWS Cloud environment where users need access using remote login protocols such as SSH, RDP, etc.
2. Amazon GuardDuty: GuardDuty is an AWS service that uses machine learning algorithms and threat intelligence to analyze and monitor AWS account activity, network traffic, and AWS CloudTrail logs for indicators of compromise (IOCs) and suspicious behavior. It can detect common attack patterns, such as unauthorized access attempts, unusual API calls, reconnaissance activities, and compromised instances.
3. Amazon EventBridge: It is a successor to the Amazon CloudWatch service. With EventBridge, you can define rules that match events from different sources, such as AWS services, third-party applications, or custom applications, and specify targets for those events. The events can include system events (e.g., AWS CloudTrail events), custom application events, or events generated by SaaS providers (e.g., Stripe, Zendesk).
4. AWS STEP function: AWS Step Functions is a serverless workflow service that Amazon Web Services (AWS) provides. With Step Functions, you can design and visualize your workflows as state machines. Each state represents a step in your workflow, and the transitions between states define the flow of execution. Each state can perform specific tasks, such as calling AWS Lambda functions, running AWS Batch jobs, waiting for a specific period, making API calls to other services, or performing error handling and branching based on conditions.
5. AWS Simple Notification Service (SNS): AWS SNS (Simple Notification Service) is a fully managed pub/sub messaging service provided by Amazon Web Services (AWS). It enables you to send notifications and messages to subscribers or other systems in a highly scalable and reliable manner.

6. AWS Lambda: AWS Lambda is a serverless compute service provided by Amazon Web Services (AWS). It allows you to run your code without provisioning or managing servers, providing a flexible and scalable way to build applications and services.

Step by Step Guide to Auto Remediate

Here is the step-by-step guide to automating the quick remediation of compromised virtual servers, such as EC2 machines running inside the AWS cloud Environment.

Fig. 1 Automated workflow to detect comprised instance in AWS Environment

Whenever the instance gets compromised due to an attack, it is very difficult to know if we don’t follow and consume AWS’s best Innovate security services or must go with manual observation.

Step 1:

By Using AWS intelligent threat detection services such as Amazon GuardDuty, threats such as compromised hosts can easily be detected by AWS EventBridge, the successor of Cloud Watch, for further steps and will notify the immediately to owner through the SNS topic about the incident.

Step 2:

EventBridge will trigger a step function after an event occurs, which helps to automate business workflow; here, it will have Lambda Function as a part of the flow inside a state machine.

Step 3:

It is best practice to remove the VM from the actual production environment where traffic is reaching and remove the security group which handles actual traffic and the Role the affected one assumes to stop and avoid malpractices.

Step 4:

Lambda will have logic or code written to change the configuration settings of Compromised instances, making it in a safe environment by taking snapshot automation for further forensic analysis to know the root cause but not moving with terminating the instance.

Step 5:

After remediation also, it must be notified to SNS topic that remediation has been taking place by looking at the scenario.

Conclusion

Thus, whenever the compromised state of the Virtual server in the AWS environment is our concern, there is auto-remediation with the simplest approach of considering Amazon Innovate service to know about incidence always a preferable way.

There are many ways to automate the logic to identify the compromise of the machine with various logs and consider their analysis. Still, AWS Innovate services, called as aws managed service, are always the best approach to consider.

About CloudThat