AWS Security Academy · Lesson

Isolating a Resource for Forensics

Learn how to quarantine an instance while preserving evidence.

Why Isolate First

When an EC2 instance is compromised, your instinct may be to shut it down. Resist that. Powering off destroys volatile memory and may tip off the attacker.

Isolation cuts the resource off from the network and other systems while keeping it running and intact for analysis. Stop the spread without erasing the evidence.

Network Isolation

The fastest way to isolate an instance is to attach an empty, deny-all security group. Because security groups attach to the instance's network interfaces directly, swapping in one with no inbound or outbound rules halts essentially all new traffic. Security groups are stateful, though, so connections AWS was already tracking may survive the swap; check for lingering sessions after the change rather than assuming the instance went silent.

Some teams keep a pre-made forensic isolation security group ready (with the default allow-all outbound rule removed, since a newly created group permits all egress) so containment is a single API call.

# Replace every security group on the instance with the isolation group only
aws ec2 modify-instance-attribute \
  --instance-id i-0abc123 \
  --groups sg-forensic-isolation
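The single command above is the whole containment step, but a runbook usually wraps it with a pre-check and an evidence record. The script below is an added example, not part of this lesson or any AWS tooling: it assumes the AWS CLI is installed and credentialed, the instance and group IDs are placeholders, and the function names (current_groups, is_deny_all, isolate_instance) are this example's own. It refuses to proceed if the isolation group still carries any rule, saves the originally attached groups to a file before the swap, and then re-reads the instance to confirm only the isolation group remains.

```shell
#!/bin/sh
# Added example wrapper for the security-group swap (not the lesson's own code).
# Assumes: AWS CLI present and credentialed; IDs passed in are placeholders.

# Print the security group IDs currently attached to an instance, one per line.
current_groups() {
  aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' \
    --output text | tr '\t' '\n'
}

# Succeed only if the group has zero inbound and zero outbound rules.
# A freshly created security group carries a default allow-all egress rule,
# so this guards against "isolating" with a group that still lets data leave.
is_deny_all() {
  group=$1
  set -- $(aws ec2 describe-security-groups --group-ids "$group" \
    --query 'SecurityGroups[0].[length(IpPermissions),length(IpPermissionsEgress)]' \
    --output text)
  [ "${1:-x}" = "0" ] && [ "${2:-x}" = "0" ]
}

# Swap the instance onto the isolation group, recording what was attached
# beforehand so the original exposure is preserved as evidence (and for rollback).
# Usage: isolate_instance <instance-id> <isolation-sg-id> [evidence-file]
isolate_instance() {
  instance=$1
  isolation_sg=$2
  evidence=${3:-"./${instance}-original-sgs.txt"}

  if ! is_deny_all "$isolation_sg"; then
    echo "refusing: $isolation_sg still has rules; fix the group first" >&2
    return 1
  fi

  current_groups "$instance" > "$evidence"
  aws ec2 modify-instance-attribute --instance-id "$instance" --groups "$isolation_sg"

  # Verify the attachment: the only group left must be the isolation group.
  # This confirms the API change took effect, not that every already-tracked
  # connection has dropped; check for lingering sessions separately.
  after=$(current_groups "$instance")
  [ "$after" = "$isolation_sg" ]
}
```

Run it as `isolate_instance i-0abc123 sg-forensic-isolation` after sourcing the file. The evidence file it writes is the list of groups the instance had at the moment of containment, which is often the first question an investigator asks and the one thing the swap itself erases.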
