AWS Security Academy · Lesson

Quarantining a Compromised EC2 Instance

Cut an infected workload off with restrictive security groups.

When to Quarantine

If GuardDuty or your own monitoring shows an EC2 instance making malicious outbound connections, mining cryptocurrency, or scanning your network, it needs to be quarantined.

Quarantine isolates the instance from everything else so it can do no further harm, while keeping it alive for investigation rather than wiping the evidence.

Security Group Swap

The cleanest quarantine is to replace the instance's security groups with a single forensic group that has no inbound rules and, ideally, no outbound rules.

Because security groups are attached to the instance's network interfaces rather than to the subnet, the swap takes effect immediately and blocks new connections in both directions without touching anything else in the subnet. Security groups are stateful, so a connection that was already established and tracked can survive until it idles out; it is new connections that are cut at once.

aws ec2 modify-instance-attribute \
  --instance-id i-0abc123 \
  --groups sg-quarantine
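The swap above with the steps around it (create the forensic group, strip the allow-all egress rule AWS adds to every new group, record the instance's previous groups, then verify the result), as an added shell example that is not part of this lesson. It assumes AWS CLI v2 with credentials permitted to call the EC2 operations used; i-0abc123, vpc-0test and the group name sg-quarantine are placeholders, and the AWS_CMD variable is an indirection added here so the script can be pointed at a wrapper or a stub.

```shell
#!/usr/bin/env bash
# Added example: quarantine an EC2 instance behind a rule-less forensic
# security group. Not the Academy's own script. Assumes AWS CLI v2 is
# configured; AWS_CMD is a hypothetical indirection (defaults to "aws").
set -euo pipefail
AWS_CMD="${AWS_CMD:-aws}"

# Print the security group IDs currently attached to the instance, space separated.
current_groups() {
  "$AWS_CMD" ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].SecurityGroups[].GroupId' \
    --output text | tr '\t' ' '
}

# Create the forensic group. A new group has no inbound rules, but AWS gives it
# an allow-all outbound rule by default, so that rule is revoked explicitly.
create_quarantine_group() {
  local vpc_id=$1 name=${2:-sg-quarantine}
  local sg_id
  sg_id=$("$AWS_CMD" ec2 create-security-group --vpc-id "$vpc_id" \
    --group-name "$name" \
    --description "Forensic quarantine: no inbound, no outbound" \
    --query GroupId --output text)
  "$AWS_CMD" ec2 revoke-security-group-egress --group-id "$sg_id" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' \
    >/dev/null
  printf '%s\n' "$sg_id"
}

# Succeed only if the group has zero inbound and zero outbound rules.
verify_quarantine_group() {
  local counts
  counts=$("$AWS_CMD" ec2 describe-security-groups --group-ids "$1" \
    --query 'SecurityGroups[0].[length(IpPermissions),length(IpPermissionsEgress)]' \
    --output text | tr '\t' ' ')
  [ "$counts" = "0 0" ]
}

# Swap the instance onto the forensic group. The previous groups are written to
# a record file first, both as evidence and so they can be restored later.
# New connections stop immediately; tracked connections already established
# may linger until they idle out.
quarantine_instance() {
  local instance_id=$1 sg_id=$2 record=${3:-quarantine-${1}.log}
  verify_quarantine_group "$sg_id" || {
    echo "refusing: $sg_id still has inbound or outbound rules" >&2
    return 1
  }
  printf '%s instance=%s previous_groups=%s\n' "$(date -u +%FT%TZ)" \
    "$instance_id" "$(current_groups "$instance_id")" >> "$record"
  "$AWS_CMD" ec2 modify-instance-attribute \
    --instance-id "$instance_id" --groups "$sg_id"
  # Confirm the swap took effect before calling the instance isolated.
  [ "$(current_groups "$instance_id")" = "$sg_id" ]
}

# Usage (placeholders): sg=$(create_quarantine_group vpc-0test)
#                       quarantine_instance i-0abc123 "$sg"
```

The verify step is the check worth keeping: a group created through the console or CLI and never edited still allows all outbound traffic, so attaching it would let a miner or beaconing implant keep talking. Refusing to swap until both rule counts read zero turns that mistake into a loud failure instead of a silent one.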
