A Guide to Handling a Compromised EC2 Instance

In the world of cloud computing, security is paramount. Even so, no set of controls prevents every breach. If an Amazon EC2 instance is compromised, swift and decisive action is needed to contain the damage, preserve evidence and investigate what happened.

Here is a step-by-step guide to addressing a compromised EC2 instance using the AWS Command Line Interface (AWS CLI). The instance, security group, volume, Auto Scaling group and target group identifiers in the commands are placeholders; substitute your own.

Step 1: Capture the Instance Metadata

The first step is to record what you are dealing with. The Instance Metadata Service (IMDS) exposes the instance ID, Availability Zone, AMI, network interfaces and the name of the attached IAM role, and is reachable only from the instance itself at 169.254.169.254. The commands below use IMDSv2, which requires a session token:

TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

This lists the available metadata categories; append one (for example instance-id or iam/info) to the URL to read it. Two caveats. These commands run on the compromised host, and every command you run there changes its state, so keep the session short and note what you did and when. And if the instance has an IAM role, anyone who has run code on the host could have pulled that role's temporary credentials from the same endpoint, so treat those credentials as exposed. If you would rather not touch the host, the same facts (instance ID, VPC, subnet, instance profile, attached volumes) are available from your own workstation through describe-instances in the AWS CLI.

Step 2: Enable Termination Protection

Next, enable termination protection so that nobody, including an attacker holding API credentials or an automated cleanup job, can terminate the instance through the API while you investigate. Use modify-instance-attribute with --disable-api-termination:

aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --disable-api-termination

Note the flag: --disable-api-termination turns protection on, while --no-disable-api-termination turns it off (the original version of this command would have removed protection rather than added it). You can confirm the setting with describe-instance-attribute and the disableApiTermination attribute. Termination protection only blocks API terminate calls; it does not stop Amazon EC2 Auto Scaling from terminating an instance it considers unhealthy, nor does it prevent the instance from being stopped, which is why Step 4 matters.

Step 3: Isolate the Instance

To stop the instance from reaching the attacker, exfiltrating data or pivoting to other hosts, isolate it at the network layer by replacing its security groups with a quarantine group. Keep one pre-created in every VPC with no inbound rules and no outbound rules; a security group with no rules denies all traffic. Here's an example command:

aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --groups sg-0abcd1234efgh5678

This replaces every security group on the instance's primary network interface with the quarantine group. If the instance has additional network interfaces, change those separately with modify-network-interface-attribute. Security groups are stateful and track established connections, so do not assume an attacker's existing session drops the instant the group changes; if you need a hard cut, add a deny-all network ACL as well (bearing in mind that a network ACL applies to the whole subnet) and confirm from a packet capture. Isolation will make load balancer and Auto Scaling health checks fail, so take care of Steps 4 and 5 before, or immediately after, this step.

Step 4: Detach from Auto Scaling Group (ASG)

If the compromised instance is part of an ASG, deal with the group before the instance's health checks start failing; otherwise the ASG will terminate it as unhealthy (termination protection does not stop Auto Scaling) and launch a replacement, destroying your evidence. The simplest option is to suspend the group's scaling processes:

aws autoscaling suspend-processes --auto-scaling-group-name my-asg

With no --scaling-processes argument this suspends every process in the group, so it will neither terminate the instance nor launch, replace or rebalance others until you run resume-processes. If you would rather keep the group operating and only pull this one instance out of it, detach the instance with detach-instances instead; unless you also decrement the desired capacity, the group launches a clean replacement. Whichever you choose, record it in the ticket so the group is returned to normal once the investigation is over.

Step 5: Deregister from Load Balancer

Next, deregister the compromised instance from any load balancer so it stops receiving user traffic. For an Application or Network Load Balancer, remove it from its target group:

aws elbv2 deregister-targets --target-group-arn my-target-group-arn --targets Id=i-1234567890abcdef0

For a Classic Load Balancer the equivalent is elb deregister-instances-from-load-balancer. Deregistration starts a draining period (the target group's deregistration delay, 300 seconds by default) during which in-flight requests are allowed to finish; if the instance was already isolated in Step 3, those connections will be failing anyway.

Step 6: Snapshot Elastic Block Store (EBS)

For later analysis, snapshot the instance's EBS volumes. A snapshot is a point-in-time, crash-consistent copy of the block device as of the moment the command is issued, so run it as soon as the instance is contained, and run it once per attached volume (describe-instances lists them under BlockDeviceMappings):

aws ec2 create-snapshot --volume-id vol-049df61146f12f2ad --description "Snapshot for incident investigation"

The snapshot preserves the disk as it was at that moment, but not memory, and not any instance store (ephemeral) volumes, which exist only while the instance is running. Record the snapshot ID in the ticket, tag it the same way as the instance, and consider copying it to a dedicated forensics account so that it survives even if the attacker still holds credentials for this one.

Step 7: Tag the Instance

Finally, tag the compromised instance (and the snapshots you just created) with the investigation ticket, so that anyone who comes across the resource knows why it exists and does not clean it up. Use the create-tags command:

aws ec2 create-tags --resources i-1234567890abcdef0 --tags Key=Investigation,Value=TicketNumber123

This adds a tag to the instance, helping to track and document the incident for future reference and audits.
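Putting Steps 2 to 7 together, here is a containment script as an added example; it is not code from the original article. It assumes a pre-created quarantine security group with no rules (the second argument), a ticket ID, and optionally a target group ARN; the AWS_CLI variable is hypothetical and exists only so the script can be dry-run with a stub in place of the real CLI. It orders the steps so the Auto Scaling group is handled before network isolation, and it snapshots every attached volume rather than one:

```shell
#!/usr/bin/env bash
# Added example, not from the original article: contain a compromised EC2
# instance in one pass. Assumptions (hypothetical): the quarantine security
# group passed as $2 already exists in the instance's VPC with no inbound and
# no outbound rules; $3 is the ticket ID; $4 (optional) is a target group ARN.
# AWS_CLI exists only so the script can be dry-run with a stub in place of aws.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Run a JMESPath query against describe-instances for one instance.
instance_query() {   # $1 = instance id, $2 = query
    "$AWS_CLI" ec2 describe-instances --instance-ids "$1" \
        --query "$2" --output text
}

# Auto Scaling group the instance belongs to; empty if it is not in one
# (the CLI prints "None" for a null field in text output).
asg_for_instance() {   # $1 = instance id
    local name
    name=$("$AWS_CLI" autoscaling describe-auto-scaling-instances \
        --instance-ids "$1" \
        --query 'AutoScalingInstances[0].AutoScalingGroupName' --output text)
    if [ "$name" = "None" ]; then name=""; fi
    printf '%s' "$name"
}

contain_instance() {   # $1 = instance id, $2 = quarantine sg, $3 = ticket, $4 = target group ARN (optional)
    local id="$1" sg="$2" ticket="$3" tg="${4:-}" asg vol

    # Step 7 first: a tagged instance stays traceable even if a later call fails.
    "$AWS_CLI" ec2 create-tags --resources "$id" \
        --tags "Key=Investigation,Value=$ticket" Key=Status,Value=Quarantined

    # Step 2: termination protection. The flag is --disable-api-termination;
    # --no-disable-api-termination would switch protection OFF.
    "$AWS_CLI" ec2 modify-instance-attribute --instance-id "$id" \
        --disable-api-termination

    # Step 4, before isolation: termination protection does not stop Auto
    # Scaling, and an isolated instance fails its health checks. Detaching
    # without --should-decrement-desired-capacity makes the group launch a
    # clean replacement. (suspend-processes is the alternative if you want
    # the whole group frozen instead.)
    asg=$(asg_for_instance "$id")
    if [ -n "$asg" ]; then
        "$AWS_CLI" autoscaling detach-instances --instance-ids "$id" \
            --auto-scaling-group-name "$asg"
    fi

    # Step 5: pull it out of the load balancer's target group, if one was given.
    if [ -n "$tg" ]; then
        "$AWS_CLI" elbv2 deregister-targets --target-group-arn "$tg" \
            --targets "Id=$id"
    fi

    # Step 3: network isolation. --groups replaces every security group on
    # the primary network interface with the quarantine group.
    "$AWS_CLI" ec2 modify-instance-attribute --instance-id "$id" --groups "$sg"

    # Step 6: one point-in-time snapshot per attached EBS volume, tagged
    # with the ticket so it is not cleaned up by mistake.
    for vol in $(instance_query "$id" \
            'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId'); do
        "$AWS_CLI" ec2 create-snapshot --volume-id "$vol" \
            --description "Incident $ticket: $id $vol" \
            --tag-specifications "ResourceType=snapshot,Tags=[{Key=Investigation,Value=$ticket}]"
    done
}

# usage: ./contain.sh i-1234567890abcdef0 sg-0abcd1234efgh5678 TicketNumber123 [target-group-arn]
if [ "$#" -ge 3 ]; then
    contain_instance "$@"
fi
```

Run it with the real CLI from a workstation whose credentials have the required EC2, Auto Scaling and ELB permissions; to rehearse it, set AWS_CLI to the name of a shell function that prints its arguments and check the emitted commands.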

After securing the compromised instance and gathering necessary data, you can proceed with the investigation. Depending on the nature of your investigation, you can either shut down the instance for offline analysis or continue with an online investigation.

Offline Investigation

Stopping the instance and analyzing the EBS snapshot is the common method for offline investigation. Stopping discards the contents of memory and of any instance store volumes, so if you need either, capture them first (see the online investigation below). Once the instance is stopped, work from the snapshot rather than the original volume: create a new volume from it, attach that volume to a separate, hardened forensic instance in the same Availability Zone, and mount it read-only so the evidence is never modified and nothing on it can execute.
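The volume-from-snapshot flow above, as an added example that is not code from the original article. Everything named here is assumed and hypothetical: the snapshot, Availability Zone and forensic instance IDs are arguments, /dev/sdf is free on the forensic host (Nitro instances expose it as /dev/nvme1n1), mount_evidence runs as root on that host, and the AWS_CLI and MOUNT_CMD variables exist only so the functions can be dry-run with stubs.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: bring an evidence snapshot up
# as a read-only volume on a separate forensic instance. Assumptions
# (hypothetical): the forensic instance is in the Availability Zone given as
# $2, device /dev/sdf is free on it (on Nitro instances it shows up as
# /dev/nvme1n1), and mount_evidence is run as root on that forensic host.
# AWS_CLI and MOUNT_CMD exist only so the functions can be dry-run with stubs.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
MOUNT_CMD="${MOUNT_CMD:-mount}"

# Create a volume from the snapshot, attach it to the forensic instance and
# print the new volume ID so it can be recorded against the ticket.
attach_evidence_volume() {   # $1 = snapshot id, $2 = AZ, $3 = forensic instance id
    local snap="$1" az="$2" host="$3" vol
    vol=$("$AWS_CLI" ec2 create-volume --snapshot-id "$snap" \
        --availability-zone "$az" --volume-type gp3 \
        --tag-specifications "ResourceType=volume,Tags=[{Key=Evidence,Value=$snap}]" \
        --query VolumeId --output text)
    "$AWS_CLI" ec2 wait volume-available --volume-ids "$vol"
    "$AWS_CLI" ec2 attach-volume --volume-id "$vol" --instance-id "$host" \
        --device /dev/sdf
    "$AWS_CLI" ec2 wait volume-in-use --volume-ids "$vol"
    printf '%s\n' "$vol"
}

# Mount options for evidence: read-only, no journal replay (ext4 'noload',
# xfs 'norecovery'; a plain 'ro' mount would still write the journal back),
# and nothing on the suspect disk may execute, be setuid, or act as a device.
evidence_mount_opts() {   # $1 = filesystem type
    case "$1" in
        xfs) printf '%s' "ro,norecovery,noexec,nosuid,nodev" ;;
        *)   printf '%s' "ro,noload,noexec,nosuid,nodev" ;;
    esac
}

# On the forensic host: hash the raw device before touching it, then mount it.
# The hash, kept next to the mount point, lets you show later that the
# evidence was not altered during analysis.
mount_evidence() {   # $1 = block device, $2 = mount point, $3 = fs type (default ext4)
    local dev="$1" mnt="$2" fstype="${3:-ext4}"
    mkdir -p "$mnt"
    sha256sum "$dev" > "$mnt.sha256"
    "$MOUNT_CMD" -t "$fstype" -o "$(evidence_mount_opts "$fstype")" "$dev" "$mnt"
}
```

After mounting, hash the device again when you are done; a matching pair of hashes is the simplest evidence that the read-only mount held.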

Online Investigation

Online investigations keep the instance running and collect the volatile evidence a snapshot cannot: network traffic and memory. Two rules apply to anything you run on the host. Use tools from trusted media (for example a statically linked toolkit on a freshly attached evidence volume) rather than the system's own binaries, which may have been replaced; and write all output to that evidence volume, never to the instance's own disk, so the capture does not overwrite artifacts you may want later. The examples below assume such a volume mounted at /mnt/evidence.

To capture network traffic, use tcpdump. The primary interface is eth0 on older instance types and usually ens5 on Nitro-based ones; tcpdump -D lists what is present. This command saves the traffic on eth0 to a file (-n avoids DNS lookups, which would themselves generate traffic):

sudo tcpdump -i eth0 -n -w /mnt/evidence/traffic.pcap

If you prefer not to run anything on the instance, VPC Traffic Mirroring can copy its traffic to a collector interface without touching the host.

To acquire memory, use LiME (Linux Memory Extractor). LiME is a kernel module, not a standalone command: it has to be built against the exact kernel the instance is running (uname -r), ideally on a clean instance launched from the same AMI, and is then loaded with insmod, which performs the dump, and unloaded afterwards:

sudo insmod ./lime-$(uname -r).ko "path=/mnt/evidence/memory.lime format=lime"
sudo rmmod lime

Take the memory image before any step that stops or reboots the instance, since that is the point at which it is lost.

These are only the initial steps to take when an EC2 instance is compromised. Depending on the scale and nature of the compromise, involve your organization's security team and open a case with AWS Support as well.