EC2 Instance Isolation

Isolate an EC2 instance suspected in a security incident

This Step Functions workflow orchestrates the process of isolating an EC2 instance involved in a potential security anomaly.
Using only native API calls, the step function:
1. Captures the metadata of the Amazon EC2 instance.
2. Protects the Amazon EC2 instance from accidental termination by enabling termination protection on the instance.
3. Isolates the Amazon EC2 instance by switching its VPC Security Group.
4. Detaches the Amazon EC2 instance from any AWS Auto Scaling groups, which also deregisters the instance from any related Elastic Load Balancing service.
5. Snapshots the Amazon EBS data volumes attached to the EC2 instance for preservation and follow-up investigation.
6. Tags the Amazon EC2 instance as quarantined for investigation and adds any pertinent metadata, such as the trouble ticket associated with the investigation.
7. Creates a forensic instance with the EBS volume from the suspected instance and allows ingress to the quarantined instance.
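Steps 1 to 6 above expressed as boto3 calls, as an added example that is not the workflow's own code. It assumes a pre-created quarantine security group with no inbound or outbound rules, a trouble-ticket id to record in the tags, and injected clients so the logic can be exercised without an AWS account; step 7 (the forensic instance) is left out.

```python
# Added example, not the workflow's own code. The EC2 and Auto Scaling clients
# are passed in (dependency injection) so the steps can be tested with fakes.
# Assumed inputs: instance_id, quarantine_sg (a group with no rules), ticket.

def isolate_instance(ec2, autoscaling, instance_id, quarantine_sg, ticket):
    """Run the isolation steps in order and return what was captured/done."""
    # 1. Capture instance metadata before anything is changed.
    reservation = ec2.describe_instances(InstanceIds=[instance_id])
    instance = reservation["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in instance["SecurityGroups"]]

    # 2. Prevent accidental termination while the investigation runs.
    ec2.modify_instance_attribute(
        InstanceId=instance_id, DisableApiTermination={"Value": True})

    # 3. Replace every security group with the quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])

    # 4. Detach from any Auto Scaling group (this also deregisters the instance
    #    from the group's load balancer); not decrementing desired capacity
    #    lets the group launch a healthy replacement.
    asg = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    asg_names = [i["AutoScalingGroupName"] for i in asg["AutoScalingInstances"]]
    for name in asg_names:
        autoscaling.detach_instances(
            InstanceIds=[instance_id], AutoScalingGroupName=name,
            ShouldDecrementDesiredCapacity=False)

    # 5. Snapshot each attached EBS volume for preservation.
    snapshot_ids = []
    for mapping in instance.get("BlockDeviceMappings", []):
        if "Ebs" not in mapping:  # skip instance-store mappings
            continue
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol, Description=f"forensic copy of {vol} ({ticket})")
        snapshot_ids.append(snap["SnapshotId"])

    # 6. Tag the instance as quarantined, keeping the ticket and original groups.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "Quarantine", "Value": "true"},
        {"Key": "TicketId", "Value": ticket},
        {"Key": "OriginalSecurityGroups", "Value": ",".join(original_sgs)}])

    return {"original_security_groups": original_sgs,
            "auto_scaling_groups": asg_names, "snapshots": snapshot_ids}

if __name__ == "__main__":  # live run; instance and group ids are placeholders
    import boto3
    print(isolate_instance(boto3.client("ec2"), boto3.client("autoscaling"),
                           "i-PLACEHOLDER", "sg-QUARANTINE", "TICKET-1"))
```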


Clone repo

git clone https://github.com/aws-samples/step-functions-workflows-collection
cd step-functions-workflows-collection/ec2-instance-isolation-cdk

Deploy

cdk deploy


Testing

See the GitHub repo for detailed testing instructions.

Cleanup

1. Delete the stack: cdk destroy.

Created by:

Jeremy Cianella


Jeremy is a Senior Solutions Architect at Amazon Web Services based in Miami, FL. Prior to AWS, Jeremy worked in the energy industry leading DevOps transformations and creating serverless applications.


Stan Fan


Stan Fan is a Solutions Architect at Amazon Web Services (AWS) based in Sydney, Australia.
