[{"data":1,"prerenderedAt":64},["ShallowReactive",2],{"workflow-ec2-instance-isolation-cdk-python":3},{"id":4,"title":5,"cleanup":6,"contributors":10,"deploy":13,"description":16,"diagram":17,"extension":18,"framework":19,"gitHub":20,"introBox":29,"level":41,"meta":42,"resources":43,"s3URL":52,"services":53,"simplicity":55,"stem":56,"testing":57,"type":61,"usecase":62,"videoId":28,"__hash__":63},"workflows\u002Fworkflows\u002Fec2-instance-isolation-cdk-python.json","EC2 Instance Isolation",{"headline":7,"text":8},"Cleanup",[9],"1. Delete the stack: \u003Ccode>cdk delete\u003C\u002Fcode>.",[11,12],"content\u002Fcontributors\u002Fjeremy-cianella.json","content\u002Fcontributors\u002Fstan-fan.json",{"text":14},[15],"cdk deploy","Isolate an EC2 instance suspected in a security incident","\u002Fassets\u002Fimages\u002Fworkflows\u002FEC2-Instance-Isolation-cdk-python.png","json","AWS CDK",{"template":21,"payloads":26},{"repoURL":22,"templateDir":23,"templateFile":24,"ASL":25},"https:\u002F\u002Fgithub.com\u002Faws-samples\u002Fstep-functions-workflows-collection\u002Ftree\u002Fmain\u002Fec2-instance-isolation-cdk\u002F","ec2-instance-isolation-cdk","python\u002Fapp.py","python\u002Fstatemachine\u002Fstatemachine.asl.json",[27],{"headline":28,"payloadURL":28},"",{"headline":30,"text":31},"How it works",[32,33,34,35,36,37,38,39,40],"This Step Functions workflow orchestrates the process of isolating an EC2 instance involved in a potential security anomaly.","Using native API calls only, the step function:","1. Captures the metadata from the Amazon EC2 instance.","2. Protects the Amazon EC2 instance from accidental termination by enabling termination protection for the instance.","3. Isolates the Amazon EC2 instance by switching the VPC Security Group.","4. Detaches the Amazon EC2 instance from any AWS Auto Scaling groups, which deregisters the Amazon EC2 instance from any related Elastic Load Balancing service.","5. Snapshots the Amazon EBS data volumes that are attached to the EC2 instance for preservation and follow-up investigations.","6. Tags the Amazon EC2 instance as quarantined for investigation, and adds any pertinent metadata, such as the trouble ticket associated with the investigation.","7. Creates a forensic instance with the EBS volume from the suspected instance and allows ingress to the quarantined instance.","200",{},{"headline":44,"bullets":45},"Additional Resources",[46,49],{"text":47,"link":48},"AWS Security Incident Response Guide","https:\u002F\u002Fdocs.aws.amazon.com\u002Fwhitepapers\u002Flatest\u002Faws-security-incident-response-guide\u002Fwelcome.html",{"text":50,"link":51},"Orchestrating a security incident response with AWS Step Functions","https:\u002F\u002Faws.amazon.com\u002Fblogs\u002Fcompute\u002Forchestrating-a-security-incident-response-with-aws-step-functions\u002F",null,[54],"ec2","3 - Application","workflows\u002Fec2-instance-isolation-cdk-python",{"headline":58,"text":59},"Testing",[60],"See the GitHub repo for detailed testing instructions.","Standard","Security Automation","8dkm8e2UKiQPMBFRINHrRzIWRfWXAq8cSAytXh1rRb8",1778846889070]