In this article I would like to discuss abuse notice strategies. Let's assume you need to evaluate a suspected compromised instance. Where should you start? If AWS suspects that your account has been compromised, either at the access key level or at the EC2 instance level, it will send an email (the abuse notice) with some details about the suspicious activity. From the customer's perspective, it is then up to you to evaluate the named resource, such as an EC2 instance, and determine whether you are truly dealing with a security event. GuardDuty is a good starting point: it analyses your account's CloudTrail events, VPC Flow Logs and DNS logs and raises findings against the instance. VPC Flow Logs themselves are a VPC feature rather than a GuardDuty one; enabling them on the VPC, subnet or network interface lets you inspect the instance's incoming and outgoing traffic at whichever of those levels you need. You can isolate the resource from the network by swapping its security group for a quarantine group with no inbound or outbound rules, take an EBS snapshot so the evidence is preserved, and then launch a replacement from a backup in the form of an AMI rather than trying to clean the suspect instance in place.
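As an added example (not code from the original article or the lectures it is based on), the following script triages VPC Flow Log records for one instance. It assumes the default flow-log record format and an instance whose private IP is 10.0.1.23; the records themselves are constructed for the example, using documentation IP ranges for the external hosts. It separates what the instance sent out (the question an abuse notice usually raises) from what reached it, and from what the security group already rejected.

```python
"""Triage VPC Flow Log records for a suspected EC2 instance.

Added example, not code from the original article. It parses records in the
default VPC Flow Logs format, splits them into flows leaving and flows reaching
the instance, and summarises who the instance talked to and who probed it.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 ranges: anything outside these is treated as an external host.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (default format, space separated):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
# The instance under investigation has private IP 10.0.1.23 (assumed).
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.10 49812 6667 6 120 18400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.7 49900 443 6 40 6200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.23 53122 22 6 5 320 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.44 10.0.1.23 53123 3389 6 5 320 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.10 49813 6667 6 980 150000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 10.0.2.15 50000 3306 6 30 4100 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000120 1700000180 - NODATA
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: int
    packets: int
    nbytes: int
    action: str


def parse_flow_logs(text):
    """Parse default-format records; NODATA/SKIPDATA rows carry no addresses and are dropped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        flows.append(Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7]), int(f[8]), int(f[9]), f[12]))
    return flows


def is_rfc1918(ip):
    """Explicit RFC 1918 test (ipaddress.is_private would also match documentation ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def triage(text, instance_ip):
    """Summarise all flows touching instance_ip.

    outbound_external / outbound_internal: bytes the instance sent per (dst, port),
        split on whether dst is inside RFC 1918 space (likely another VPC host).
    inbound_rejected: REJECTed inbound flows per destination port (probing noise
        that the security group already blocked).
    inbound_accepted: ACCEPTed inbound flows per (src, port): the paths an
        attacker could actually have used to reach the instance.
    """
    out_ext, out_int = defaultdict(int), defaultdict(int)
    in_rej, in_acc = defaultdict(int), defaultdict(int)
    for f in parse_flow_logs(text):
        if f.src == instance_ip and f.action == "ACCEPT":
            bucket = out_int if is_rfc1918(f.dst) else out_ext
            bucket[(f.dst, f.dst_port)] += f.nbytes
        elif f.dst == instance_ip:
            if f.action == "REJECT":
                in_rej[f.dst_port] += 1
            else:
                in_acc[(f.src, f.dst_port)] += 1
    return {
        "outbound_external": dict(out_ext),
        "outbound_internal": dict(out_int),
        "inbound_rejected": dict(in_rej),
        "inbound_accepted": dict(in_acc),
    }


def top_external_destinations(summary, n=3):
    """External (dst, port) pairs ranked by bytes sent: the first thing to look at."""
    items = summary["outbound_external"].items()
    return sorted(items, key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    result = triage(SAMPLE_FLOW_LOGS, "10.0.1.23")
    for (dst, port), sent in top_external_destinations(result):
        print(f"{dst}:{port}  {sent} bytes sent by the instance")
    print("rejected inbound probes by port:", result["inbound_rejected"])
```

In the constructed data the instance pushed about 168 KB to an external host on port 6667 while only a few KB went to a normal HTTPS destination; that asymmetry, not the rejected SSH and RDP probes, is what you would chase. On a real account you would feed the same parser the records delivered to CloudWatch Logs or S3, filtered to the suspect instance's network interface.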
If it is an access key that has been compromised, you have different strategies for mitigating it. IAM Access Advisor (the last-accessed information on the IAM user's Access Advisor tab) shows which services that user's credentials have reached and when each service was last used, but it reports at the user level, not per key, and only the most recent access. For a per-request record you turn to CloudTrail, which logs every API call with the access key ID, caller IP address, service, action and time, and to GuardDuty, which raises findings when those credentials are used anomalously (for example from an unfamiliar location or to enumerate the account). Together these give you an audit trail of what the key was used for. You can then take action by deactivating the compromised key and, if an application depends on it, creating a new key that takes over its function and rotating the application to it before deleting the old one. While you are in CloudTrail, also check whether the key was used to create users, keys or policy attachments, since that persistence survives the deactivation of the key itself.
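The following is an added example, not code from the original article, of the CloudTrail side of that triage. The events are constructed in the shape of a CloudTrail log file's "Records" array; the key ID is AWS's documented placeholder AKIAIOSFODNN7EXAMPLE, the user name deploy-bot and all IP addresses are assumptions for the example. The script pulls out every call made with the key, orders them in time, and answers the questions you need before deciding how to rotate: which services, from where, in which regions, and whether it touched IAM.

```python
"""Reconstruct what a suspected-compromised access key did from CloudTrail.

Added example, not from the original article. The events below are constructed
in the shape of a CloudTrail log file ("Records" array); the key ID is AWS's
documented placeholder AKIAIOSFODNN7EXAMPLE and the IPs are documentation ranges.
"""
from collections import defaultdict

KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # the key named in the (assumed) abuse notice

SAMPLE_CLOUDTRAIL = {"Records": [
    # Legitimate earlier use from inside the VPC (the key belongs to a deploy job).
    {"eventTime": "2024-03-01T09:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": KEY_ID}},
    # Suspicious burst from an unknown external address.
    {"eventTime": "2024-03-01T10:02:11Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": KEY_ID}},
    {"eventTime": "2024-03-01T10:02:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": KEY_ID}},
    {"eventTime": "2024-03-01T10:03:05Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": KEY_ID}},
    {"eventTime": "2024-03-01T10:03:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": KEY_ID}},
    # Unrelated key: must not appear in the timeline.
    {"eventTime": "2024-03-01T10:04:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]}

# IAM write actions that, if they succeeded, would give the attacker a foothold
# that survives deactivating the stolen key. Heuristic list, not an AWS definition.
IAM_PERSISTENCE_PREFIXES = ("Create", "Attach", "Put", "Update", "Add")


def events_for_key(records, key_id):
    """All events made with key_id, in time order (CloudTrail files are not sorted)."""
    hits = [e for e in records["Records"] if e.get("userIdentity", {}).get("accessKeyId") == key_id]
    return sorted(hits, key=lambda e: e["eventTime"])


def summarize_key_activity(records, key_id, known_ips=()):
    """Answer the triage questions: which services, from where, when, and did it touch IAM."""
    events = events_for_key(records, key_id)
    services = defaultdict(list)
    for e in events:
        services[e["eventSource"]].append(e["eventName"])
    ips = sorted({e["sourceIPAddress"] for e in events})
    return {
        "first_seen": events[0]["eventTime"] if events else None,
        "last_seen": events[-1]["eventTime"] if events else None,
        "services": dict(services),
        "regions": sorted({e["awsRegion"] for e in events}),
        "source_ips": ips,
        "unknown_ips": [ip for ip in ips if ip not in set(known_ips)],
        "denied": [(e["eventName"], e["errorCode"]) for e in events if "errorCode" in e],
        "iam_writes": [
            (e["eventName"], "errorCode" in e)  # (action, was it denied?)
            for e in events
            if e["eventSource"] == "iam.amazonaws.com" and e["eventName"].startswith(IAM_PERSISTENCE_PREFIXES)
        ],
    }


if __name__ == "__main__":
    s = summarize_key_activity(SAMPLE_CLOUDTRAIL, KEY_ID, known_ips={"10.0.1.23"})
    print("active", s["first_seen"], "to", s["last_seen"], "from", s["source_ips"])
    print("unexpected source IPs:", s["unknown_ips"])
    for svc, names in s["services"].items():
        print(f"  {svc}: {', '.join(names)}")
    print("IAM write attempts (action, denied):", s["iam_writes"])
```

Feeding the parser a baseline of the IPs the key normally calls from makes the attacker's source address fall out immediately, and the `iam_writes` entry tells you whether deactivating the key is enough or whether there is a new user or policy to clean up as well (here the CreateUser attempt was denied). For the last 90 days of management events you can pull the same data with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<key id>`, and the deactivation step itself is `aws iam update-access-key --user-name <user> --access-key-id <key id> --status Inactive`.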
*This article is based on Pearson IT Education materials and Chad Smith lectures