Lokesh Vangari

☁️ AWS GameDay: From Breach to Fix

Yesterday, I participated in AWS GameDay, a hands-on challenge designed to test real-world cloud problem-solving skills. The scenario was intense: our website, hosted on EC2 instances behind an Application Load Balancer (ALB), had been hacked and encrypted by ransomware! The task was to perform forensics on the compromised instances, secure the infrastructure, and restore the application without losing valuable data or uptime.

The setup consisted of:

  • 1 Application Load Balancer (ALB)

  • 1 Auto Scaling Group (ASG) configured to always maintain two healthy EC2 instances

  • A website hosted on those EC2 instances, which was now showing an encrypted ransom message

Initially, our instinct was to detach and replace the EC2 instances behind the ALB. However, the new instances were also being compromised immediately, meaning the attack source was still active. It became clear we needed to isolate, protect, and then restore in a controlled way.

🧩 Step-by-Step Solution

1. Isolate the Compromised Instances

The first priority was to stop the spread of the attack.
We created a new Security Group with no inbound or outbound rules and then attached it to the compromised EC2 instances.

This effectively disconnected them from the network, keeping them intact for forensic analysis while stopping any malicious activity from spreading to the new instances.

👉 After this step, the site naturally went down temporarily, as the instances were no longer reachable.
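A check worth running before relying on the quarantine group. This is an added example and not code from the original post; it inspects the JSON shape returned by `aws ec2 describe-security-groups` / boto3 `describe_security_groups` and `describe_instances` against constructed samples, so it runs offline. The group and instance IDs are placeholders. It encodes two things that are easy to miss in the console: a freshly created security group has no inbound rules but does carry a default outbound rule allowing all traffic to 0.0.0.0/0, so "no outbound rules" is only true after that egress rule is revoked; and because rules from every group on an interface are combined, the quarantine group must be the only group attached, not added alongside the old web group.

```python
"""Verify that a security group really is a quarantine group and that an
instance is really isolated by it. Added example; not the post's own code.
Works on describe-* output shapes without calling AWS."""
from typing import Dict, List

# Constructed sample: what a brand-new group looks like before any edits.
# GroupId is a placeholder.
FRESH_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "quarantine-sg",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
    ],
}

# Constructed sample: the same group after the default egress rule is revoked.
QUARANTINE_GROUP = {**FRESH_GROUP, "IpPermissionsEgress": []}


def open_rules(group: Dict) -> List[str]:
    """Describe every rule still present on the group, inbound and outbound."""
    found = []
    for direction, key in (("inbound", "IpPermissions"),
                           ("outbound", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            proto = perm.get("IpProtocol", "?")
            targets = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                       + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                       + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
                       + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])])
            for target in targets or ["<no target>"]:
                found.append(f"{direction} proto={proto} to/from {target}")
    return found


def is_quarantine_group(group: Dict) -> bool:
    """True only when the group has neither inbound nor outbound rules."""
    return not open_rules(group)


def revoke_default_egress_args(group: Dict) -> Dict:
    """Arguments for ec2.revoke_security_group_egress (or the matching
    `aws ec2 revoke-security-group-egress` flags) that remove the default
    allow-all outbound rule a new group is created with."""
    return {
        "GroupId": group["GroupId"],
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
        ],
    }


def instance_is_isolated(instance: Dict, quarantine_group_id: str) -> bool:
    """Rules from all groups on an interface are combined, so the instance is
    isolated only if the quarantine group is the ONLY group on each ENI."""
    enis = instance.get("NetworkInterfaces", [])
    if not enis:
        return False
    for eni in enis:
        group_ids = {g["GroupId"] for g in eni.get("Groups", [])}
        if group_ids != {quarantine_group_id}:
            return False
    return True


if __name__ == "__main__":
    print("fresh group still has:", open_rules(FRESH_GROUP))
    print("quarantine group ok:", is_quarantine_group(QUARANTINE_GROUP))
    print("revoke with:", revoke_default_egress_args(FRESH_GROUP))
```

Run `is_quarantine_group` on the group after creating it and again after revoking egress; only the second call should return `True`. After swapping the groups on each compromised instance, `instance_is_isolated` on its `describe_instances` entry confirms nothing else is still attached.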

2. Enable AWS WAF for Protection and Monitoring

Next, we implemented AWS Web Application Firewall (WAF) to add an extra layer of protection.
WAF helps monitor and block suspicious traffic before it reaches your application.

We configured it with:

  • Managed rule groups (to protect against common web exploits)

  • Custom rules to block specific IPs and patterns we noticed in malicious traffic logs

This ensured that when new instances were launched, they wouldn’t be instantly compromised again.
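The web ACL described above, written out as the request shape the WAFv2 CreateWebACL / UpdateWebACL APIs expect, with a lint pass for the mistakes that quietly produce a non-working ACL. This is an added example, not code from the original post; the IP set ARN, the blocked addresses and the rule names are constructed placeholders, and nothing here calls AWS. The ACL name and metric names are assumptions.

```python
"""Build and sanity-check an AWS WAFv2 web ACL for an ALB.
Added example; not the post's own code. Runs offline."""
import ipaddress
from typing import Dict, List

# Constructed sample: source addresses noted in malicious-traffic logs.
# WAF IP sets require CIDR notation, so one host is /32 (IPv4) or /128 (IPv6).
BLOCKED_IPV4 = ["192.0.2.44/32", "198.51.100.0/24"]
# Placeholder ARN; a real one is returned by wafv2 CreateIPSet.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-sources/PLACEHOLDER"


def visibility(metric_name: str) -> Dict:
    """CloudWatch/sampling settings every rule and the ACL itself must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(priority: int, vendor: str, name: str) -> Dict:
    # A managed rule group takes OverrideAction, not Action: the group's own
    # rules decide, and {"None": {}} means "do not override them".
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(name)}


def ip_block_rule(priority: int, ip_set_arn: str) -> Dict:
    # A plain rule takes Action; Block drops matching requests before the ALB.
    return {"Name": "block-known-bad-sources", "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("BlockKnownBadSources")}


def build_web_acl(ip_set_arn: str) -> Dict:
    return {"Name": "gameday-alb-acl",
            "Scope": "REGIONAL",             # REGIONAL for an ALB; CLOUDFRONT for distributions
            "DefaultAction": {"Allow": {}},  # allow whatever no rule blocked
            "Rules": [ip_block_rule(0, ip_set_arn),  # lowest priority number runs first
                      managed_rule(1, "AWS", "AWSManagedRulesCommonRuleSet")],
            "VisibilityConfig": visibility("GamedayAlbAcl")}


def lint_web_acl(acl: Dict) -> List[str]:
    """Return problems found; an empty list means the ACL passed every check."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate rule priorities")
    if acl["Scope"] not in ("REGIONAL", "CLOUDFRONT"):
        problems.append(f"unknown scope {acl['Scope']}")
    for r in acl["Rules"]:
        stmt = r["Statement"]
        is_group = ("ManagedRuleGroupStatement" in stmt
                    or "RuleGroupReferenceStatement" in stmt)
        if is_group and "Action" in r:
            problems.append(f"{r['Name']}: rule groups use OverrideAction, not Action")
        if is_group and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: rule group is missing OverrideAction")
        if not is_group and "Action" not in r:
            problems.append(f"{r['Name']}: rule has no Action")
        if "VisibilityConfig" not in r:
            problems.append(f"{r['Name']}: missing VisibilityConfig")
    return problems


def lint_ip_set(addresses: List[str], ip_version: str) -> List[str]:
    """An IP set is IPV4 or IPV6; every entry must be a CIDR of that version."""
    want = 4 if ip_version == "IPV4" else 6
    problems = []
    for addr in addresses:
        if "/" not in addr:
            problems.append(f"{addr}: must be CIDR notation (/32 or /128 for one host)")
            continue
        try:
            net = ipaddress.ip_network(addr, strict=True)  # host bits set is almost always a typo
        except ValueError as exc:
            problems.append(f"{addr}: {exc}")
            continue
        if net.version != want:
            problems.append(f"{addr}: does not match IP set version {ip_version}")
    return problems


if __name__ == "__main__":
    acl = build_web_acl(IP_SET_ARN)
    print("web ACL problems:", lint_web_acl(acl))
    print("IP set problems:", lint_ip_set(BLOCKED_IPV4, "IPV4"))
```

The block rule sits at priority 0 so known-bad sources are dropped before the managed rule group spends time on them; the managed group then covers the common exploit patterns for everything else. Logging (WAF logs to CloudWatch, S3 or Firehose) is configured separately from this ACL body and is what makes the "patterns we noticed" loop possible.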

3. Replace the Compromised Instances

With protection in place, it was safe to restore the website.
We navigated to the Auto Scaling Group (ASG) and used the “Detach and Replace” option.

This automatically:

  • Removed the compromised instances

  • Launched fresh, healthy EC2 instances

  • Registered them with the ALB

Once the new instances were up, the website came back online securely and began serving traffic normally.
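Two things a responder wants to be sure of around this step: the detach call (the API behind the console's detach flow is DetachInstances) must not lower the desired capacity, or the group will shrink instead of launching replacements; and after the swap, every in-service instance should be a fresh one launched after containment, with none of the compromised IDs left behind. The following is an added example, not code from the original post; it works on the output shapes of `describe_auto_scaling_groups` and `describe_instances` using constructed instance IDs and timestamps, and does not call AWS.

```python
"""Plan the ASG detach and verify the replacement afterwards.
Added example; not the post's own code. Runs offline on constructed data."""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed: when the quarantine security group was attached.
CONTAINED_AT = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
# Constructed placeholder IDs of the two hacked instances.
COMPROMISED = ["i-0aaa000000000001", "i-0aaa000000000002"]

# Constructed sample shaped like describe_auto_scaling_groups()["AutoScalingGroups"][0]
ASG_AFTER = {
    "AutoScalingGroupName": "web-asg",
    "DesiredCapacity": 2, "MinSize": 2, "MaxSize": 4,
    "Instances": [
        {"InstanceId": "i-0bbb000000000003", "LifecycleState": "InService",
         "HealthStatus": "Healthy"},
        {"InstanceId": "i-0bbb000000000004", "LifecycleState": "InService",
         "HealthStatus": "Healthy"},
    ],
}
# Constructed sample: describe_instances() flattened to {InstanceId: instance}
INSTANCES_AFTER = {
    "i-0bbb000000000003": {"LaunchTime": datetime(2025, 1, 1, 12, 20, tzinfo=timezone.utc)},
    "i-0bbb000000000004": {"LaunchTime": datetime(2025, 1, 1, 12, 21, tzinfo=timezone.utc)},
}


def detach_args(asg_name: str, instance_ids: List[str]) -> Dict:
    """Arguments for autoscaling.detach_instances. ShouldDecrementDesiredCapacity
    stays False so the group launches replacements instead of shrinking; the
    detached (quarantined) instances are left running for forensics."""
    return {"AutoScalingGroupName": asg_name,
            "InstanceIds": list(instance_ids),
            "ShouldDecrementDesiredCapacity": False}


def verify_replacement(asg: Dict, instances: Dict, compromised: List[str],
                       contained_at: datetime) -> List[str]:
    """Return problems found; an empty list means the swap completed cleanly."""
    problems = []
    healthy = [i for i in asg["Instances"]
               if i["LifecycleState"] == "InService" and i["HealthStatus"] == "Healthy"]
    if len(healthy) < asg["DesiredCapacity"]:
        problems.append(f"only {len(healthy)} healthy of desired {asg['DesiredCapacity']}")
    for member in asg["Instances"]:
        iid = member["InstanceId"]
        if iid in compromised:
            problems.append(f"{iid}: compromised instance still in the group")
            continue
        launch = instances.get(iid, {}).get("LaunchTime")
        if launch is None:
            problems.append(f"{iid}: launch time unknown")
        elif launch < contained_at:
            problems.append(f"{iid}: launched before containment at {contained_at.isoformat()}")
    return problems


if __name__ == "__main__":
    print("detach with:", detach_args("web-asg", COMPROMISED))
    print("post-swap problems:", verify_replacement(ASG_AFTER, INSTANCES_AFTER,
                                                     COMPROMISED, CONTAINED_AT))
```

Pair `verify_replacement` with the ALB target group's health check (`describe_target_health`) before declaring the site restored: an instance can be InService in the ASG while the target group still reports it unhealthy.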

✅ Final Outcome

By following this structured approach:

  • We preserved one compromised instance for forensic investigation.

  • We blocked the attack vector using AWS WAF.

  • We restored normal website operations using Auto Scaling automation.

It was a great learning experience in incident response, security hardening, and AWS operational best practices.

AWS GameDay not only tested our technical knowledge but also emphasized the importance of process, containment, and prevention in real-world security scenarios.
