Skip to content

Field Notes

AWS EC2 Blocked for Outbound Abuse: Investigation and Recovery

An incident-response workflow for AWS abuse notices, suspicious outbound SSH behavior, containment, evidence review and staged restoration.

EC2 incident-response workflowAWS noticeIsolatePreserve evidenceInvestigateRebuild / restoreMonitor
EC2 incident-response workflow
Recovery stage Action Evidence required
Contain Restrict unnecessary egress Flow and connection records
Investigate Correlate host and AWS evidence Timeline and preserved volume
Restore Use trusted build or controlled path Clean baseline and staged monitoring
On this page

Environment covered: AWS EC2, VPC, Linux, NACLs, security groups and web workloads

Incident context

Outbound abuse reports often arrive with limited public detail. Treat the instance as potentially compromised until evidence proves otherwise, especially when the report mentions outbound SSH, scanning or repeated connection attempts.

Notify stakeholdersContain egressPreserve evidenceInvestigate persistenceStage restoration

Immediate containment

  • Snapshot the instance or attached volumes before invasive cleanup.
  • Restrict outbound traffic with security groups or NACLs while preserving DNS and NTP when needed.
  • Avoid deleting suspicious files before recording paths, owners and timestamps.
  • Move public exposure behind maintenance controls if the workload is customer-facing.

Preserve evidence

last -a
sudo ss -plant
sudo ps auxfw
sudo crontab -l
sudo find /tmp /var/tmp /dev/shm -maxdepth 2 -type f -mtime -3 -ls

Web RCE can produce outbound traffic through wget, curl, tar extraction, reverse shells or dropped scripts. Review web access logs, application upload paths, shell history, cron, SSH keys and systemd units.

Temporary containment should block unnecessary outbound destinations without breaking required DNS, time sync, package mirrors or monitoring paths. Long-term prevention can include VPC endpoints, NAT gateway controls, AWS Network Firewall or explicit proxy patterns.

  • Patch the vulnerable web entry point or remove the exposed component.
  • Rotate credentials that may have been readable from the instance.
  • Restore outbound rules gradually and watch flow logs.
  • Reply to AWS with containment, root-cause and prevention actions once evidence is ready.

Record the AWS notice time, instance ID, public and private addresses, security-group changes, deployments and first observed suspicious connection. Use CloudTrail to establish who changed network or IAM controls. Preserve EBS snapshots and copy volatile facts such as processes, sockets, logged-in users and loaded units before rebooting. A reboot may stop abuse, but it also destroys useful memory and process evidence.

aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=i-0123456789abcdef0
aws ec2 describe-flow-logs
sudo ss -tpna
sudo lsof -nP +L1
sudo systemctl list-units --type=service --state=running

Security groups are stateful and cannot express deny rules. Replacing egress with a narrow allow-list can contain common abuse, but existing connections may persist briefly. A subnet NACL can enforce a deny, although an incorrect rule can also cut SSM, DNS and response traffic. For high-confidence isolation, move a forensic copy into an isolated subnet and stop the original only after evidence and business continuity are protected.

Do not trust the instance to investigate itself

A compromised root user can alter ps, logs and shell utilities. Compare host findings with external evidence: VPC Flow Logs, load-balancer logs, CloudFront logs, GuardDuty findings, DNS query logs and AWS API history. Mount a snapshot read-only on a clean analysis host when file integrity matters.

Trace the initial access path

Work backward from the first suspicious outbound flow. Correlate its source port and process window with web requests, authentication logs and deployment changes. For a web workload, inspect upload directories, writable plugin or theme paths, recently modified PHP files, unexpected executables and child processes spawned by the web-server UID. For SSH, review authorized_keys, failed logins and source addresses rather than assuming password compromise.

sudo journalctl --since '2026-07-13 00:00:00' --output=short-iso
sudo find /var/www /tmp /var/tmp /dev/shm -xdev -type f -newermt '2026-07-13' -printf '%TY-%Tm-%Td %TT %u %m %pn'
sudo grep -RInE 'curl|wget|base64_decode|shell_exec' /var/www --include='*.php'

Decide whether to clean or rebuild

Rebuilding from a trusted image is the default when root compromise, unknown persistence or credential exposure is plausible. In-place cleaning is defensible only when the entry point and complete change set are bounded, integrity can be established, and rebuild risk is greater than residual compromise risk. Preserve the old volume for analysis; do not use it as the source of executable application code.

Credential and data exposure review

  • Rotate instance-readable application, database and API credentials.
  • Invalidate unexpected SSH keys and review IAM role use in CloudTrail.
  • Check whether IMDSv1 was enabled and require IMDSv2.
  • Review object-store and database access from the incident role.
  • Notify data owners if logs show access beyond the expected workload.

Controlled restoration

Deploy a patched workload from trusted source, restore only reviewed data, then open required egress by destination and port. Watch Flow Logs and process creation during each stage. Validate application behavior, SSM access, DNS, time synchronization and monitoring before public traffic returns. Send AWS a concise timeline covering containment, identified entry point, credential rotation and preventive controls.

Prevention controls

  • Use IMDSv2 and least-privilege instance roles.
  • Keep application code immutable and uploads non-executable.
  • Centralize logs where the host cannot rewrite history.
  • Baseline outbound destinations and alert on unusual ports or volume.
  • Patch internet-facing components and rehearse clean rebuilds.

For WordPress, Drupal or PHP, compare core, plugin, module and theme files with trusted release artifacts. Treat writable code directories, executable uploads and unexpected administrator accounts as high-value findings. Search access logs for requests immediately before child processes or newly written files appeared, including encoded parameters and upload endpoints. A malicious-looking file is evidence, not automatically the initial access path; it may be a second-stage payload dropped through a different vulnerable component.

For containerized workloads on EC2, preserve container metadata, image digests, overlay paths and orchestration events. A clean host filesystem does not exclude a compromised container, and replacing a container does not remove a stolen IAM credential. Review task or instance role calls from CloudTrail, Secrets Manager and SSM access, registry pulls and deployment identities. Determine whether the attacker could reach the Docker socket or host namespace, because that changes the trust boundary for rebuilding.

List each required outbound dependency with owner, destination, protocol and business reason. Restore DNS and time first when they are controlled, then monitoring and required application APIs. Observe flow volume and destination changes between gates. Avoid broad HTTPS egress as a convenience if the workload can use VPC endpoints, an explicit proxy or stable provider ranges. The goal is not a permanently disconnected server; it is a network policy whose normal behavior is understandable enough that the next anomaly is visible.

A useful closure report states what was observed, when containment occurred, what entry path was confirmed or remains uncertain, which credentials were rotated, how the replacement was built and what controls changed. Distinguish facts from hypotheses. Include monitoring duration after restoration and the owner for remaining actions. For AWS, answer the reported behavior directly and provide enough containment and prevention detail to show the resource is no longer a threat without exposing private customer data.

After recovery, rehearse the same process using a benign outbound test from a disposable instance. Confirm Flow Logs arrive quickly enough, alerts identify the source, isolation preserves SSM or the chosen access path, and a trusted image can be deployed with reviewed data. Recovery speed comes from prepared evidence sources and immutable deployment, not from becoming faster at cleaning an unknown host.

Incident Closure Checklist

Evidence preserved

  • Original AWS notification recorded
  • Relevant Flow Logs and CloudTrail events captured
  • Snapshot or forensic copy retained
  • Volatile host state documented before reboot

Entry path addressed

  • Vulnerable component patched or removed
  • Writable code and upload paths reviewed
  • Persistence mechanisms checked
  • Fleet-wide exposure assessed

Credentials reviewed

  • Instance-readable credentials rotated
  • Unexpected SSH keys removed
  • IAM activity reviewed
  • Data-access scope evaluated

Trusted restoration

  • Replacement built from trusted source
  • Only reviewed data restored
  • Egress restored in controlled stages
  • Monitoring verified after reopening traffic

Incident closure

  • AWS response completed
  • Residual uncertainty documented
  • Monitoring window defined
  • Follow-up owners assigned

References and further reading

Related technical guidance

Need a second set of eyes?

Working through a similar production issue?

Discuss the technical context