Isolating EC2 Instances for Forensic Inspection

From Cramsession



The best way to do this is to create a dedicated forensic account.

  • Keeping the EC2 instance inside the production account can be dangerous.
  • Any malicious software on it could spread to other production systems.

Isolate it

  • Isolate the problem instance from everything else.
  • Remove it from the production network.
  • Prevent access to the instance.


How to isolate

  • Create a snapshot of the instance.
  • Share the snapshot with the forensic account.
  • Take a memory dump of the instance if possible.
  • Change the security group of the instance to isolate it quickly.
  • This approach also preserves as much evidence as possible.
  • Any changes you make may appear in the logs, which is bad for the investigation.
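The isolation steps above as one AWS CLI script. This is an added example, not from the Cramsession notes: it swaps the instance's security groups for a freshly created group with no inbound and no outbound rules (the instance stays running so a memory dump is still possible), then snapshots each attached EBS volume and shares the snapshot with the forensic account. The account ID, case ID and instance ID are constructed placeholders; the CLI subcommands and flags are the real `aws ec2` ones.

```shell
#!/bin/sh
# Added example (not the page's own code): quarantine an EC2 instance, then
# snapshot its volumes and share them with a separate forensic account.
# Account and resource IDs below are placeholders. Needs the AWS CLI with
# credentials for the production account.

FORENSIC_ACCOUNT_ID="${FORENSIC_ACCOUNT_ID:-111122223333}"   # placeholder forensic account
CASE_ID="${CASE_ID:-IR-0001}"                                 # placeholder case reference

# Create a security group with no inbound and no outbound rules. A new group is
# used so that no other production instance is touched.
make_isolation_sg() {
  vpc_id="$1"
  sg_id=$(aws ec2 create-security-group \
      --group-name "forensic-isolation-$CASE_ID" \
      --description "Quarantine for case $CASE_ID: no inbound, no egress" \
      --vpc-id "$vpc_id" \
      --query 'GroupId' --output text)
  # New groups allow all outbound traffic by default; remove that rule.
  aws ec2 revoke-security-group-egress --group-id "$sg_id" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' >/dev/null
  echo "$sg_id"
}

# Replace every security group on the instance with the isolation group.
# The instance keeps running, so RAM is preserved for a later memory dump.
isolate_instance() {
  instance_id="$1"; sg_id="$2"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$sg_id"
}

# Snapshot each EBS volume attached to the instance and grant the forensic
# account createVolumePermission, so it can build volumes from the snapshot.
snapshot_and_share() {
  instance_id="$1"
  volumes=$(aws ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
      --output text)
  for vol in $volumes; do
    snap_id=$(aws ec2 create-snapshot --volume-id "$vol" \
        --description "Forensic image of $vol from $instance_id ($CASE_ID)" \
        --query 'SnapshotId' --output text)
    aws ec2 modify-snapshot-attribute --snapshot-id "$snap_id" \
        --attribute createVolumePermission --operation-type add \
        --user-ids "$FORENSIC_ACCOUNT_ID"
    echo "$snap_id"
  done
}

# Full sequence: cut the instance off first (fastest containment), then capture
# the disks. Prints the snapshot IDs that were shared.
quarantine() {
  instance_id="$1"
  vpc_id=$(aws ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[].Instances[].VpcId' --output text)
  sg_id=$(make_isolation_sg "$vpc_id")
  isolate_instance "$instance_id" "$sg_id"
  snapshot_and_share "$instance_id"
}

# Usage: ./quarantine.sh i-0123456789abcdef0   (placeholder instance id)
if [ -n "${1:-}" ]; then
  quarantine "$1"
fi
```

Two practical caveats: a snapshot encrypted with the default AWS-managed EBS key cannot be shared with another account, so volumes that need to cross into the forensic account have to be encrypted with a customer-managed KMS key that the forensic account is allowed to use; and each call above is an API action that lands in CloudTrail, so keep the sequence short and record the case ID in the descriptions rather than making further ad hoc changes to the instance.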