How to automate incident response for Amazon EKS on Amazon EC2

Security Blog



This article discusses how to automate incident response for Amazon EKS (Elastic Kubernetes Service) clusters running on Amazon EC2, addressing the unique challenges of handling security events in Kubernetes environments.

  • Key differences between EC2 and EKS incident response include:
    • Multiple pods can run on a single EC2 instance
    • Specialized tools like kubectl are needed for investigation
    • Network isolation requires different approaches (cordoning nodes, network policies)
  • The solution provides an automated workflow for:
    • Detecting GuardDuty security findings
    • Capturing forensic evidence (memory and disk snapshots)
    • Isolating compromised EKS resources
    • Investigating forensic artifacts
  • The automated solution uses AWS services like:
    • Step Functions
    • EventBridge
    • Security Hub
    • Systems Manager

The article emphasizes the importance of understanding Kubernetes architecture and working closely with security and application teams when implementing automated incident response solutions.
