EC2 Instance Isolation with Tags

Automatically tag EC2 instances to enable automated isolation for incident response and security containment.

Overview

EC2 instances can be automatically isolated (contained) during security incidents by applying specific tags. This enables rapid incident response by logically isolating compromised or suspicious instances from the network. TagOps can automatically apply isolation tags to instances, ensuring they are consistently included in automated isolation workflows.

What TagOps Can Do

TagOps can automatically tag EC2 instances with the tags required for automated isolation:

  • Automatic Tagging: TagOps rules automatically apply isolation tags like Isolation: Required or Containment: True to EC2 instances when they are created or discovered
  • Conditional Tagging: Create rules to tag only specific instances based on security criteria (e.g., instances matching threat indicators, instances in certain regions, or instances with specific characteristics)
  • Incident Response Integration: Tag instances automatically as part of security incident response workflows (e.g., when GuardDuty detects threats or when security analysts identify suspicious activity)
  • Consistent Coverage: Ensure all instances that need isolation have the required tags, enabling rapid containment during security events
  • Environment-Based Tagging: Use different tag values for different environments to enable separate isolation policies (e.g., Isolation: Production, Isolation: Development)

Example TagOps Rule

Create a TagOps rule to automatically tag instances for isolation:

  • Condition: Resource type is ec2:instance and tag SecurityStatus equals Compromised
  • Action: Add tag Isolation: Required

TagOps will automatically apply these tags to instances, which can then trigger Lambda functions or other automation tools to isolate the instance by applying isolation security groups, disassociating IAM roles, and preventing network communication.
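As an added example (not TagOps' own code), the following Lambda handler shows the downstream side of that workflow: it reacts to the Isolation: Required tag, swaps the instance's security groups for a quarantine group, detaches the IAM instance profile and records the result as a tag. It assumes the handler is invoked with an EventBridge "Tag Change on Resource" event, that a rule-free quarantine security group ID is supplied in the ISOLATION_SG_ID environment variable, and that boto3 is available inside Lambda; the sample event, account and instance IDs are constructed.

```python
import os
# Tag that TagOps applies (from the rule above) and that this handler reacts to.
ISOLATION_TAG = ("Isolation", "Required")

# Constructed sample of the EventBridge "Tag Change on Resource" event (source aws.tag)
# delivered after the tag is applied; account, region and instance ID are made up.
SAMPLE_EVENT = {
    "source": "aws.tag", "detail-type": "Tag Change on Resource",
    "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def4567890"],
    "detail": {"service": "ec2", "resource-type": "instance", "changed-tag-keys": ["Isolation"],
               "tags": {"Isolation": "Required", "SecurityStatus": "Compromised"}},
}

def should_isolate(event):
    """Return the instance ID when the event applies Isolation: Required to an EC2 instance."""
    detail = event.get("detail", {})
    if detail.get("service") != "ec2" or detail.get("resource-type") != "instance":
        return None
    if detail.get("tags", {}).get(ISOLATION_TAG[0]) != ISOLATION_TAG[1]:
        return None
    arn = (event.get("resources") or [""])[0]   # arn:aws:ec2:<region>:<account>:instance/<id>
    return arn.rsplit("/", 1)[-1] if arn.startswith("arn:aws:ec2:") else None

def plan_isolation(ec2, instance_id, isolation_sg):
    """Ordered list of (EC2 API call, kwargs) that contains the instance."""
    # 1. Replace every security group with the quarantine group, which has no inbound or
    #    outbound rules and must be in the instance's VPC: no new network communication.
    actions = [("modify_instance_attribute", {"InstanceId": instance_id, "Groups": [isolation_sg]})]
    # 2. Detach the IAM instance profile so the instance's role credentials stop refreshing.
    assoc = ec2.describe_iam_instance_profile_associations(Filters=[
        {"Name": "instance-id", "Values": [instance_id]}, {"Name": "state", "Values": ["associated"]}])
    for a in assoc.get("IamInstanceProfileAssociations", []):
        actions.append(("disassociate_iam_instance_profile", {"AssociationId": a["AssociationId"]}))
    # 3. Record the outcome on the instance for analysts and downstream automation.
    actions.append(("create_tags", {"Resources": [instance_id],
                                    "Tags": [{"Key": "IsolationStatus", "Value": "Isolated"}]}))
    return actions

def lambda_handler(event, context=None, ec2=None, isolation_sg=None):
    """Lambda entry point; env var ISOLATION_SG_ID names the quarantine security group."""
    instance_id = should_isolate(event)
    if instance_id is None:
        return {"isolated": None, "actions": []}
    if ec2 is None:                     # a client is injected in tests; boto3 only inside Lambda
        import boto3
        ec2 = boto3.client("ec2")
    actions = plan_isolation(ec2, instance_id, isolation_sg or os.environ["ISOLATION_SG_ID"])
    for name, kwargs in actions:
        getattr(ec2, name)(**kwargs)
    return {"isolated": instance_id, "actions": [name for name, _ in actions]}
```

The handler only acts on events whose service is ec2, whose resource type is instance and whose tags carry exactly Isolation: Required, so other tag changes on the same instance are ignored.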

Additional Resources