Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.3.2.4. Modifying Infrastructure Configurations in Response to Events

Event-driven infrastructure modification closes the loop between detection and remediation — reducing mean time to repair from hours (human response) to seconds (automated response).

Common automated responses:
| Event | Automated Response | Service Chain |
| --- | --- | --- |
| EC2 instance fails health check | Replace instance | ASG self-healing |
| Security group opened to 0.0.0.0/0 | Remove the rule | Config rule → SSM Automation |
| Unencrypted EBS volume detected | Enable encryption | Config rule → Lambda |
| High CPU for 10 minutes | Scale out | CloudWatch alarm → ASG policy |
| GuardDuty: cryptocurrency mining | Isolate instance | EventBridge → Lambda → modify SG |
| RDS storage approaching limit | Increase storage | CloudWatch alarm → Lambda |

Instance isolation pattern (security incident response):

import boto3

def isolate_instance(instance_id):
    ec2 = boto3.client('ec2')

    # Look up the instance's VPC: the isolation SG must live in the same VPC
    instance = ec2.describe_instances(InstanceIds=[instance_id])['Reservations'][0]['Instances'][0]
    vpc_id = instance['VpcId']

    # Create isolation security group (a new SG has no inbound rules)
    isolation_sg = ec2.create_security_group(
        GroupName=f'isolation-{instance_id}',
        Description='Incident isolation - no traffic allowed',
        VpcId=vpc_id
    )
    # Remove the default allow-all egress rule (a new SG allows all outbound)
    ec2.revoke_security_group_egress(
        GroupId=isolation_sg['GroupId'],
        IpPermissions=[{'IpProtocol': '-1', 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]
    )
    # Replace the instance's security groups with the isolation SG only
    ec2.modify_instance_attribute(
        InstanceId=instance_id,
        Groups=[isolation_sg['GroupId']]
    )
    # Tag for investigation (the instance is kept running, not terminated)
    ec2.create_tags(Resources=[instance_id],
        Tags=[{'Key': 'SecurityStatus', 'Value': 'Isolated'}])
    return isolation_sg['GroupId']

Exam Trap: When isolating a compromised instance, don't terminate it; you need it for forensic investigation. Replace its security groups with an empty one (no inbound or outbound rules), take an EBS snapshot for evidence, and tag it. If the exam asks about incident response for a compromised instance, termination is the wrong answer: isolation plus forensics is the correct approach.
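The GuardDuty row of the table above, carried through as one EventBridge-triggered Lambda that isolates, snapshots and tags (and never terminates), as an added example that is not from the course material. The sample event, the severity threshold of 7 and the `ec2` injection parameter are assumptions made so the flow can be exercised without AWS access.

```python
try:
    import boto3  # only needed when the handler has to build a real client
except ImportError:  # the decision logic can still run without boto3 installed
    boto3 = None

# Constructed sample of the event EventBridge delivers for a GuardDuty finding
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def should_isolate(detail, min_severity=7):
    """Auto-isolate only high-severity crypto-mining findings (threshold assumed);
    anything else is left for a human to triage."""
    return detail["type"].startswith("CryptoCurrency:") and detail["severity"] >= min_severity

def isolate_and_preserve(instance_id, ec2):
    """Cut the instance off, then snapshot its volumes for forensics. Never terminates."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    sg = ec2.create_security_group(GroupName=f"isolation-{instance_id}",
                                   Description="Incident isolation - no traffic allowed",
                                   VpcId=inst["VpcId"])
    # A new SG has no inbound rules but one allow-all outbound rule; drop it.
    ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg["GroupId"]])
    # Evidence: one snapshot per attached EBS volume, taken after isolation
    snapshots = [ec2.create_snapshot(VolumeId=m["Ebs"]["VolumeId"],
                                     Description=f"Forensic evidence for {instance_id}")["SnapshotId"]
                 for m in inst.get("BlockDeviceMappings", []) if "Ebs" in m]
    ec2.create_tags(Resources=[instance_id] + snapshots,
                    Tags=[{"Key": "SecurityStatus", "Value": "Isolated"}])
    return {"instance": instance_id, "sg": sg["GroupId"], "snapshots": snapshots}

def lambda_handler(event, context=None, ec2=None):
    """EventBridge target: GuardDuty finding -> isolate (modify SG) -> snapshot -> tag.
    `ec2` is an injection point (assumed) so the flow can be tested without AWS."""
    detail = event["detail"]
    if not should_isolate(detail):
        return {"action": "none", "reason": "not a high-severity crypto-mining finding"}
    if ec2 is None:
        ec2 = boto3.client("ec2")
    return isolate_and_preserve(detail["resource"]["instanceDetails"]["instanceId"], ec2)
```

Deploy it as the Lambda target of an EventBridge rule matching `detail-type: GuardDuty Finding`; the Lambda role needs only the EC2 describe, security-group, snapshot and tag permissions used here, not TerminateInstances.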

Written by Alvin Varughese, Founder, 15 professional certifications