Topic 1 Question 197

AWS Certified Security - Specialty

Topic 1 Question 197
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes.

A security engineer needs to preserve all forensic evidence from one of the instances.

Which order of steps should the security engineer use to meet this requirement?
- Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
- Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
- Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
- Detach the instance from the Auto Scaling group. Deregister the instance from the ALB Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
ユーザの投票
コメント(14)
- 正解だと思う選択肢: B
  The correct order of steps to preserve all forensic evidence from an Amazon EC2 instance is:
  
  B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
  
  This sequence ensures that you capture both the memory and disk state of the instance before making any changes that could alter the evidence
  
  👍 3
  IPLogic2024/12/03
- 正解だと思う選択肢: D
  Correct answer is D. Instance should not be stopped
  
  👍 2
  gkaself2024/10/16
- 正解だと思う選択肢: B
  This order ensures that the volatile memory is captured before the instance is stopped, preserving all necessary forensic evidence.
  
  👍 2
  dhewa2024/10/21
シャッフルモード

ユーザの投票

コメント(14)