Examtopics

AWS Certified Security - Specialty
  • Topic 1 Question 284

    A company runs workloads that are spread across hundreds of Amazon EC2 instances. During a recent security incident, an EC2 instance was compromised and ran malware code until the company manually terminated the instance.

    The company is now using Amazon GuardDuty to detect malware on EC2 instances. A security engineer needs to implement a solution that automates a response when GuardDuty determines that an instance is infected. The solution must mitigate the incident and must comply with the AWS Well-Architected Framework guidance for incident response.

    Which solution will meet these requirements?

    • Configure AWS Systems Manager Run Command to run when a GuardDuty scan determines that an instance is infected. Use Run Command to remove all network adapters from the operating system of the infected instance. Use Run Command to also add a tag of “Infected” to the instance.

    • Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to delete all elastic network interfaces that are associated with the instance. Program the Lambda function to also add a tag of “Infected” to the instance.

    • Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to detach all Amazon Elastic Block Store (Amazon EBS) volumes from the instance. Program the Lambda function to also add a tag of “Infected” to the EBS volumes and to terminate the instance afterward.

    • Define a separate VPC to isolate EC2 instances. Define a security group that does not allow any network traffic. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to move the instance into the separate VPC and to assign the security group to the instance.
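As an added illustration of the automation the options describe (example code written for this page, not Examtopics content, and independent of which option the exam expects), the following Lambda handler consumes a GuardDuty finding delivered by EventBridge, swaps the instance's security groups for an empty quarantine group, and tags it, leaving the instance running for forensics. The `QUARANTINE_SG_ID` environment variable, the finding-type prefixes and the sample event are assumptions.

```python
"""Automated response to a GuardDuty EC2 finding (constructed example, not Examtopics content).
Invoked by an EventBridge rule on "GuardDuty Finding" events. Assumes QUARANTINE_SG_ID names
a security group with no inbound or outbound rules."""
import os

# Finding-type prefixes treated as "this instance is infected" (assumption for this example).
MALWARE_FINDING_PREFIXES = ("Execution:EC2/", "Execution:Runtime/")

SAMPLE_EVENT = {  # constructed, trimmed GuardDuty finding as EventBridge delivers it
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Execution:EC2/MaliciousFile", "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def instance_id_from_finding(event):
    """Return the instance ID from a GuardDuty finding, or None if it is not about an EC2 instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")

def should_quarantine(event, min_severity=4.0):
    """True for malware/execution findings at Medium severity (4.0) or above."""
    detail = event.get("detail", {})
    return (detail.get("type", "").startswith(MALWARE_FINDING_PREFIXES)
            and float(detail.get("severity", 0)) >= min_severity)

def quarantine_instance(ec2, instance_id, quarantine_sg_id):
    """Swap the instance's security groups for the quarantine group and tag it.
    The instance keeps running, so memory and disk stay available for forensics.
    Returns the previous group IDs, which are also recorded in a tag for recovery."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg_id])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": "Infected", "Value": "true"},
                          {"Key": "PreviousSecurityGroups", "Value": ",".join(previous)}])
    return previous

def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported here so the module also loads outside Lambda."""
    import boto3  # provided by the AWS Lambda Python runtime
    instance_id = instance_id_from_finding(event)
    if not instance_id or not should_quarantine(event):
        return {"action": "ignored"}
    previous = quarantine_instance(boto3.client("ec2"), instance_id, os.environ["QUARANTINE_SG_ID"])
    return {"action": "quarantined", "instanceId": instance_id, "previousSecurityGroups": previous}
```

The EventBridge rule that invokes it should match `source: aws.guardduty` and `detail-type: GuardDuty Finding`, and the Lambda role needs only `ec2:DescribeInstances`, `ec2:ModifyInstanceAttribute` and `ec2:CreateTags`.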
