Topic 1 Question 3

AWS Certified Security - Specialty

Topic 1 Question 3
A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances. The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements: A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes. A compromised EC2 instance's metadata must be updated with corresponding incident ticket information. A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware. Any investigative activity during the collection of volatile data must be captured as part of the process. Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead?

3 つ選択
- Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
- Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
- Use Systems Manager Run Command to invoke scripts that collect volatile data.
- Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
- Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.
- Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.
ユーザの投票
コメント(14)
- 正解だと思う選択肢: ACE
  The reason it is not "B" is because you cannot move a running instance into a different subnet.
  
  👍 21
  pupsik2023/10/26
- ACE. B is incorrect because once a EC2 instance created, it could not be moved to other subnets
  
  👍 3
  0dd2023/10/07
- 正解だと思う選択肢: ACE
  between C and D, D is a traditional method which has more overhead: need to preconfigure instance connectivity to external storage medium for writing memory And it risk altering the memory and storage artifacts in the process. Using system manager is a comparatively better way.
  
  https://d1.awsstatic.com/events/aws-reinforce-2022/TDR401_Instance-memory-acquisition-techniques-for-effective-incident-response.pdf
  
  👍 2
  Daniel762023/12/17
シャッフルモード

ユーザの投票

コメント(14)