Topic 1 Question 46
A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances. The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22. After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked. What should the security engineer do to isolate the target instance?
A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
Comments (17)
- Selected answer: B
There is no need for SSH port 22 since Systems Manager Session Manager can give the necessary access that the security team needs to the EC2 instances.
👍 8 AgboolaKun 2023/11/05
- Selected answer: C
Guys, keep it simple. The task is "What should the security engineer do to isolate the target instance?"
Adding deny rules for both inbound and outbound traffic ensures that all communications to and from the instance are blocked, effectively isolating the instance.
After the completion of the REQUIRED task, the engineer will allow the forensic team to add either AWS Systems Manager Session Manager or NACL to accomplish the SECOND part of the task.
👍 4 mzeynalli 2024/11/08
On the other hand, if you have a narrower inbound rule that initially allows an SSH connection (meaning that the connection was tracked), but change that rule to no longer allow new connections from the address of the current SSH client, the existing SSH connection is not interrupted because it is tracked.
Hence, a NACL would block the connection immediately.
👍 3 Zek 2024/05/10
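As an added example (not from the question or any commenter), the network ACL of option C modelled in Python: the rule set allows only an assumed forensics CIDR on TCP/22 and denies everything else, and a first-match evaluator shows why packets of an already-tracked SSH session are dropped by the stateless ACL while the security group change in the question left that session open. The `to_boto3_kwargs` helper maps each entry onto the real `ec2.create_network_acl_entry` call; the CIDRs and ACL id are constructed placeholders.

```python
# Model of the isolation network ACL: allow only the forensics CIDR on
# TCP/22, deny all other traffic. Network ACLs are stateless and evaluated
# in rule-number order, so the deny entries also drop packets of an SSH
# session that a security group keeps open as a tracked connection.
# Caveat: a network ACL applies to every instance in the subnet.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class AclEntry:
    rule_number: int
    egress: bool
    protocol: str          # "6" = TCP, "-1" = all protocols
    action: str            # "allow" or "deny"
    cidr: str
    from_port: int = 0     # ignored when protocol is "-1"
    to_port: int = 0


def isolation_entries(forensics_cidr: str) -> list[AclEntry]:
    """Rule set for the target subnet, in evaluation order."""
    net = ipaddress.ip_network(forensics_cidr)   # rejects malformed input
    if net.prefixlen == 0:
        raise ValueError("forensics CIDR must be narrower than 0.0.0.0/0")
    cidr = str(net)
    return [
        AclEntry(100, False, "6", "allow", cidr, 22, 22),       # SSH in
        AclEntry(100, True, "6", "allow", cidr, 1024, 65535),   # replies out
        AclEntry(200, False, "-1", "deny", "0.0.0.0/0"),        # deny all in
        AclEntry(200, True, "-1", "deny", "0.0.0.0/0"),         # deny all out
    ]


def permits(entries, egress, protocol, port, peer_ip) -> bool:
    """First-match evaluation of one packet (port = destination port); no match is an implicit deny."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted(entries, key=lambda e: e.rule_number):
        if e.egress != egress or e.protocol not in ("-1", protocol):
            continue
        if e.protocol != "-1" and not (e.from_port <= port <= e.to_port):
            continue
        if peer in ipaddress.ip_network(e.cidr):
            return e.action == "allow"
    return False


def to_boto3_kwargs(entry: AclEntry, acl_id: str) -> dict:
    """Keyword arguments for boto3 ec2.create_network_acl_entry(**kwargs)."""
    kwargs = dict(NetworkAclId=acl_id, RuleNumber=entry.rule_number, Protocol=entry.protocol,
                  RuleAction=entry.action, Egress=entry.egress, CidrBlock=entry.cidr)
    if entry.protocol == "6":
        kwargs["PortRange"] = {"From": entry.from_port, "To": entry.to_port}
    return kwargs
```

The remaining part of option C, associating the new ACL with the target subnet, is a separate `replace_network_acl_association` call and is not modelled here.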