
Exam AWS Certified Security - Specialty topic 1 question 490 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 490
Topic #: 1

A security engineer receives a notice from the AWS Abuse team about suspicious activity from a Linux-based Amazon EC2 instance that uses Amazon Elastic Block Store (Amazon EBS)-based storage. The instance is making connections to known malicious addresses.

The instance is in a development account within a VPC that is in the us-east-1 Region. The VPC contains an internet gateway and has a subnet in us-east-1a and us-east-1b. Each subnet is associated with a route table that uses the internet gateway as a default route. Each subnet also uses the default network ACL. The suspicious EC2 instance runs within the us-east-1b subnet. During an initial investigation, a security engineer discovers that the suspicious instance is the only instance that runs in the subnet.

Which response will immediately mitigate the attack and help investigate the root cause?

  • A. Log in to the suspicious instance and use the netstat command to identify remote connections. Use the IP addresses from these remote connections to create deny rules in the security group of the instance. Install diagnostic tools on the instance for investigation. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule during the investigation of the instance.
  • B. Update the outbound network ACL for the subnet in us-east-1b to explicitly deny all connections as the first rule. Replace the security group with a new security group that allows connections only from a diagnostics security group. Update the outbound network ACL for the us-east-1b subnet to remove the deny all rule. Launch a new EC2 instance that has diagnostic tools. Assign the new security group to the new EC2 instance. Use the new EC2 instance to investigate the suspicious instance.
  • C. Ensure that the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to the suspicious EC2 instance will not delete upon termination. Terminate the instance. Launch a new EC2 instance in us-east-1a that has diagnostic tools. Mount the EBS volumes from the terminated instance for investigation.
  • D. Create an AWS WAF web ACL that denies traffic to and from the suspicious instance. Attach the AWS WAF web ACL to the instance to mitigate the attack. Log in to the instance and install diagnostic tools to investigate the instance.
Suggested Answer: B
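The containment sequence of answer B expressed as EC2 API calls through boto3, as an added example that is not part of the exam question or the forum comments. The resource IDs are placeholders, the quarantine group's SSH-only ingress rule is an assumption, and RecordingClient is an offline stand-in for a real `boto3.client("ec2")`.

```python
"""Answer B as boto3 EC2 calls (added example). All IDs are placeholders;
pass a real boto3.client("ec2") instead of RecordingClient to run it for real."""

DENY_ALL_RULE = 1  # NACL rules are evaluated lowest-number-first, so 1 pre-empts the default allow (100)


def contain_and_prepare(ec2, nacl_id, instance_id, vpc_id, diag_sg_id):
    """Order matters:
    1. NACL deny-all egress: stops the outbound traffic at once (stateless, no login needed).
       Both subnets share the default NACL, so us-east-1a is blocked too until step 3.
    2. Swap the instance's security group for a quarantine group reachable only from the
       diagnostics group and with no egress, so isolation no longer depends on the NACL.
    3. Remove the NACL rule so a forensic instance can be launched and used in the subnet.
    Returns the quarantine security group id."""
    ec2.create_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=DENY_ALL_RULE,
                                 Protocol="-1", RuleAction="deny", Egress=True,
                                 CidrBlock="0.0.0.0/0")
    sg_id = ec2.create_security_group(GroupName=f"quarantine-{instance_id}",
                                      Description="forensic isolation",
                                      VpcId=vpc_id)["GroupId"]
    # Assumption: the diagnostics host reaches the instance over SSH only.
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "UserIdGroupPairs": [{"GroupId": diag_sg_id}]}])
    # A new SG allows all egress by default; revoke it so the instance cannot beacon out.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    ec2.delete_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=DENY_ALL_RULE, Egress=True)
    return sg_id


class RecordingClient:
    """Offline stand-in for the EC2 client: records every call in order."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api_name):
        def call(**kwargs):
            self.calls.append((api_name, kwargs))
            return {"GroupId": "sg-0quarantine"} if api_name == "create_security_group" else {}
        return call


if __name__ == "__main__":
    client = RecordingClient()
    contain_and_prepare(client, "acl-0placeholder", "i-0placeholder", "vpc-0placeholder", "sg-0diag")
    for api_name, kwargs in client.calls:
        print(api_name, kwargs)
```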

Comments

cloudenthusiast
Highly Voted 2 years ago
Selected Answer: B
By updating the outbound network ACL for the us-east-1b subnet to explicitly deny all connections as the first rule, any malicious outbound connections from the suspicious instance will be blocked, effectively mitigating the attack. By replacing the security group with a new security group that allows connections only from a diagnostics security group, you can restrict access to the suspicious instance. This ensures that only authorized connections from the diagnostics security group are allowed, limiting the potential for further compromise. Launching a new EC2 instance with diagnostic tools allows for a safe and isolated environment to investigate the suspicious instance. By assigning the new security group to the new EC2 instance, you maintain control over the network traffic and can carefully analyze and monitor the activities.
upvoted 6 times
yorkicurke
Most Recent 1 year, 5 months ago
Selected Answer: B
Option C: This could have worked, but as we know, that EC2 instance in us-east-1a cannot directly mount the EBS volume from us-east-1b. EBS volumes are tied to their Availability Zone and can only be attached to instances in the same zone.
upvoted 1 times
Amy2009
1 year, 5 months ago
Should be C. https://tushara2517.medium.com/forensic-investigation-of-amazon-compromised-ec2-instance-aedb2c15feee
upvoted 1 times
Green53
1 year, 11 months ago
Selected Answer: B
Eliminate D, Web ACL can't be applied to EC2 instances. Eliminate C, shutting down an instance loses access to whatever is in memory. Eliminate A, SGs do not block traffic. That leaves B. The question makes a point of stating it's the only instance in the subnet, so I'd be looking at NACLs.
upvoted 3 times
Toptip
1 year, 11 months ago
Selected Answer: B
Only B makes sense!
A - wrong: there is no DENY in SG.
C - wrong: you can't mount the same EBS to another AZ... also it's not recommended to terminate the instance without taking a snapshot.
D - WAF can't be associated to EC2 instance!
upvoted 3 times
p4v10
1 year, 12 months ago
Selected Answer: C
C makes the most sense to me! By terminating the instance, you immediately stop any potential malicious activity. By ensuring that the EBS volumes do not delete upon termination, you preserve the data for further analysis. Launching a new EC2 instance with diagnostic tools and mounting the EBS volumes from the terminated instance allows you to investigate what might have caused the suspicious activity.
upvoted 1 times
tsangckl
1 year, 11 months ago
Then you mean C is not correct... right?
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other