ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 284 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 284
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company runs workloads that are spread across hundreds of Amazon EC2 instances. During a recent security incident, an EC2 instance was compromised and ran malware code until the company manually terminated the instance.

The company is now using Amazon GuardDuty to detect malware on EC2 instances. A security engineer needs to implement a solution that automates a response when GuardDuty determines that an instance is infected. The solution must mitigate the incident and must comply with the AWS Well-Architected Framework guidance for incident response.

Which solution will meet these requirements?

  • A. Configure AWS Systems Manager Run Command to run when a GuardDuty scan determines that an instance is infected. Use Run Command to remove all network adapters from the operating system of the infected instance. Use Run Command to also add a tag of “Infected” to the instance.
  • B. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to delete all elastic network interfaces that are associated with the instance. Program the Lambda function to also add a tag of “Infected” to the instance.
  • C. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to detach all Amazon Elastic Block Store (Amazon EBS) volumes from the instance. Program the Lambda function to also add a tag of “Infected” to the EBS volumes and to terminate the instance afterward.
  • D. Define a separate VPC to isolate EC2 instances. Define a security group that does not allow any network traffic. Create an AWS Lambda function that runs when a GuardDuty scan determines that an instance is infected. Program the Lambda function to move the instance into the separate VPC and to assign the security group to the instance.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by jdx000 at Nov. 27, 2024, 4:59 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
awsleffe
Highly Voted 5 months, 4 weeks ago
Selected Answer: C
For (D) you can't move an EC2 to a different VPC.
upvoted 5 times
...
phmeeeee
Most Recent 2 months ago
Selected Answer: C
D - really? You can't move the EC2 instance on the new VPC, it seem good for isolation but cannnot So C. is correct.
upvoted 3 times
...
zhen234
3 months, 2 weeks ago
Selected Answer: D
To follow AWS Well-Architected Framework incident response best practices, the infected EC2 instance must be isolated to prevent further damage.
upvoted 1 times
...
FlyingHawk
4 months, 1 week ago
Selected Answer: C
Based on this doc, none of the above options is good, for a compromise ec2, we first need to isolate it with the security group and network ACL and turn on the termination protection, gather all metadata, then detach its EBS volume, tag it, then terminate it. I will select C.
upvoted 3 times
...
WhoSec
4 months, 2 weeks ago
Selected Answer: D
D is the only answer that is in compliance with AWS Well-Architected Framework: Incident Response Best Practices: The framework emphasizes automating incident response and isolating affected resources. Forensics Support: By isolating the instance instead of deleting or terminating it, the company retains the ability to perform forensic analysis and determine the root cause of the incident. Least Privilege Principle: The use of a specific security group for isolation limits unnecessary exposure.
upvoted 1 times
...
TareDHakim
4 months, 3 weeks ago
Selected Answer: C
cannot be D, as you can't move an instance to a different subnet, let alone a different vpc.
upvoted 4 times
...
youonebe
5 months ago
Selected Answer: D
B: This solution uses an AWS Lambda function to respond to a GuardDuty finding by deleting the elastic network interfaces (ENIs) associated with the infected instance. While this will disconnect the instance from the network, preventing further communication, deleting ENIs could have unintended consequences, such as disrupting the instance's availability or interrupting legitimate processes. C: Detaching the EBS volumes could prevent the malware from accessing persistent storage, and terminating the instance would stop the malware from running. This is a more thorough isolation and remediation approach. Adding a tag to the EBS volumes can also help with tracking and auditing. However, simply detaching EBS volumes might not prevent the malware from spreading if the instance is not immediately terminated. A more comprehensive action is required.
upvoted 3 times
FlyingHawk
4 months, 1 week ago
Is D practical? can you move it to another vpc after launching it?
upvoted 1 times
...
...
urbanmonk
5 months, 1 week ago
Selected Answer: C
Not D, EC2 instances CANNOT be moved to a differrent subnet/VPC.
upvoted 3 times
...
8acf42c
5 months, 2 weeks ago
Selected Answer: D
Effectively mitigates the incident while allowing forensic investigation
upvoted 1 times
...
Pmktechno
5 months, 2 weeks ago
Selected Answer: D
This approach isolates the compromised instance, preventing it from communicating with other instances and the internet, which helps contain the incident. It also aligns with best practices for incident response by ensuring that the infected instance is quarantined effectively.
upvoted 1 times
...
Curl8012
6 months, 1 week ago
Selected Answer: D
D for me
upvoted 3 times
...
jdx000
6 months, 2 weeks ago
Selected Answer: C
can not be B and D
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel