
Exam AWS Certified Security - Specialty topic 1 question 174 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 174
Topic #: 1

After multiple compromises of its Amazon EC2 instances, a company's Security Officer is mandating that memory dumps of compromised instances be captured for further analysis. A Security Engineer just received an EC2 abuse notification report from AWS stating that an EC2 instance running the most recent Windows Server 2019 Base AMI is compromised.
How should the Security Engineer collect a memory dump of the EC2 instance for forensic analysis?

  • A. Give consent to the AWS Security team to dump the memory core on the compromised instance and provide it to AWS Support for analysis.
  • B. Review memory dump data that the AWS Systems Manager Agent sent to Amazon CloudWatch Logs.
  • C. Download and run the EC2Rescue for Windows Server utility from AWS.
  • D. Reboot the EC2 Windows Server, enter safe mode, and select memory dump.
Suggested Answer: C

Comments

sanc
Highly Voted 3 years, 8 months ago
My take is C https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 23 times
DerekKey
Highly Voted 3 years, 7 months ago
C - https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 6 times
addy_prepare
Most Recent 1 year, 9 months ago
Selected Answer: C
C - for sure. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 1 times
ITGURU51
2 years, 1 month ago
The AWS best practice is to collect the forensic data from the host while it is still online. EC2Rescue for Windows Server enables the memory to be dumped while the instance is still running. Therefore, the answer is C. Also, the compromised host should have been isolated by a security group.
upvoted 3 times
jishrajesh
2 years, 5 months ago
Selected C
upvoted 1 times
dcasabona
2 years, 10 months ago
Selected Answer: C
EC2Rescue for Windows Server according to this https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 1 times
Sarksa
2 years, 10 months ago
Selected Answer: C
C is the answer as the exam expects the EC2Rescue knowledge.
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: C
EC2Rescue for Windows Server can collect the following data from active and offline instances: memory-dump ('Memory Dump File', 'Mini Dump Files'): collects any memory dump files that exist on the instance.
upvoted 1 times
salamshayk
3 years ago
Selected Answer: C
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 1 times
Ayusef
3 years, 7 months ago
This one is tricky, but it's C... You can enable memory metrics with SSM in B, but this question asks for a feature that is particular to EC2Rescue.
upvoted 3 times
kely
3 years, 7 months ago
B: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/Windows-Server-EC2Rescue.html
upvoted 2 times
viestner
3 years, 7 months ago
According to the link, it will be C, EC2Rescue.
upvoted 3 times
sunilrch
3 years, 7 months ago
C is perfect
upvoted 2 times
amatol15
3 years, 7 months ago
C - https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 2 times
examtaker12
3 years, 7 months ago
The answer is C. When it comes to taking a memory dump on Windows -> EC2Rescue for Windows Server. In B, only reviewing is mentioned. Since this is not a default behavior of SSM Agent, I think that it's wrong.
upvoted 1 times
stt
3 years, 7 months ago
B: "One method to invoke the SSM Agent is to target the Run Command through Amazon CloudWatch Events when the instance is tagged with a specific tag. For example, if you apply the Response=Isolate+MemoryCapture tag to an affected instance, you can configure Amazon CloudWatch Events to trigger" (AWS Whitepapers, AWS Security Incident Response Guide, p. 55).
upvoted 1 times
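The steps discussed in the ITGURU51, sapien45 and stt comments (mark the instance, isolate it, then collect with EC2Rescue while it is still online, driven through SSM Run Command) put together as one PowerShell script. This is an added example, not code from the exam page, from any of the commenters, or from AWS. It runs on a responder's workstation with AWS Tools for PowerShell and assumes the instance already reports to SSM, that EC2Rescue for Windows Server has been unpacked on the instance at the assumed path `C:\Tools\EC2Rescue\EC2RescueCmd.exe`, and that `$ForensicSgId` is a security group that permits nothing beyond what the SSM Agent needs. The instance and security group ids are placeholders; the `/accepteula` and `/collect:` switches follow the ec2rw-cli page linked in this thread, and the `/output:` form is an assumption to confirm against that page. As the doc excerpt quoted by sapien45 says, the memory-dump item collects dump files that exist on the instance.

```powershell
# Added example: tag, isolate and collect a memory dump from a compromised
# Windows EC2 instance while it is still running.
# Requires AWS.Tools.EC2 and AWS.Tools.SimpleSystemsManagement.
param(
    [Parameter(Mandatory)] [string] $InstanceId,    # placeholder, e.g. i-0123456789abcdef0
    [Parameter(Mandatory)] [string] $ForensicSgId,  # placeholder, e.g. sg-0123456789abcdef0
    [string] $Ec2RescuePath = 'C:\Tools\EC2Rescue\EC2RescueCmd.exe',  # assumed install path
    [string] $OutputPath    = 'C:\forensics\ec2rescue-collect.zip'     # assumed output path
)

Import-Module AWS.Tools.EC2, AWS.Tools.SimpleSystemsManagement

# 1. Mark the instance with the tag the Security Incident Response Guide uses
#    (quoted in the stt comment), so automation and other responders can see
#    that it is under investigation and must not be touched.
$tag = New-Object Amazon.EC2.Model.Tag
$tag.Key   = 'Response'
$tag.Value = 'Isolate+MemoryCapture'
New-EC2Tag -Resource $InstanceId -Tag $tag

# 2. Isolate: replace every security group on the instance with the forensic
#    group, and block API termination so the evidence cannot be destroyed by
#    an auto-scaling action or a hasty cleanup.
Edit-EC2InstanceAttribute -InstanceId $InstanceId -Group $ForensicSgId
Edit-EC2InstanceAttribute -InstanceId $InstanceId -DisableApiTermination $true

# 3. Collect while the host is still online. The remote script runs the
#    EC2Rescue collect action for the memory-dump item named in the thread.
#    (/output: form is an assumption; verify against the ec2rw-cli doc page.)
$remoteScript = @"
New-Item -ItemType Directory -Force -Path (Split-Path '$OutputPath') | Out-Null
& '$Ec2RescuePath' /accepteula /collect:memory-dump "/output:$OutputPath"
Get-Item '$OutputPath' | Select-Object FullName, Length, LastWriteTime
"@

$cmd = Send-SSMCommand -InstanceId $InstanceId `
    -DocumentName 'AWS-RunPowerShellScript' `
    -Parameter @{ commands = $remoteScript } `
    -Comment "Forensic memory collection for $InstanceId" `
    -TimeoutSecond 600

# 4. Wait for the invocation to finish and return the outcome for the case file.
do {
    Start-Sleep -Seconds 10
    $inv = Get-SSMCommandInvocationDetail -CommandId $cmd.CommandId -InstanceId $InstanceId
} while ([string]$inv.Status -in @('Pending', 'InProgress', 'Delayed'))

[pscustomobject]@{
    InstanceId = $InstanceId
    CommandId  = $cmd.CommandId
    Status     = [string]$inv.Status
    Output     = $inv.StandardOutputContent
    Error      = $inv.StandardErrorContent
}
```

The ordering matters: the tag and the security-group swap go first so that the attacker's connectivity is cut before the collection starts, and the collection still works because SSM Run Command is pulled by the agent over HTTPS, not pushed through the instance's inbound rules. The forensic security group therefore needs an outbound path to the SSM endpoints (or an SSM VPC endpoint) and nothing else; the collected archive should then be copied off the instance to an evidence bucket rather than left on the compromised host.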
farziuser
3 years, 8 months ago
I think it should be C. Looking at the Collect action -> memory-dump ('Memory Dump File', 'Mini Dump Files'): collects any memory dump files that exist on the instance. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 2 times
Mr_Zaw
3 years, 8 months ago
Answer is C. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2rw-cli.html
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other