Exam AWS Certified Security - Specialty topic 1 question 97 discussion

I think B is the best answer. Page 34 https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf No mention of stopping the EC2 instance. Just isolation so information can be gathered. It is possible to do snapshot while the instance is running.

Agree. Answer is B. Shutting down the instance will change the state of it and more probable destroy transient evidence. The snapshot must be done while the instance is on.

Ans is D, since B cannot interrupt the connection and doesn't mention how to gather evidence https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html

Removing the compromised instance from the load balancer prevents further traffic from reaching it. Adjusting the security group to shut down access helps to limit potential lateral movement, preventing the attacker from reaching other resources in your network. It also allows time for a detailed investigation to take place without the risk of ongoing malicious activity. Please note, creating a snapshot of the EBS volume (option D) can be a part of an incident response process for deeper forensic analysis. However, the question specifically asked about techniques to "limit lateral movement and allow evidence gathering" without implying a detailed forensic analysis, thus making option B more suitable.

The questions specially states that we need to perform a cyber threat investigation. However once the endpoint is turned off or restarted the opportunity for forensic analysis will be taken away. B limits the lateral movement and still allows the security engineer to investigate the situation.

ANS: B

The approach is to isolate the ec2 instance and restrict the security group for the forensic analysis so B is the answer

My anwser is D. It states to limit lateral movement so security groups will do nothing as they will not block any outbound traffic. I know memory dump is always best to gather all data for inspection, but the requirement is clear. "limit lateral movement" so we keep to the requirement while still be able to investigate the snapshot of the EBS.

Ans: B 100%

B is correct Here. Question ask 2 requirements. Stop Bilateral movement and Evidence gathering. A shutdown system wont help much in evidence/forensic investigations.

limit lateral movement "B" is the answer

B is more appropriate.............D (if you shut down, content of memory or swap file) will be gone, which hold important info.

C is correct, not sure anyone has faced a security incident before. i work regularly with security team....you NEVER reboot / Shutdown the instance in question while evidence gathering like collecting logs etc. as that affects evidence gathering you remove it from LB and disable all services so it is not in production.

B is Correct

it's D - lateral movement means potential risk to the rest of the environment. Offline investigation (where instance is shut down) means that it can no longer affect the rest of the environment. Snapshot of EBS volume can be used to create new volumes that can be mounted onto a forensic EC2 instance for deep analysis offline.

It has to be C. D limits what can be done to investigate. C, is on point.

Ans > B