
Exam AWS Certified Security - Specialty topic 1 question 211 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 211
Topic #: 1

A security engineer noticed an anomaly within a company EC2 instance as shown in the image. The engineer must now investigate what is causing the anomaly.

What are the MOST effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened?

  • A. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.
  • B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
  • C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
  • D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
Suggested Answer: D
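The sequence in answer D, written out as an added example (not from the exam or from AWS): detach from the Auto Scaling group, deregister from the load balancer, swap in the isolation security group, then snapshot each EBS volume, build a fresh volume from the snapshot and attach that copy (never the original) to the forensic instance. It assumes an ALB/NLB target group (elbv2) and takes boto3 clients as parameters; the RecordingClient stub and the canned responses are constructed so the dry run works offline.

```python
try:
    import boto3  # only needed for a live run against real clients
except ImportError:  # offline: the constructed stub below is used instead
    boto3 = None


class RecordingClient:
    """Constructed dry-run stand-in for a boto3 client: records every call, returns canned ids."""
    def __init__(self, canned=None):
        self.calls, self.canned = [], dict(canned or {})
    def get_waiter(self, name):
        client = self
        class Waiter:
            def wait(self, **kw): client.calls.append(("wait:" + name, kw))
        return Waiter()
    def __getattr__(self, api):  # any other attribute is treated as an API call
        def call(**kw):
            self.calls.append((api, kw))
            return self.canned.get(api, {})
        return call


def isolate_instance(instance_id, asg_name, target_group_arn, isolation_sg_id, autoscaling, elbv2, ec2):
    """Step 1: take the instance out of service and cut its network reach before touching evidence."""
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                                 ShouldDecrementDesiredCapacity=False)  # keeps it running; ASG launches a clean replacement
    elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=[{"Id": instance_id}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])  # replaces ALL security groups


def copy_volumes_to_forensic_host(instance_id, forensic_instance_id, forensic_az, ec2):
    """Step 2: snapshot each attached EBS volume, create a new volume from the snapshot, and attach
    that copy to the forensic instance. Returns (original, snapshot, copy) ids per volume."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    copies = []
    for i, mapping in enumerate(inst["BlockDeviceMappings"]):
        orig = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=orig, Description=f"forensic copy of {orig} ({instance_id})")["SnapshotId"]
        ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
        copy = ec2.create_volume(AvailabilityZone=forensic_az, SnapshotId=snap)["VolumeId"]
        ec2.get_waiter("volume_available").wait(VolumeIds=[copy])
        ec2.attach_volume(VolumeId=copy, InstanceId=forensic_instance_id, Device=f"/dev/sd{chr(ord('f') + i)}")
        copies.append((orig, snap, copy))
    return copies


# Constructed canned responses (one root volume) so the dry run works offline.
CANNED_EC2 = {
    "describe_instances": {"Reservations": [{"Instances": [{"BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0original"}}]}]}]},
    "create_snapshot": {"SnapshotId": "snap-0copy"},
    "create_volume": {"VolumeId": "vol-0copy"},
}


def dry_run():
    """Runs both steps against recording stubs; swap in boto3.client('autoscaling'/'elbv2'/'ec2') to go live."""
    asg, elb, ec2 = RecordingClient(), RecordingClient(), RecordingClient(CANNED_EC2)
    isolate_instance("i-0suspect", "web-asg", "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER",
                     "sg-0isolation", asg, elb, ec2)
    copies = copy_volumes_to_forensic_host("i-0suspect", "i-0forensic", "us-east-1a", ec2)
    return ec2.calls, copies


if __name__ == "__main__":
    print(dry_run())
```

The order of recorded EC2 calls is the point to check: isolation (security group swap) happens before any snapshot, and the only attach targets the forensic host with the copied volume.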

Comments

DayQuil
3 years, 8 months ago
D. You'll want to make a copy of the EBS volume in case anything goes wrong with the original instance.
upvoted 27 times
Raphaello
1 year, 4 months ago
Selected Answer: D
D is the correct answer.
upvoted 1 times
Green53
2 years ago
Selected Answer: D
D. You always want a copy of the EBS volume
upvoted 1 times
samCarson
2 years ago
Selected Answer: D
To ensure the instance is not further manipulated, the engineer should remove it from the Auto Scaling group and the Elastic Load Balancer. The instance should be placed in an isolation security group. Then, the engineer should create a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copied EBS volume to investigate, thereby preserving the original evidence while conducting a thorough analysis.
upvoted 2 times
pal40sg
2 years, 1 month ago
Selected Answer: D
The most effective steps to take to ensure that the instance is not further manipulated, while allowing the engineer to understand what happened, would be option D: Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate. By removing the instance from the Auto Scaling group and the Elastic Load Balancer, you isolate the compromised instance from any further interactions with the environment, reducing the risk of further manipulation or potential impact on other resources.
upvoted 2 times
jawiem
2 years, 2 months ago
Selected Answer: D
D. You want to make a copy of the EBS
upvoted 1 times
ITGURU51
2 years, 2 months ago
The EBS snapshot needs to be done to preserve the chain of evidence. The question implies that we will be performing a memory dump from the forensic toolkit. Therefore D would be the best answer.
upvoted 1 times
Cyp
2 years, 3 months ago
Selected Answer: B
I would say B, as memory investigation is more critical than disk investigation. Plus, with option B you can do both memory and disk investigation.
upvoted 1 times
awsguru1998
2 years, 4 months ago
B, as the issue is with the instance and not EBS (it's not shown in the anomaly). Also, with D you are not doing any forensics on the compromised instance, only on EBS.
upvoted 3 times
AzureDP900
2 years, 4 months ago
D is right as per documentation.
upvoted 1 times
Balki
2 years, 11 months ago
Selected Answer: D
Answer is D. The blog below talks about it. Look at page 4: https://pages.awscloud.com/rs/112-TZM-766/images/How%20to%20Perform%20Investigations_SANS_AWS%20Marketplace_whitepaper.pdf
upvoted 1 times
trongod05
3 years ago
D. In computer forensics there's a concept of a forensic copy. The snapshot of the EBS volume is the forensic copy. A forensic analyst makes a copy so the original evidence is preserved, and can work with the copy instead.
upvoted 1 times
sapien45
2 years, 11 months ago
Makes sense. But then why not make a snapshot of the EC2 instance itself?
upvoted 1 times
Dmosh
2 years, 2 months ago
What's relevant is the EBS.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
D is the option (very close between B & D), but the EBS snapshot is the key.
upvoted 1 times
kiev
3 years, 8 months ago
D for me
upvoted 3 times
khchan123
3 years, 8 months ago
I think it should be B. You'll need the running instance to investigate what's gone wrong.
upvoted 2 times
refuz
3 years, 8 months ago
D, easy
upvoted 3 times
cldy
3 years, 8 months ago
D. EBS snapshot is important here
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other