Exam AWS Certified Security - Specialty topic 1 question 218 discussion

you want to isolete the EC2 instance and not the whole subnet. So restrictions must take place at the SG level, and not the NACL level

A. By removing the suspicious EC2 instance from the Auto Scaling group, you isolate it from the production environment to prevent potential further impact or compromise. Closing the security group with ingress only from a single forensic IP address allows you to restrict access to the instance for analysis purposes. This way, you can perform a detailed investigation on the isolated instance without exposing it to potential threats.

Clearly A

Isolating the security group is considered the best practice according to AWS, most importantly making changes to the NACL would impact all the computers systems on the subnet.

A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis is the most appropriate immediate action for the security engineer to take. Removing the instance from the Auto Scaling group prevents any new instances from being launched. Closing the security group with ingress only from a single forensic IP address allows the security engineer to perform an analysis of the instance's traffic in a controlled and secure manner. This analysis can help determine whether the instance is compromised and identify the source of the REJECT traffic.

okay, A is justified, however, the wording let me to believe that I am changing the SG for the entire group that this compromised instance (all the instances that are part of the auto-scaling group). which is not an ideal solution.

A is the Answer. D is wrong cause taking only snapshot not prevent the compromising. You have to remove it from the ASG and isolate the instance first.

A is answer

First course of action is A

A for me as this is traffic coming from an EC2 instance and therefore SG is what is important here.

A is reasonable. Can't B because "Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.", it will block all other traffic to your Subnet / VPC.

Its ..A..(pmjcr) Security Groups handle traffic at the instance level. Dont let the wording fool you.

For me is B. Security Groups can only block incoming traffic. Question states "VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2". The fraffic is originating FROM the EC2 instance. So we need to block the outgoing traffic to avoid more exposure. NACLs are the only option that allow That. We cna block all other traffic in/out and allow inly in from the forensic IP

"A" makes more sense than others.

A is answer

D could be also feasible answer

A is answer