Exam AWS Certified Security - Specialty topic 1 question 99 discussion

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf The answers are wrong according to the whitepaper P34. Closest 3 correct answers are B, D and E.

B D E correct

BDE The right steps to isolate and seize data on a compromised instance.

D and E are part of Containment B is somewhat part of Eradication If you must keep resources for your investigation, consider backing up those resources. For example, if you must retain an Amazon EC2 instance for regulatory, compliance, or legal reasons, then create an Amazon EBS snapshot before removing the instance. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/operations.html

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

bde for ans

To investigate the security incident we need to snapshot the EBS volumes. To isolate and protect the AWS Tenant, we want to use a security group. Also we need to remove compromised host from the ALB and auto scaling group.

BDF. security group rules are not aggregated, and adding a new security group will not affect the existing rules. Therefore, option E ("Attach a security group that has restrictive ingress and egress rules to the EC2 instance") is not a valid answer

BDE are correct as they cover, isolation, investigation

BDE all day

B D E correct

I see a lot of you guys going to option E but you cannot block or restrict any egress traffic with security groups so I'm not sure about this one. I see the option A better than D. So A, B, D is my answer.

Ans: DBE 100%

D,E -> for isolation B ->for investigation Answer : B,D,E

it should be B, D, E

BDE is Correct

Ans > B,D,E