Exam AWS Certified Security - Specialty topic 1 question 322 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 322
Topic #: 1

A security engineer receives an AWS abuse email message. According to the message, an Amazon EC2 instance that is running in the security engineer's AWS account is sending phishing email messages.
The EC2 instance is part of an application that is deployed in production. The application runs on many EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.
The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols. Upon investigation, the security engineer discovers that email messages are being sent over port 587. All other traffic is normal.
The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime.
Which combination of steps must the security engineer take to meet these requirements? (Choose three.)

  • A. Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  • B. Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.
  • C. Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.
  • D. Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.
  • E. Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.
  • F. Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.
Suggested Answer: BCF
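As an added example (not part of the question or of any commenter's post), here is how the three chosen steps map onto the EC2 and Auto Scaling APIs, using boto3 method names and a constructed RecordingClient stub so it runs offline; the VPC, ACL, instance, ASG and volume IDs are placeholders. Two details the answer text glosses over are made explicit: a freshly created security group is not "empty" until its default egress rule is revoked, and the NACL deny only wins if its rule number sorts before the subnet's allow rules. Detaching from the Auto Scaling group without decrementing desired capacity is my choice for the "suspend" step, since it lets the group launch a replacement.

```python
SMTP_SUBMISSION_PORT = 587  # the port the abuse report says is sending mail
ANY = "0.0.0.0/0"


def isolate_with_empty_sg(ec2, vpc_id, instance_id):
    """Option F: swap the instance onto a security group with no inbound or outbound rules."""
    sg_id = ec2.create_security_group(GroupName="forensic-isolation",
                                      Description="no rules; forensic isolation", VpcId=vpc_id)["GroupId"]
    # A new SG carries a default allow-all egress rule; revoke it or the host can still reach out.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id


def deny_outbound_587(ec2, acl_id, rule_number=90):
    """Option B: explicit NACL deny for outbound TCP/587 to anywhere. Keep rule_number below the
    subnet's allow rules: NACLs evaluate entries in ascending order and stop at the first match."""
    entry = dict(NetworkAclId=acl_id, RuleNumber=rule_number, Protocol="6", RuleAction="deny",
                 Egress=True, CidrBlock=ANY,
                 PortRange={"From": SMTP_SUBMISSION_PORT, "To": SMTP_SUBMISSION_PORT})
    ec2.create_network_acl_entry(**entry)
    return entry


def preserve_evidence(autoscaling, ec2, asg_name, instance_id, volume_ids, memory_captured):
    """Option C ordering: memory first (done on the host, not via the API), then leave the ASG,
    then snapshot. Refuses to proceed until the memory capture has been done."""
    if not memory_captured:
        raise RuntimeError("capture volatile memory on the instance before removing it from the ASG")
    # Keep desired capacity so the group launches a replacement: minimal application downtime.
    autoscaling.detach_instances(InstanceIds=[instance_id], AutoScalingGroupName=asg_name,
                                 ShouldDecrementDesiredCapacity=False)
    return [ec2.create_snapshot(VolumeId=v, Description=f"forensic copy of {instance_id}")["SnapshotId"]
            for v in volume_ids]


class RecordingClient:
    """Constructed offline stand-in for a boto3 client: records each call, returns canned IDs."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return {"GroupId": "sg-0isolated", "SnapshotId": f"snap-{len(self.calls)}"}
        return call
```

For a real run, pass boto3.client("ec2") and boto3.client("autoscaling") in place of RecordingClient() instances and substitute the real IDs.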

Comments

MungKey
Highly Voted 2 years, 8 months ago
BCF
A - Not correct - SG cannot add outbound rule to deny
B - Correct - NACL to deny outbound
C - Correct - Before suspending gather volatile memory, after suspending take snapshot
D - Not Correct - Suspending before gathering volatile memory may clear the memory
E - Can do but F is better option
F - Correct - Isolate the EC2 instance
upvoted 9 times
kujin
1 year, 12 months ago
E: It's not possible to move an existing instance to another subnet, Availability Zone, or VPC. Instead, you can manually migrate the instance by creating a new Amazon Machine Image (AMI) from the source instance. https://repost.aws/knowledge-center/move-ec2-instance
upvoted 3 times
Toptip
Most Recent 1 year, 11 months ago
Selected Answer: BCF
B,C,F best combination
upvoted 1 times
ITGURU51
2 years ago
In the real world, we can use the security group to isolate the endpoint. This question is a little tricky because using an NACL impacts the entire subnet not just the compromised endpoint. From a cyber security perspective, the best way to isolate the host is to add the instance to a security group with no rules. BCF
upvoted 2 times
swolfgang
2 years, 1 month ago
I don't understand why not BCE. E is the better option, I think.
upvoted 1 times
Artaggedon
2 years, 2 months ago
Selected Answer: BCF
In order of obvious:
- C is CORRECT and D is INCORRECT. You can't dump RAM memory from a snapshot.
- A is INCORRECT. No deny rules on Security Groups.
Now, the tricky part. Between B, E and F, one must be wrong. Picking B, you get to protect your production environment a little bit, and between E and F, both basically do the same. But it's also true that, normally, you don't get to answer twice over the same resource in an AWS exam (in this case, NACL). And since E and F do the same thing, we should pick B and F. Therefore BCF, or at least it's what I've gathered from looking around and trying to make this. But I can see the reasoning behind CEF too. This is a complicated one with no clear answer.
upvoted 1 times
sakibmas
2 years, 4 months ago
Selected Answer: BCF
A - Not correct - SG cannot add outbound rule to deny
D - Not Correct - Suspending before gathering volatile memory may clear the memory
upvoted 1 times
sapien45
2 years, 8 months ago
Selected Answer: BCF
https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/infrastructure-domain-incidents.html
upvoted 4 times
vbal
2 years, 8 months ago
BCF....
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)