Question 5
Domain 1: Threat Detection and Incident Response

A Security Engineer noticed an anomaly within a company EC2 instance, as shown in the image. The Engineer must now investigate what is causing the anomaly. What are the MOST effective steps to take to ensure that the instance is not further manipulated while allowing the Engineer to understand what happened?
Correct answer: D
Explanation
Removing the instance from the Auto Scaling group and Elastic Load Balancer stops it from being replaced or receiving traffic, and an isolation security group blocks further access. Creating a snapshot, copying the EBS volume, and attaching that copy to a forensic EC2 instance preserves evidence while allowing investigation without altering the original instance.
Why each option is right or wrong
A. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, detach the EBS volume, launch an EC2 instance with a forensic toolkit, and attach the EBS volume to investigate.
Detaching the original volume changes the live system state, and the analysis then runs on the original evidence rather than on a preserved copy.
B. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and allow the forensic toolkit image to connect to the suspicious instance to perform the investigation.
Remote investigation on the suspicious instance can alter evidence and does not preserve disk state first.
C. Remove the instance from the Auto Scaling group. Place the instance within an isolation security group, launch an EC2 instance with a forensic toolkit, and use the forensic toolkit image to deploy an ENI as a network span port to inspect all traffic coming from the suspicious instance.
Traffic inspection helps monitoring, but it does not capture prior disk evidence or explain past compromise.
D. Remove the instance from the Auto Scaling group and the Elastic Load Balancer. Place the instance within an isolation security group, make a copy of the EBS volume from a new snapshot, launch an EC2 instance with a forensic toolkit, and attach the copy of the EBS volume to investigate.
AWS incident-response guidance for compromised EC2 workloads is to first contain the host so it cannot be replaced or continue serving traffic, then preserve evidence before any analysis. In this scenario, removing the instance from the Auto Scaling group and Elastic Load Balancer prevents automatic re-creation and traffic exposure, while placing it in an isolation security group blocks inbound/outbound access; the forensic copy should be made from an EBS snapshot and attached to a separate analysis instance so the original volume remains unmodified, consistent with the exam’s incident-response and forensic-capture expectations for EC2/EBS resources.
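The containment and evidence-preservation sequence from option D, written as an added AWS CLI example (not part of the exam page or of any AWS-published script). It assumes AWS CLI v2 with the required IAM permissions, an instance registered in an ALB/NLB target group (a classic ELB would use `aws elb deregister-instances-from-load-balancer` instead), an existing isolation security group with no inbound or outbound rules, and a forensic instance in the same Availability Zone; every ID is a placeholder passed on the command line.

```shell
#!/bin/sh
# Added example: contain a suspected-compromised EC2 instance, then preserve its
# disk evidence as a snapshot-derived copy. The original volume is never detached.
# All instance, group, ARN and volume IDs are placeholders supplied by the caller.

# Step 1: stop Auto Scaling from replacing the host, stop the load balancer from
# routing to it, and swap every security group for the isolation group.
contain_instance() {
  instance_id=$1; asg_name=$2; target_group_arn=$3; isolation_sg=$4
  # Decrementing desired capacity keeps the ASG from launching a replacement.
  aws autoscaling detach-instances --instance-ids "$instance_id" \
    --auto-scaling-group-name "$asg_name" --should-decrement-desired-capacity >/dev/null
  aws elbv2 deregister-targets --target-group-arn "$target_group_arn" \
    --targets Id="$instance_id"
  # Replacing all groups with one that has no rules blocks inbound and outbound traffic.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$isolation_sg"
}

# Step 2: snapshot the root volume, build a fresh volume from that snapshot, and
# attach the copy to the forensic instance. Prints the evidence copy's volume ID.
preserve_and_attach() {
  instance_id=$1; forensic_instance=$2
  volume_id=$(aws ec2 describe-instances --instance-ids "$instance_id" \
    --query 'Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId' \
    --output text) || return 1
  az=$(aws ec2 describe-instances --instance-ids "$instance_id" \
    --query 'Reservations[0].Instances[0].Placement.AvailabilityZone' --output text) || return 1
  snapshot_id=$(aws ec2 create-snapshot --volume-id "$volume_id" \
    --description "IR evidence of $instance_id" --query SnapshotId --output text) || return 1
  aws ec2 wait snapshot-completed --snapshot-ids "$snapshot_id"
  copy_volume=$(aws ec2 create-volume --snapshot-id "$snapshot_id" \
    --availability-zone "$az" --query VolumeId --output text) || return 1
  aws ec2 wait volume-available --volume-ids "$copy_volume"
  aws ec2 attach-volume --volume-id "$copy_volume" \
    --instance-id "$forensic_instance" --device /dev/sdf >/dev/null
  echo "$copy_volume"
}

# Usage: sh ec2_contain.sh <instance-id> <asg-name> <target-group-arn> <isolation-sg> <forensic-instance-id>
if [ $# -eq 5 ]; then
  contain_instance "$1" "$2" "$3" "$4"
  preserve_and_attach "$1" "$5"
fi
```

On the forensic instance, mount the attached copy read-only so the analysis itself leaves the evidence volume unmodified.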