Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 3 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 3
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A security engineer needs to develop a process to investigate and respond to potential security events on a company's Amazon EC2 instances. All the EC2 instances are backed by Amazon Elastic Block Store (Amazon EBS). The company uses AWS Systems Manager to manage all the EC2 instances and has installed Systems Manager Agent (SSM Agent) on all the EC2 instances.
The process that the security engineer is developing must comply with AWS security best practices and must meet the following requirements:
A compromised EC2 instance's volatile memory and non-volatile memory must be preserved for forensic purposes.
A compromised EC2 instance's metadata must be updated with corresponding incident ticket information.
A compromised EC2 instance must remain online during the investigation but must be isolated to prevent the spread of malware.
Any investigative activity during the collection of volatile data must be captured as part of the process.
Which combination of steps should the security engineer take to meet these requirements with the LEAST operational overhead? (Choose three.)

  • A. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Isolate the instance by updating the instance's security groups to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
  • B. Gather any relevant metadata for the compromised EC2 instance. Enable termination protection. Move the instance to an isolation subnet that denies all source and destination traffic. Associate the instance with the subnet to restrict access. Detach the instance from any Auto Scaling groups that the instance is a member of. Deregister the instance from any Elastic Load Balancing (ELB) resources.
  • C. Use Systems Manager Run Command to invoke scripts that collect volatile data.
  • D. Establish a Linux SSH or Windows Remote Desktop Protocol (RDP) session to the compromised EC2 instance to invoke scripts that collect volatile data.
  • E. Create a snapshot of the compromised EC2 instance's EBS volume for follow-up investigations. Tag the instance with any relevant metadata and incident ticket information.
  • F. Create a Systems Manager State Manager association to generate an EBS volume snapshot of the compromised EC2 instance. Tag the instance with any relevant metadata and incident ticket information.
Show Suggested Answer Hide Answer
Suggested Answer: ACE 🗳️
by kk2000 at Oct. 7, 2023, 9:12 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
pupsik
Highly Voted 11 months, 2 weeks ago
Selected Answer: ACE
The reason it is not "B" is because you cannot move a running instance into a different subnet.
upvoted 17 times
aguilar404
6 months, 1 week ago
these are the comments that we, as people with less knowledge are looking for... thank you!
upvoted 4 times
...
...
bukkanni
Most Recent 1 month ago
B is wrong because it says "Move the instance to an isolation subnet that denies all source and destination traffic. ". Even if you somehow snapshot it and move it to a different subnet, the fact that the isolation subnet denies all source and destination traffic would mean that the NACL will allow no inbound or outbound traffic. That includes any traffic to reach the instance for forensic evaluation.
upvoted 1 times
...
FunkyFresco
1 month, 2 weeks ago
Selected Answer: ACE
ACE are correct
upvoted 1 times
...
RobWilliamsToronto
2 months, 2 weeks ago
While A is still better than B (because you cannot update a running instances network placement/subnet). Updating an instances SG can be risky. Often times an instances SG is shared with multiple instances. A better wording for A would be to "replace the instances SG with a SG that restricts access" rather than 'updating'.
upvoted 1 times
...
Raphaello
7 months, 4 weeks ago
Selected Answer: ACE
Correct answers: ACE These describe the ideal steps to isolate an instance, and collect data required for forensics investigation, all limiting the spread of malware.
upvoted 1 times
...
csG13
9 months, 1 week ago
A & C are correct. Since it’s an SSM managed node already, why not F?
upvoted 1 times
...
Sab31
9 months, 2 weeks ago
Can someone share why not F? As it automated the EBS backup process. Hence reducing the overhead.
upvoted 1 times
Daniel76
9 months, 1 week ago
F is technically feasible but SSM state manager is used for routine backup of EC2 instances. In this case the snapshot is one-off and you cannot automate the second part that is tagging with metadata and incident ticket info. So it is not appropriate.
upvoted 5 times
...
...
Daniel76
9 months, 3 weeks ago
Selected Answer: ACE
between C and D, D is a traditional method which has more overhead: need to preconfigure instance connectivity to external storage medium for writing memory And it risk altering the memory and storage artifacts in the process. Using system manager is a comparatively better way. https://d1.awsstatic.com/events/aws-reinforce-2022/TDR401_Instance-memory-acquisition-techniques-for-effective-incident-response.pdf
upvoted 2 times
...
Raphaello
9 months, 3 weeks ago
A C E It's not possible to move an existing instance to another subnet; rather, one can associate it with a restricted SG.
upvoted 1 times
...
awssecuritynewbie
10 months, 2 weeks ago
Selected Answer: ACE
A C E, for sure.
upvoted 1 times
...
lalee2
11 months, 1 week ago
Selected Answer: ACE
Gather info -> isolate -> detach ->snapshot
upvoted 1 times
...
KR693
11 months, 2 weeks ago
A, C and E
upvoted 1 times
...
0dd
12 months ago
ACE. B is incorrect because once a EC2 instance created, it could not be moved to other subnets
upvoted 3 times
...
kk2000
1 year ago
ACE makes more sense.Updating Security group(Least operational overhead) rather than moving the EC2 to different subnet which needs more steps required.
upvoted 1 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel