Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 46 discussion

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.
After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.
What should the security engineer do to isolate the target instance?

  • A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
  • B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
  • C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
  • D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
Suggested Answer: B

Comments

AgboolaKun
Highly Voted 11 months ago
Selected Answer: B
There is no need for SSH port 22 since Systems Manager Session Manager can give the necessary access that the security team needs to the EC2 instances.
upvoted 6 times
Just_Ninja
Most Recent 3 weeks, 2 days ago
Selected Answer: B
B is correct, but if you still have an active session on port 22, the connection will remain open. You can easily test this. Security Groups (SGs) are stateful, which means an existing session remains active even if the rule is removed. Launch an EC2 instance with SSH access restricted to your IP. Connect to the instance via SSH. Remove the SSH rule from the Security Group. Your active session will continue without interruption! 😊 Also, from my point of view, AWS Systems Manager (SSM) is one of the coolest tools. You can easily log session data to an S3 bucket for reviews and analytics, making it a powerful tool for auditing and security operations.
upvoted 1 times
jamesf
1 month ago
Selected Answer: B
keywords: "The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22." So just remove the Security Group SSH Port 22 and use AWS Systems Manager Session Manager
upvoted 1 times
FunkyFresco
1 month, 2 weeks ago
Selected Answer: B
Option b.
upvoted 1 times
komik_101
1 month, 2 weeks ago
C is correct for me. Why? It says: "After these changes, the security engineer notices that the SSH connection is still active and usable." If any TCP session is open, it doesn't matter whether you add a new security group or remove it; you should kill the port 22 TCP sessions, otherwise communication will continue. B: I will not select this option on the exam. Why? It seems an easy way, but there are no more details; if you want to give a "Session Manager connection" you should do many things. Also, as I said, when you remove the security group rule, TCP port 22 is still open.
upvoted 1 times
Zek
4 months, 4 weeks ago
C. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections "On the other hand, if you have a narrower inbound rule that initially allows an SSH connection (meaning that the connection was tracked), but change that rule to no longer allow new connections from the address of the current SSH client, the existing SSH connection is not interrupted because it is tracked." Hence a NACL would block the connection immediately.
upvoted 2 times
icecool36
5 months ago
A - On the other hand, if you have a narrower inbound rule that initially allows an SSH connection (meaning that the connection was tracked), but change that rule to no longer allow new connections from the address of the current SSH client, the existing SSH connection is not interrupted because it is tracked.
upvoted 2 times
icecool36
5 months ago
Selected Answer: A
See explanation earlier
upvoted 1 times
icecool36
5 months ago
A - It is about connection tracking. Not B, since the question states: "The security engineer removes the existing security group rules." This means the outbound rule as well, therefore no outbound 443 to SSM is possible, so no Session Manager connection is possible. The managed nodes you connect to must allow HTTPS (port 443) outbound traffic to the following endpoints: ec2messages.region.amazonaws.com, ssm.region.amazonaws.com, ssmmessages.region.amazonaws.com. Not C: this will also block the forensics team and all other instances in the subnet. Not D: not related at all.
upvoted 1 times
xflare
6 months, 2 weeks ago
Selected Answer: C
"To ensure that traffic is immediately interrupted, or that all traffic is subject to firewall rules regardless of the tracking state, you can use a network ACL for your subnet. Network ACLs are stateless and therefore do not automatically allow response traffic. Adding a network ACL that blocks traffic in either direction breaks existing connections. " https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections
upvoted 3 times
arvehisa
7 months ago
Selected Answer: C
The correct answer is C https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections When you change a security group rule, its tracked connections are not immediately interrupted. The security group continues to allow packets until existing connections time out. To ensure that traffic is immediately interrupted, or that all traffic is subject to firewall rules regardless of the tracking state, you can use a network ACL for your subnet.
upvoted 3 times
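The behaviour the thread argues about (a tracked security group connection surviving a rule change, an untracked one being cut, and a stateless network ACL cutting everything) is easy to reason about with a toy packet-filter model. The following is an added example written for this page; it is not AWS code and not part of the original discussion. It follows the connection-tracking rules quoted above from the AWS documentation, replays the question's steps, and uses constructed addresses (203.0.113.10 as the attacker, 198.51.100.0/24 as the forensics team) and made-up NACL rule numbers.

```python
"""Toy model of EC2 security groups (stateful, connection-tracked) versus
network ACLs (stateless). Constructed example for this thread; it is not AWS
code, and all addresses, ports and rule numbers are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALL = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" (towards the instance) or "out"
    proto: str                # "tcp", "icmp" or "all"
    port: Optional[int]       # None = all ports (and ICMP, which has none)
    cidr: str
    action: str = "allow"     # NACL rules may be "deny"; SG rules are allow-only
    number: int = 32767       # NACL evaluation order; ignored for SGs


@dataclass(frozen=True)
class Flow:
    remote: str               # the other end of the connection
    proto: str
    port: Optional[int]       # destination port on the instance


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto not in ("all", flow.proto):
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    return ip_address(flow.remote) in ip_network(rule.cidr)


class SecurityGroup:
    """Stateful. A permitted new connection is remembered (tracked) and keeps
    passing after later rule edits. Per the AWS docs quoted in the thread, a
    flow allowed by an all-traffic rule in BOTH directions is not tracked and
    is judged against the current rules on every packet."""

    def __init__(self, rules):
        self.rules = set(rules)
        self.tracked = set()

    def _allowed(self, direction: str, flow: Flow) -> bool:
        return any(matches(r, flow) for r in self.rules if r.direction == direction)

    def _allow_all(self, direction: str) -> bool:
        return Rule(direction, "all", None, ALL) in self.rules

    def connect(self, flow: Flow) -> bool:
        """Attempt a new inbound connection to the instance."""
        if not self._allowed("in", flow):
            return False
        if not (self._allow_all("in") and self._allow_all("out")):
            self.tracked.add(flow)
        return True

    def packet(self, flow: Flow) -> bool:
        """A later inbound packet belonging to an existing connection."""
        return flow in self.tracked or self._allowed("in", flow)

    def replace_rules(self, rules):
        """Revoke every current rule and authorize a new set; tracking survives."""
        self.rules = set(rules)


class NetworkAcl:
    """Stateless. Each packet is matched against the numbered rules in order and
    the first match decides; nothing is remembered, so an inserted deny cuts
    established connections as well as new ones."""

    def __init__(self, rules):
        self.rules = list(rules)

    def packet(self, direction: str, flow: Flow) -> bool:
        for r in sorted(self.rules, key=lambda r: r.number):
            if r.direction == direction and matches(r, flow):
                return r.action == "allow"
        return False  # the implicit trailing deny


def isolation_scenario() -> dict:
    """Replay the question's steps, then the untracked case and option C."""
    attacker, forensics_net, forensics_host = "203.0.113.10", "198.51.100.0/24", "198.51.100.7"
    sg = SecurityGroup([Rule("in", "tcp", 22, ALL), Rule("in", "icmp", None, ALL),
                        Rule("out", "all", None, ALL)])
    attacker_ssh = Flow(attacker, "tcp", 22)
    sg.connect(attacker_ssh)                      # attacker is in before isolation
    # Engineer's step: drop the existing rules, allow only the forensics team on 22
    sg.replace_rules([Rule("in", "tcp", 22, forensics_net)])
    out = {
        "ssh_still_usable": sg.packet(attacker_ssh),                  # tracked flow
        "ping_blocked": not sg.packet(Flow(attacker, "icmp", None)),  # no ICMP rule left
        "forensics_can_connect": sg.connect(Flow(forensics_host, "tcp", 22)),
    }
    # Contrast: allow-all in both directions makes the flow untracked, so the
    # same rule removal drops it at once
    open_sg = SecurityGroup([Rule("in", "all", None, ALL), Rule("out", "all", None, ALL)])
    open_sg.connect(attacker_ssh)
    open_sg.replace_rules([Rule("out", "all", None, ALL)])
    out["untracked_ssh_dropped"] = not open_sg.packet(attacker_ssh)
    # Option C: deny-all at the top of the subnet's NACL in both directions
    nacl = NetworkAcl([Rule("in", "all", None, ALL, "deny", 1), Rule("out", "all", None, ALL, "deny", 1),
                       Rule("in", "all", None, ALL, "allow", 100), Rule("out", "all", None, ALL, "allow", 100)])
    out["nacl_cuts_attacker"] = not nacl.packet("in", attacker_ssh)
    out["nacl_cuts_forensics_too"] = not nacl.packet("in", Flow(forensics_host, "tcp", 22))
    return out


if __name__ == "__main__":
    for key, value in isolation_scenario().items():
        print(f"{key}: {value}")
```

Every key in the returned dict is True: the tracked attacker session outlives the rule swap while a fresh ping is blocked, the untracked session is dropped the moment its inbound rule disappears, and the NACL deny severs the attacker and the forensics team alike, together with every other instance in the subnet. The model deliberately does not decide whether adding allow-all rules converts an already tracked flow (the mechanism option A relies on), because the documentation quoted in this thread does not say so.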
bkbaws
7 months, 1 week ago
Selected Answer: A
Adding an in and out SG rule with SSH 0.0.0.0/0 and removing it causes the established connections to be dropped. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections
upvoted 1 times
Raphaello
7 months ago
"An untracked flow of traffic is immediately interrupted if the rule that enables the flow is removed or modified." (same reference) So..by removing port 22 SG rule, the flow is immediately interrupted. No?! If so, then B is correct!
upvoted 1 times
yedaself
9 months ago
Selected Answer: A
Answer is A. It is about connection tracking. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections B is not relevant because the question doesn't ask for a way to connect to the instance; it asks why a tracked connection is not interrupted when security group rules are changed.
upvoted 2 times
dodino
8 months, 4 weeks ago
but the question says "The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22." so this practice was already done for the port 22...
upvoted 1 times
rxhan
7 months, 2 weeks ago
Always use AWS products for the answer, why would you allow full access just to ping and remove.
upvoted 1 times
Daniel76
9 months, 1 week ago
Selected Answer: B
To isolate a specific EC2 instance, a security group is the way to go, as it affects the targeted instance and not the entire network. A does not make sense, as a security group is a stateful network control. B uses the security group to isolate the EC2 instance, and using Session Manager ensures exclusive access via the management console.
upvoted 3 times
trashbox
9 months, 3 weeks ago
Exam on 2023-12-18
upvoted 1 times
Aamee
10 months ago
Selected Answer: B
No doubt, it's B.
upvoted 2 times
tatarevick
11 months, 1 week ago
Selected Answer: B
There can be multiple ec2 instances per subnet and C would block access to ALL of them. It is B
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other