Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 46 discussion

A company's security engineer is designing an isolation procedure for Amazon EC2 instances as part of an incident response plan. The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team. Each of the company's EC2 instances has its own dedicated security group. The EC2 instances are deployed in subnets of a VPC. A subnet can contain multiple instances.
The security engineer is testing the procedure for EC2 isolation and opens an SSH session to the target instance. The procedure starts to simulate access to the target instance by an attacker. The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22.
After these changes, the security engineer notices that the SSH connection is still active and usable. When the security engineer runs a ping command to the public IP address of the target instance, the ping command is blocked.
What should the security engineer do to isolate the target instance?

  • A. Add an inbound rule to the security group to allow traffic from 0.0.0.0/0 for all ports. Add an outbound rule to the security group to allow traffic to 0.0.0.0/0 for all ports. Then immediately delete these rules.
  • B. Remove the port 22 security group rule. Attach an instance role policy that allows AWS Systems Manager Session Manager connections so that the forensics team can access the target instance.
  • C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
  • D. Create an AWS Systems Manager document that adds a host-level firewall rule to block all inbound traffic and outbound traffic. Run the document on the target instance.
Suggested Answer: B

Comments

AgboolaKun
Highly Voted 1 year, 5 months ago
Selected Answer: B
There is no need for SSH port 22 since Systems Manager Session Manager can give the necessary access that the security team needs to the EC2 instances.
upvoted 8 times
Kaps443
Most Recent 1 day, 14 hours ago
Selected Answer: B
B is correct.
upvoted 1 times
fcbflo
1 month, 2 weeks ago
Selected Answer: B
The scenario specifically requires isolating a single target instance while maintaining forensic team access. Using a NACL would isolate all instances in the subnet, potentially disrupting other operations. (NACLs take effect at subnet borders; SGs at the ENI.) Option B is more precise because:
  • It removes direct SSH access (port 22), which eventually terminates the existing connection.
  • It provides an alternative access method (Systems Manager Session Manager) that doesn't rely on direct network access.
  • It targets only the specific instance without affecting others.
So while your point about stateful vs. stateless is technically accurate, in this specific scenario the subnet-wide impact of NACLs makes option B more appropriate for the requirement to isolate only the target instance.
upvoted 1 times
AWSLoverLoverLoverLoverLover
1 month, 3 weeks ago
Selected Answer: C
C. Create a network ACL that is associated with the target instance's subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0.
Explanation: Why is the SSH session still active? Security group changes do not affect existing connections (i.e., established TCP sessions remain open). This is why the SSH session remains active, but new inbound connections (like ping/ICMP) are blocked.
upvoted 1 times
FlyingHawk
2 months, 1 week ago
Selected Answer: C
Updating the security group of an EC2 instance does not affect existing connections because security groups are stateful. This means that if a connection is already established (e.g., an active SSH session), changes to the security group rules will not terminate that connection. The rules only apply to new connections. This is why the security engineer's SSH session remained active even after modifying the security group rules. However, the ping command was blocked because the security group changes applied to new traffic (ICMP traffic for ping).
upvoted 2 times
FlyingHawk
2 months, 1 week ago
A network ACL (Access Control List) can immediately affect current connections if you modify its rules while traffic is flowing, as it acts as a virtual firewall at the subnet level, meaning any changes to its allow/deny rules can instantly impact connectivity to resources within that subnet, potentially disrupting existing connections if not configured carefully.
upvoted 2 times
Wardove
2 months, 3 weeks ago
Selected Answer: C
Only this option terminates active SSH sessions for 100% isolation.
upvoted 1 times
TareDHakim
2 months, 3 weeks ago
Selected Answer: B
C is wrong: NACL changes will impact the entire subnet and all instances attached to it. To target the single instance, B makes the most sense.
upvoted 2 times
IPLogic
4 months, 1 week ago
Selected Answer: B
B is correct, as a NACL will block traffic to all instances within the subnet. At the instance level the right approach is option B.
upvoted 1 times
IPLogic
4 months, 1 week ago
Selected Answer: C
Simply put, option B does not block other traffic and isolate the instance completely.
upvoted 1 times
IPLogic
4 months, 2 weeks ago
Selected Answer: C
C. Create a network ACL that is associated with the target instance’s subnet. Add a rule at the top of the inbound rule set to deny all traffic from 0.0.0.0/0. Add a rule at the top of the outbound rule set to deny all traffic to 0.0.0.0/0. https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/destination-containment.html
upvoted 1 times
mzeynalli
5 months, 1 week ago
Selected Answer: C
Guys, keep it simple. The task is "What should the security engineer do to isolate the target instance?" Adding deny rules for both inbound and outbound traffic ensures that all communications to and from the instance are blocked, effectively isolating the instance. After the completion of the REQUIRED task, the engineer will allow the forensic team to add either AWS Systems Manager Session Manager or NACL to accomplish the SECOND part of the task.
upvoted 4 times
urbanmonk
3 months, 3 weeks ago
Speaking of REQUIRED: "The security engineer needs to isolate a target instance to block any traffic to and from the target instance, except for traffic from the company's forensics team." The question seeks a solution that will isolate the target instance but also allow access to the forensics team. Option C offers the isolation but does not address the required access for the company's forensics team. We are not allowed to make assumptions in these exam questions. So B is the correct answer, as it isolates the target and also provides access to the forensics team using SMSM.
upvoted 2 times
jakie22332
5 months, 1 week ago
Selected Answer: C
C is correct
upvoted 2 times
Johnyw
6 months ago
Answer is C. The question is definitely trying to test the difference between an SG and a NACL; the Systems Manager Session Manager is just a distraction. The engineer just needs to implement a NACL to drop the sessions. The sessions are allowed because SGs are stateful.
upvoted 2 times
Just_Ninja
7 months ago
Selected Answer: B
B is correct, but if you still have an active session on port 22, the connection will remain open. You can easily test this. Security Groups (SGs) are stateful, which means an existing session remains active even if the rule is removed.
  • Launch an EC2 instance with SSH access restricted to your IP.
  • Connect to the instance via SSH.
  • Remove the SSH rule from the Security Group.
  • Your active session will continue without interruption! 😊
Also, from my point of view, AWS Systems Manager (SSM) is one of the coolest tools. You can easily log session data to an S3 bucket for reviews and analytics, making it a powerful tool for auditing and security operations.
upvoted 1 times
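A small model of the behaviour FlyingHawk and Just_Ninja describe, added here as an example (it is not from the page or from AWS): security group connection tracking lets the engineer's established SSH flow continue after the rule change while new ICMP is refused, whereas a stateless network ACL deny at the top of the rule set hits the established flow too. The IP addresses and rules are constructed, and the model deliberately ignores the NACL's subnet-wide scope that several commenters raise.

```python
import ipaddress
from collections import namedtuple

# remote: the non-instance endpoint; port: instance-side port (0 for ICMP); direction: "in"/"out"
Packet = namedtuple("Packet", "remote proto port direction")

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

class SecurityGroup:
    """Stateful: allow rules only. A flow admitted once is tracked, and its
    later packets pass even after the matching rule has been removed."""
    def __init__(self, inbound):
        self.inbound = list(inbound)  # (proto, port, cidr) allow rules
        self.tracked = set()          # established flows (connection tracking)
    def allows(self, pkt):
        flow = (pkt.remote, pkt.proto, pkt.port)
        if flow in self.tracked:      # established flow: rules are not consulted
            return True
        if pkt.direction == "in":
            for proto, port, cidr in self.inbound:
                if (proto, port) == (pkt.proto, pkt.port) and in_cidr(pkt.remote, cidr):
                    self.tracked.add(flow)
                    return True
        return False

class NetworkAcl:
    """Stateless: numbered allow/deny rules, first match wins, no connection
    tracking, so a deny at the top also drops packets of an established session."""
    def __init__(self, rules):
        self.rules = sorted(rules)    # (number, direction, action, cidr)
    def allows(self, pkt):
        for _, direction, action, cidr in self.rules:
            if direction == pkt.direction and in_cidr(pkt.remote, cidr):
                return action == "allow"
        return False                  # implicit final deny ("*" rule)

def scenario():
    engineer, forensics, any_v4 = "203.0.113.5", "198.51.100.9", "0.0.0.0/0"  # constructed
    sg = SecurityGroup(inbound=[("tcp", 22, any_v4)])
    ssh = Packet(engineer, "tcp", 22, "in")
    sg.allows(ssh)  # the engineer's SSH session is established and now tracked
    sg.inbound = [("tcp", 22, forensics + "/32")]  # isolation step: forensics team only
    ssh_still_open = sg.allows(ssh)                                  # True
    ping_blocked = not sg.allows(Packet(engineer, "icmp", 0, "in"))  # True
    forensics_ok = sg.allows(Packet(forensics, "tcp", 22, "in"))     # True
    nacl = NetworkAcl([(1, "in", "deny", any_v4), (1, "out", "deny", any_v4),
                       (100, "in", "allow", any_v4), (100, "out", "allow", any_v4)])
    ssh_cut_by_nacl = not nacl.allows(ssh)                           # True
    return ssh_still_open, ping_blocked, forensics_ok, ssh_cut_by_nacl
```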
jamesf
7 months, 2 weeks ago
Selected Answer: B
Keywords: "The security engineer removes the existing security group rules and adds security group rules to give the forensics team access to the target instance on port 22." So just remove the Security Group SSH port 22 rule and use AWS Systems Manager Session Manager.
upvoted 1 times
FunkyFresco
7 months, 3 weeks ago
Selected Answer: B
Option B.
upvoted 1 times
komik_101
7 months, 4 weeks ago
C is correct for me. Why? The question says: "After these changes, the security engineer notices that the SSH connection is still active and usable." If any TCP session is open, it doesn't matter whether you add a new security group or remove it; you should kill the port 22 TCP sessions, otherwise communication will continue. B: I will not select this option on the exam. Why? It seems an easy way, but there are no more details; if you want to give a "Session Manager connection" you need to do many things. Also, as I said, when you remove the security group, TCP port 22 is still open.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other