Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 284 discussion

D - really? You can't move the EC2 instance on the new VPC, it seem good for isolation but cannnot So C. is correct.

To follow AWS Well-Architected Framework incident response best practices, the infected EC2 instance must be isolated to prevent further damage.

Based on this doc, none of the above options is good, for a compromise ec2, we first need to isolate it with the security group and network ACL and turn on the termination protection, gather all metadata, then detach its EBS volume, tag it, then terminate it. I will select C.

D is the only answer that is in compliance with AWS Well-Architected Framework: Incident Response Best Practices: The framework emphasizes automating incident response and isolating affected resources. Forensics Support: By isolating the instance instead of deleting or terminating it, the company retains the ability to perform forensic analysis and determine the root cause of the incident. Least Privilege Principle: The use of a specific security group for isolation limits unnecessary exposure.

cannot be D, as you can't move an instance to a different subnet, let alone a different vpc.

B: This solution uses an AWS Lambda function to respond to a GuardDuty finding by deleting the elastic network interfaces (ENIs) associated with the infected instance. While this will disconnect the instance from the network, preventing further communication, deleting ENIs could have unintended consequences, such as disrupting the instance's availability or interrupting legitimate processes. C: Detaching the EBS volumes could prevent the malware from accessing persistent storage, and terminating the instance would stop the malware from running. This is a more thorough isolation and remediation approach. Adding a tag to the EBS volumes can also help with tracking and auditing. However, simply detaching EBS volumes might not prevent the malware from spreading if the instance is not immediately terminated. A more comprehensive action is required.

Not D, EC2 instances CANNOT be moved to a differrent subnet/VPC.

Effectively mitigates the incident while allowing forensic investigation

This approach isolates the compromised instance, preventing it from communicating with other instances and the internet, which helps contain the incident. It also aligns with best practices for incident response by ensuring that the infected instance is quarantined effectively.

For (D) you can't move an EC2 to a different VPC.

D for me

can not be B and D