Question 3
Domain 1: Threat Detection and Incident Response
A security engineer has noticed that VPC Flow Logs are getting a lot of REJECT traffic originating from a single Amazon EC2 instance in an Auto Scaling group. The security engineer is concerned that this EC2 instance may be compromised. What immediate action should the security engineer take?
Correct answer: A
Explanation
Removing the instance from the Auto Scaling group isolates the suspected compromised host so it cannot continue generating traffic or be replaced automatically. Restricting the security group to ingress from a single forensic IP address preserves access for investigation while minimizing exposure, which aligns with containment and forensic analysis best practices.
Why each option is right or wrong
A. Remove the instance from the Auto Scaling group. Close the security group with ingress only from a single forensic IP address to perform an analysis.
Under the EC2 Auto Scaling model, an instance that remains in the group can continue to be replaced or reattached by the service, so the immediate containment step is to detach/remove it from the Auto Scaling group to stop further propagation and preserve the host for investigation. Restricting the security group to allow ingress only from one forensic IP address is the standard containment control here, because security groups are stateful and can be narrowed to a single source to maintain analyst access while blocking all other inbound traffic.
B. Remove the instance from the Auto Scaling group. Change the network ACL rules to allow traffic only from a single forensic IP address to perform an analysis. Add a rule to deny all other traffic.
Network ACLs are applied at the subnet level, so changing them affects every instance in that subnet, not just the suspect host.
C. Remove the instance from the Auto Scaling group. Enable Amazon GuardDuty in that AWS account. Install the Amazon Inspector agent on the suspicious EC2 instance to perform a scan.
GuardDuty and Inspector help detect or assess issues, but they do not immediately isolate a suspected compromised instance.
D. Take a snapshot of the suspicious EC2 instance. Create a new EC2 instance from the snapshot in a closed security group with ingress only from a single forensic IP address to perform an analysis.
Snapshotting and launching a copy aids later analysis, but the original instance still needs immediate containment first.
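The containment steps from option A, written as an AWS CLI runbook. This is an added example, not part of the original question or AWS documentation; the instance id, Auto Scaling group name, VPC id and forensic IP are assumed inputs, and the egress revocation goes one step beyond the answer's ingress-only restriction so the host actually stops generating traffic.

```shell
#!/bin/sh
# Added example: containment runbook for option A. Assumed inputs: instance id,
# Auto Scaling group name, VPC id and the forensic analyst's IPv4 address.
# Set DRY_RUN=1 to print each AWS CLI call (to stderr) instead of executing it.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "aws $*" >&2
  else
    aws "$@"
  fi
}

# The forensic address must be one IPv4 host; the rule is always written as /32.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for n in "$@"; do
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -le 255 ] || return 1
  done
}

contain_instance() {
  instance_id=$1; asg_name=$2; vpc_id=$3; forensic_ip=$4
  valid_ipv4 "$forensic_ip" || { echo "invalid forensic IP: $forensic_ip" >&2; return 1; }

  # 1. Detach from the group and decrement desired capacity so the service
  #    neither terminates this host nor launches a replacement from the same AMI.
  run autoscaling detach-instances --instance-ids "$instance_id" \
      --auto-scaling-group-name "$asg_name" --should-decrement-desired-capacity

  # 2. A new security group starts with no inbound rules; drop its default
  #    allow-all egress too so the host stops generating traffic.
  sg_id=$(run ec2 create-security-group --group-name "forensic-$instance_id" \
      --description "IR containment" --vpc-id "$vpc_id" --query GroupId --output text)
  sg_id=${sg_id:-sg-DRYRUN}   # placeholder id when DRY_RUN=1 returns nothing
  run ec2 revoke-security-group-egress --group-id "$sg_id" --ip-permissions \
      '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

  # 3. Allow SSH only from the forensic host (use 3389 instead for Windows).
  run ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 22 --cidr "$forensic_ip/32"

  # 4. Replace the security groups on the instance's primary ENI with the
  #    forensic group; any secondary ENIs must be updated separately.
  run ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$sg_id"
}
```

Run it with DRY_RUN=1 first to review the exact calls, then without it from an IAM principal that is allowed only these actions.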