Question 4
Domain 1: Threat Detection and Incident Response

An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised. What techniques will limit lateral movement and allow evidence gathering?
Correct answer: B
Explanation
Removing the EC2 instance from the ELB Classic Load Balancer isolates it from incoming traffic, limiting further spread to other systems. Tightening the security group shuts down access to the instance while preserving it for evidence gathering, which supports containment and forensic analysis.
Why each option is right or wrong
A. Remove the instance from the load balancer and terminate it.
Terminating destroys the instance and its volatile evidence instead of preserving it for analysis.
B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
Classic Load Balancers route traffic only to registered EC2 instances, so deregistering the compromised instance immediately stops new client connections without terminating the host, preserving volatile and disk evidence for later analysis. Tightening the attached security group then blocks inbound and outbound paths at the instance level, since security group rules are evaluated per instance, which is the correct containment step to prevent lateral movement while keeping the machine available for forensic collection.
C. Reboot the instance and check for any Amazon CloudWatch alarms.
Rebooting does not isolate the host or preserve forensic evidence; CloudWatch alarms only monitor metrics.
D. Stop the instance and make a snapshot of the root EBS volume.
Stopping and snapshotting preserves disk data, but it does not remove live network access or contain spread.
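The containment steps from option B, written as an added example script (not part of the original question): deregister the instance from the Classic Load Balancer, build a security group that permits no traffic in either direction, and swap the instance onto it while it keeps running. The instance ID, load balancer name and VPC ID are constructed placeholders; with DRY_RUN=1 the script prints the AWS CLI calls instead of executing them.

```bash
#!/usr/bin/env bash
# Contain a compromised EC2 instance behind a Classic Load Balancer without
# terminating it. Set DRY_RUN=1 to print the AWS CLI calls rather than run them.
set -eu

run() {                      # execute an aws CLI call, or echo it under DRY_RUN
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

isolate_instance() {         # usage: isolate_instance <instance-id> <elb-name> <vpc-id>
  local instance_id="$1" elb_name="$2" vpc_id="$3" sg_id

  # Step 1: deregister so the Classic LB stops routing new client traffic to it.
  run elb deregister-instances-from-load-balancer \
      --load-balancer-name "$elb_name" --instances "$instance_id"

  # Step 2: a fresh security group has no inbound rules, but EC2 adds a default
  # allow-all egress rule; revoke it so nothing can leave the host either.
  if [ "${DRY_RUN:-0}" = "1" ]; then
    sg_id="sg-PLACEHOLDER"   # constructed; a real run reads the GroupId back
    run ec2 create-security-group --group-name "forensic-isolation-$instance_id" \
        --description "Incident containment: no traffic" --vpc-id "$vpc_id"
  else
    sg_id=$(aws ec2 create-security-group --group-name "forensic-isolation-$instance_id" \
        --description "Incident containment: no traffic" --vpc-id "$vpc_id" \
        --query GroupId --output text)
  fi
  run ec2 revoke-security-group-egress --group-id "$sg_id" --ip-permissions \
      '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

  # Step 3: replace ALL of the instance's security groups with the isolation
  # group. The host stays running, so memory and disk evidence are preserved.
  run ec2 modify-instance-attribute --instance-id "$instance_id" --groups "$sg_id"

  # Step 4: tag the instance so responders can see its containment state.
  run ec2 create-tags --resources "$instance_id" \
      --tags Key=IncidentStatus,Value=Isolated
}

# Run only when invoked with arguments, e.g.:
#   DRY_RUN=1 ./isolate.sh i-0abc123 web-elb vpc-0def456
if [ $# -eq 3 ]; then isolate_instance "$@"; fi
```

A snapshot of the root volume (option D's step) can follow afterwards for the forensic record, but only once the instance is isolated, since snapshotting alone leaves its network paths open.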