AWS Certified Security – Specialty (SCS-C02) — Question 189
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes.
A security engineer needs to preserve all forensic evidence from one of the instances.
Which order of steps should the security engineer use to meet this requirement?
Answer options
- A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
- B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
- C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
- D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
Correct answer: C
Explanation
The correct sequence in option C ensures that the instance is detached and deregistered before creating any snapshots, which is critical for preserving the state of the instance. Stopping the instance before taking the EBS snapshot could lead to loss of volatile data, making options A, B, and D less effective for forensic purposes.
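The order in option C, written out as an added example (not part of the original question): a runbook function that takes boto3 clients for `autoscaling`, `elbv2` and `ec2`. The `capture_memory` callback, the `case-id` tag and the function name are assumptions; AWS has no single API call for a memory dump, so that step is left to whatever tooling the responder uses.

```python
from datetime import datetime, timezone


def preserve_evidence(autoscaling, elbv2, ec2, instance_id, asg_name,
                      target_group_arn, capture_memory, case_id):
    """Isolate, capture, then stop, in the order of option C.

    capture_memory is a hypothetical callback that dumps RAM and returns the
    location of the stored image. Any exception aborts the run, so the
    instance is never stopped before both captures have succeeded.
    """
    steps = []
    # 1. Detach from the Auto Scaling group so scaling activity cannot
    #    terminate the instance; capacity is kept so a replacement launches.
    autoscaling.detach_instances(InstanceIds=[instance_id],
                                 AutoScalingGroupName=asg_name,
                                 ShouldDecrementDesiredCapacity=False)
    steps.append("detach_from_asg")
    # 2. Deregister from the ALB target group so no new requests arrive.
    elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                             Targets=[{"Id": instance_id}])
    steps.append("deregister_from_alb")
    # 3. Snapshot every EBS volume attached to the instance, tagged per case.
    stamp = datetime.now(timezone.utc).isoformat()
    tags = [{"Key": "case-id", "Value": case_id},
            {"Key": "source-instance", "Value": instance_id}]
    volumes = ec2.describe_volumes(
        Filters=[{"Name": "attachment.instance-id",
                  "Values": [instance_id]}])["Volumes"]
    snapshot_ids = []
    for volume in volumes:
        snap = ec2.create_snapshot(
            VolumeId=volume["VolumeId"],
            Description=f"{case_id} {instance_id} {stamp}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}])
        snapshot_ids.append(snap["SnapshotId"])
    steps.append("ebs_snapshot")
    # 4. Capture memory while the instance is still running.
    memory_image = capture_memory(instance_id)
    steps.append("memory_snapshot")
    # 5. Stop last: RAM contents are gone once the instance stops.
    ec2.stop_instances(InstanceIds=[instance_id])
    steps.append("stop_instance")
    return {"steps": steps, "snapshot_ids": snapshot_ids,
            "memory_image": memory_image}
```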