AWS Certified Security – Specialty (SCS-C02) — Question 242

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Choose three.)

Answer options

• A. Disable termination protection for the EC2 instance if termination protection has not been disabled.
• B. Enable termination protection for the EC2 instance if termination protection has not been enabled.
• C. Take snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
• D. Remove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.
• E. Capture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.
• F. Immediately remove any entries in the EC2 instance metadata that contain sensitive information.

Correct answer: B, C, E

Explanation

Enabling termination protection ensures that the EC2 instance cannot be accidentally terminated during the investigation. Taking snapshots of the EBS volumes preserves the data for forensic analysis, while tagging the instance as under quarantine helps in identifying it as potentially compromised. The other options either disable protection, remove valuable data, or address sensitive information inappropriately, which are not suitable preliminary actions.