AWS Certified Security – Specialty — Question 494
A security alert has been raised for an Amazon EC2 instance in a customer account that is exhibiting strange behavior. The Security Engineer must first isolate the EC2 instance and then use tools for further investigation.
What should the Security Engineer use to isolate and research this event? (Choose three.)
Answer options
- A. AWS CloudTrail
- B. Amazon Athena
- C. AWS Key Management Service (AWS KMS)
- D. VPC Flow Logs
- E. AWS Firewall Manager
- F. Security groups
Correct answer: A, D, F
Explanation
Security groups are used to isolate the Amazon EC2 instance: replace the groups attached to the instance with a dedicated group that has no inbound rules and whose default allow-all outbound rule has been revoked. Security groups have no deny rules, so "blocking all traffic" means attaching a group with no allow rules at all. Once the instance is isolated, AWS CloudTrail and VPC Flow Logs are the investigation tools. CloudTrail records which principal called which API, from where and when, so it shows for example who changed the instance's security groups or IAM role. VPC Flow Logs record the source and destination addresses, ports, protocol, byte counts and accept/reject decision for traffic to and from the instance's network interface; they must already have been enabled to cover the suspicious period, and they never contain packet payloads. AWS KMS manages encryption keys, Amazon Athena is a query engine that can later search exported CloudTrail or flow log data but does not itself isolate anything or capture any evidence, and AWS Firewall Manager centrally administers firewall policies across accounts; none of these is a primary tool for isolating the instance or performing the immediate investigation.
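As an added example, not part of the original question or its explanation, the following Python helpers show the investigation and verification side of the procedure above: parsing default-format VPC Flow Log records to total accepted traffic between the suspect instance's network interface and hosts outside the VPC, searching CloudTrail events for API calls whose request or response references the instance or its security group, and checking from describe-security-groups style output that the attached groups really contain no allow rules. All log lines, events, identifiers and the VPC CIDR are constructed assumptions; the shapes match the real artifacts so the functions can be pointed at records pulled from CloudWatch Logs or S3.

```python
# Added triage helpers for the isolate-then-investigate workflow above.
# Every input below is a constructed sample shaped like the real artifact;
# all identifiers (account, ENI, instance, group IDs) are hypothetical.
import ipaddress
import json
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
SUSPECT_ENI = "eni-0a1b2c3d4e5f67890"
SUSPECT_INSTANCE = "i-0123456789abcdef0"
SUSPECT_SG = "sg-0a1b2c3d4e5f67891"

# Default-format VPC Flow Log lines: two accepted outbound flows to an external
# host on 4444, an internal SSH session, a rejected RDP probe, another ENI.
FLOW_LOG_SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.50 49152 4444 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.50 49153 4444 6 40 6400 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.8 10.0.1.25 51000 22 6 10 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 40000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0ffffffffffffffff 10.0.3.9 10.0.1.25 53000 443 6 5 500 1700000000 1700000060 ACCEPT OK
"""
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Parse default-format lines; drop malformed rows and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def external_peers(records, eni, vpc_cidr=VPC_CIDR):
    """Accepted bytes exchanged with hosts outside the VPC on the suspect ENI,
    keyed by (remote_ip, remote_port) so one remote listener is one entry."""
    totals = Counter()
    for rec in records:
        if rec["interface_id"] != eni or rec["action"] != "ACCEPT":
            continue
        src_in = ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr
        dst_in = ipaddress.ip_address(rec["dstaddr"]) in vpc_cidr
        if src_in and not dst_in:        # outbound from the instance
            totals[(rec["dstaddr"], rec["dstport"])] += rec["bytes"]
        elif dst_in and not src_in:      # inbound to the instance
            totals[(rec["srcaddr"], rec["srcport"])] += rec["bytes"]
    return dict(totals)

# CloudTrail events (fields trimmed): a rule opened on the instance's group
# from the same external address, the launch that created the instance, and
# an unrelated S3 call that must not match.
CLOUDTRAIL_SAMPLE = [
    {"eventTime": "2023-11-14T22:13:20Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/deploy-bot"},
     "requestParameters": {"groupId": SUSPECT_SG, "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2023-11-10T09:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "10.0.9.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/ci"},
     "responseElements": {"instancesSet": {"items": [{"instanceId": SUSPECT_INSTANCE}]}}},
    {"eventTime": "2023-11-14T22:20:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.9.1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

def events_touching(events, *resource_ids):
    """Events whose request or response mentions any of the IDs, returned as
    (eventTime, eventName, principal ARN, sourceIPAddress) sorted by time."""
    hits = []
    for ev in events:
        blob = json.dumps([ev.get("requestParameters"), ev.get("responseElements")])
        if any(rid in blob for rid in resource_ids):
            hits.append((ev["eventTime"], ev["eventName"],
                         ev["userIdentity"]["arn"], ev["sourceIPAddress"]))
    return sorted(hits)

# describe-security-groups shapes. A freshly created group carries an allow-all
# egress rule; it isolates nothing until that rule is revoked.
FRESH_SG = {"GroupId": "sg-0new000000000000", "IpPermissions": [],
            "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
ISOLATION_SG = {"GroupId": "sg-0iso000000000000", "IpPermissions": [], "IpPermissionsEgress": []}

def is_isolated(attached_groups):
    """True only when every group on the instance has no allow rule in either
    direction; security groups cannot express deny rules, so this is the test."""
    return bool(attached_groups) and all(
        not sg.get("IpPermissions") and not sg.get("IpPermissionsEgress")
        for sg in attached_groups)
```

The `is_isolated` check matters because a group created with CreateSecurityGroup is born with an allow-all outbound rule; an isolation group is only complete after that rule is revoked with RevokeSecurityGroupEgress, and the check returns False for a group in the fresh state. The flow-log summary keys on the remote side's port, so repeated connections to one listener (here 203.0.113.50:4444) collapse into a single line, and the CloudTrail search then shows the same external address authorizing an ingress rule on the instance's group, which is the kind of pivot between the two log sources the question is after.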