AWS Certified Security – Specialty — Question 499
An Amazon EC2 instance is part of an EC2 Auto Scaling group that is behind an Application Load Balancer (ALB). It is suspected that the EC2 instance has been compromised.
Which steps should be taken to investigate the suspected compromise? (Choose three.)
Answer options
- A. Detach the elastic network interface from the EC2 instance.
- B. Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
- C. Disable any Amazon Route 53 health checks associated with the EC2 instance.
- D. De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
- E. Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
- F. Add a rule to an AWS WAF to block access to the EC2 instance.
Correct answer: B, D, E
Explanation
To isolate a suspected compromised instance without destroying evidence, first detach it from the Auto Scaling group so the group does not terminate it as unhealthy and launch a replacement over the evidence, and de-register it from the ALB target group so it stops receiving traffic (D). Next, replace its security groups with a single restrictive forensic group that allows access only from the investigators' host; because security group rules are additive, the forensic group must replace the existing groups rather than be added alongside them (E). Finally, snapshot every EBS volume attached to the instance so the disk state is preserved for offline analysis; snapshots capture disk only, so if memory analysis is needed, capture volatile memory before the instance is stopped or rebooted (B).

The other options do not help. The primary network interface of an instance cannot be detached (A). Route 53 health checks operate at DNS level on endpoints, not on an individual instance behind an ALB, so disabling them neither isolates the instance nor preserves evidence (C). AWS WAF filters requests at the ALB or CloudFront, so it does not stop traffic reaching the instance by other paths and preserves nothing (F).
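The same three steps as an AWS CLI script, added here as an illustration and not part of the original question. It assumes AWS CLI v2 with credentials permitted to call autoscaling, elbv2 and ec2; every instance, group, target group and case identifier below is a placeholder. With DRY_RUN=1 (the default) it only prints the commands so the sequence can be reviewed before it is run for real.

```shell
#!/usr/bin/env bash
# Isolation and evidence-capture steps for a suspected-compromised EC2 instance
# (answer options D, E and B, in that order). Added example, not from the
# original page; assumes AWS CLI v2 with autoscaling/elbv2/ec2 permissions.
# All identifiers are placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# D: take the instance out of the Auto Scaling group and the ALB target group.
# --no-should-decrement-desired-capacity makes the group launch a replacement,
# so capacity is kept while the suspect instance is preserved instead of being
# terminated as "unhealthy".
remove_from_asg_and_alb() {
  local instance_id="$1" asg_name="$2" target_group_arn="$3"
  run aws autoscaling detach-instances \
      --instance-ids "$instance_id" \
      --auto-scaling-group-name "$asg_name" \
      --no-should-decrement-desired-capacity
  run aws elbv2 deregister-targets \
      --target-group-arn "$target_group_arn" \
      --targets "Id=$instance_id"
}

# E: replace (not add) the security groups with a forensic group. Security
# group rules are additive, so leaving the original groups attached would keep
# their ingress/egress open. Termination protection is switched on so the
# evidence is not deleted by mistake.
quarantine_network() {
  local instance_id="$1" forensic_sg="$2"
  run aws ec2 modify-instance-attribute \
      --instance-id "$instance_id" \
      --groups "$forensic_sg"
  run aws ec2 modify-instance-attribute \
      --instance-id "$instance_id" \
      --disable-api-termination
}

# B: one crash-consistent snapshot set of every EBS volume on the instance,
# tagged with the case id. Snapshots capture disk only; volatile memory is
# lost if the instance is stopped or rebooted, so capture memory first if
# it is needed.
snapshot_all_volumes() {
  local instance_id="$1" case_id="$2"
  run aws ec2 create-snapshots \
      --instance-specification "InstanceId=$instance_id,ExcludeBootVolume=false" \
      --description "Forensic capture $case_id for $instance_id" \
      --tag-specifications "ResourceType=snapshot,Tags=[{Key=IncidentCase,Value=$case_id}]" \
      --copy-tags-from-source volume
}

isolate_instance() {
  local instance_id="$1" asg_name="$2" target_group_arn="$3" forensic_sg="$4" case_id="$5"
  remove_from_asg_and_alb "$instance_id" "$asg_name" "$target_group_arn"
  quarantine_network "$instance_id" "$forensic_sg"
  snapshot_all_volumes "$instance_id" "$case_id"
}

# Usage with placeholder identifiers; review the printed commands, then rerun
# with DRY_RUN=0 to execute them.
isolate_instance i-0123456789abcdef0 web-asg \
  arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/web-tg/0123456789abcdef \
  sg-0123456789abcdef0 IR-2024-001
```

Order matters: removing the instance from the Auto Scaling group comes first because a group that still owns the instance may terminate it as soon as the restrictive security group makes its health check fail. De-registration from the target group respects the group's deregistration delay, so in-flight connections drain before the instance stops receiving traffic.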