AWS Certified Security – Specialty — Question 68
An organization receives an alert that indicates that an EC2 instance behind an ELB Classic Load Balancer has been compromised.
What techniques will limit lateral movement and allow evidence gathering?
Answer options
- A. Remove the instance from the load balancer and terminate it.
- B. Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
- C. Reboot the instance and check for any Amazon CloudWatch alarms.
- D. Stop the instance and make a snapshot of the root EBS volume.
Correct answer: B
Explanation
Option B is correct: deregistering the instance from the load balancer stops new client traffic from reaching it, and tightening its security group cuts the network paths an attacker could use to pivot to other hosts, while the instance itself is left running so that evidence (including volatile state) can still be collected. Option A is too extreme because terminating the instance destroys evidence rather than preserving it. Option C does nothing to prevent further movement, and Option D, while useful for evidence, does not address the immediate containment concern.
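The containment sequence that option B describes, followed by the evidence-preservation step from option D, as an added example that is not part of the original question or its explanation. It is a POSIX shell script around the AWS CLI; the load balancer name, instance ID and VPC ID are placeholder assumptions, and it assumes the CLI is already configured with credentials that may modify ELB and EC2 resources.

```shell
#!/bin/sh
# Added example: contain a compromised EC2 instance behind a Classic ELB
# (option B), then preserve evidence (option D) without terminating it.
# All identifiers below are placeholders, not values from the question.

ELB_NAME="${ELB_NAME:-web-classic-elb}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"

# Step 1: take the instance out of the Classic ELB so it stops receiving
# client traffic (the ELB itself keeps serving from the healthy instances).
deregister_from_elb() {
  aws elb deregister-instances-from-load-balancer \
    --load-balancer-name "$1" --instances "$2"
}

# Step 2: build an isolation security group. A new group has no inbound
# rules; the default allow-all egress rule is revoked so the instance can
# neither be reached nor reach out, which is what limits lateral movement.
# The instance's original security group is left untouched for later review.
create_isolation_sg() {
  sg_id=$(aws ec2 create-security-group \
    --group-name "ir-isolation-$2" \
    --description "Incident isolation for $2" \
    --vpc-id "$1" --query GroupId --output text)
  aws ec2 revoke-security-group-egress --group-id "$sg_id" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
  echo "$sg_id"
}

# Step 3: replace the instance's security groups with the isolation group only.
apply_isolation_sg() {
  aws ec2 modify-instance-attribute --instance-id "$1" --groups "$2"
}

# Step 4: evidence. Turn on termination protection so nobody terminates the
# instance by reflex, then snapshot the root EBS volume. The instance stays
# running, so memory is still available to a forensic agent.
preserve_evidence() {
  aws ec2 modify-instance-attribute --instance-id "$1" --disable-api-termination
  root_vol=$(aws ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].BlockDeviceMappings[0].Ebs.VolumeId' \
    --output text)
  aws ec2 create-snapshot --volume-id "$root_vol" \
    --description "IR evidence $1" --query SnapshotId --output text
}

# Run the steps in order: cut traffic, isolate, then preserve.
contain_instance() {
  deregister_from_elb "$ELB_NAME" "$INSTANCE_ID"
  iso_sg=$(create_isolation_sg "$VPC_ID" "$INSTANCE_ID")
  apply_isolation_sg "$INSTANCE_ID" "$iso_sg"
  preserve_evidence "$INSTANCE_ID"
}

# Usage: ELB_NAME=... INSTANCE_ID=... VPC_ID=... sh contain.sh --run
if [ "${1:-}" = "--run" ]; then
  contain_instance
fi
```

Note the order: the instance is deregistered and network-isolated before the snapshot is taken, and nothing in the script terminates, stops or reboots the instance, since any of those would discard the volatile evidence the explanation is concerned with.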