AWS Certified Security – Specialty — Question 9
A Security Engineer received an AWS Abuse Notice listing EC2 instance IDs that are reportedly abusing other hosts.
Which actions should the Engineer take based on this situation? (Choose three.)
Answer options
- A. Use AWS Artifact to capture an exact image of the state of each instance.
- B. Create EBS Snapshots of each of the volumes attached to the compromised instances.
- C. Capture a memory dump.
- D. Log in to each instance with administrative credentials to restart the instance.
- E. Revoke all network ingress and egress except for to/from a forensics workstation.
- F. Run Auto Recovery for Amazon EC2.
Correct answer: B, C, E
Explanation
Creating EBS snapshots (B) preserves the on-disk state of every volume attached to the affected instances so it can be examined from a separate forensics instance without touching the originals; take them while the instances are still running, since a snapshot of a running instance is crash-consistent (acceptable for forensics) and stopping the instance would lose its memory. Capturing a memory dump (C) preserves volatile evidence that never reaches disk: running processes, open network connections, injected code and decrypted secrets. It must be taken before any reboot, stop or termination. Revoking all network ingress and egress except to and from a forensics workstation (E), for example by moving the instances onto a quarantine security group, stops the abuse immediately while leaving exactly the path needed to collect the memory image and investigate.

The other options either cannot preserve evidence or destroy it. AWS Artifact (A) is a portal for AWS compliance reports and agreements; it has no ability to image an instance. Logging in with administrative credentials and restarting (D) wipes memory, alters file timestamps and logs, and tips off an attacker who may still be present. EC2 Auto Recovery (F) is a resilience feature that moves an impaired instance to new hardware, which is effectively a stop and start: memory and any instance store data are lost.
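Steps E and B above as an added worked example, not code from the exam page or from AWS. It uses the EC2 API operation names boto3 exposes, but the client is injected so the logic runs offline against the constructed `FakeEC2` stand-in; the forensics workstation address in `FORENSICS_CIDR`, the instance and volume IDs, and the case label are all assumptions. The memory dump (C) is taken afterwards over the carve-out path (for example with LiME or AVML via SSH or Systems Manager from the forensics workstation) and is not an EC2 API call, so it is not part of this block.

```python
"""Added example (not from the exam page): isolate instances named in an AWS
Abuse Notice and preserve their EBS volumes with boto3-style EC2 calls.
Pass boto3.client("ec2") for a real account; FakeEC2 below is a constructed
stand-in so the sequence of calls can be checked offline."""
from datetime import datetime, timezone

# Assumption: the forensics workstation's address; only this host may talk
# to a quarantined instance (answer E).
FORENSICS_CIDR = "10.0.250.10/32"


def quarantine_instance(ec2, inst, case):
    """Answer E: put a security group on every ENI of the instance that
    allows traffic only to/from the forensics workstation."""
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{inst['InstanceId']}",
        Description=f"{case} quarantine", VpcId=inst["VpcId"])["GroupId"]
    # A new group carries an allow-all egress rule by default; remove it first.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    only_forensics = [{"IpProtocol": "-1",
                       "IpRanges": [{"CidrIp": FORENSICS_CIDR}]}]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=only_forensics)
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=only_forensics)
    # modify_instance_attribute(Groups=...) only changes the primary ENI, so
    # walk every interface; a second ENI left alone stays reachable.
    for eni in inst["NetworkInterfaces"]:
        ec2.modify_network_interface_attribute(
            NetworkInterfaceId=eni["NetworkInterfaceId"], Groups=[sg_id])
    # An accidental terminate would destroy the memory we still need.
    ec2.modify_instance_attribute(InstanceId=inst["InstanceId"],
                                  DisableApiTermination={"Value": True})
    return sg_id


def snapshot_volumes(ec2, inst, case):
    """Answer B: crash-consistent snapshot of each attached EBS volume, tagged
    so the evidence can be traced back to the case and the source."""
    taken = datetime.now(timezone.utc).isoformat()
    snaps = []
    for m in inst.get("BlockDeviceMappings", []):
        if "Ebs" not in m:  # instance-store volumes cannot be snapshotted
            continue
        snap = ec2.create_snapshot(
            VolumeId=m["Ebs"]["VolumeId"],
            Description=f"{case}: {inst['InstanceId']} {m['DeviceName']}")
        ec2.create_tags(Resources=[snap["SnapshotId"]], Tags=[
            {"Key": "Case", "Value": case},
            {"Key": "SourceInstance", "Value": inst["InstanceId"]},
            {"Key": "SourceVolume", "Value": m["Ebs"]["VolumeId"]},
            {"Key": "CapturedAt", "Value": taken}])
        snaps.append(snap["SnapshotId"])
    return snaps


def handle_abuse_notice(ec2, instance_ids, case="abuse-notice"):
    """Isolate first so the abuse stops, then preserve disk while the instance
    keeps running; the memory dump (answer C) follows over the forensics path."""
    report = {}
    for instance_id in instance_ids:
        inst = ec2.describe_instances(InstanceIds=[instance_id])[
            "Reservations"][0]["Instances"][0]
        sg_id = quarantine_instance(ec2, inst, case)
        report[instance_id] = {"quarantine_sg": sg_id,
                               "snapshots": snapshot_volumes(ec2, inst, case)}
    return report


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client: records every call and
    returns the minimal response shapes the real API would."""
    def __init__(self):
        self.calls = []

    def _record(self, name, kw):
        self.calls.append((name, kw))
        return len(self.calls)

    def describe_instances(self, **kw):
        self._record("describe_instances", kw)
        return {"Reservations": [{"Instances": [{
            "InstanceId": kw["InstanceIds"][0], "VpcId": "vpc-0fake",
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0fake"}],
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data"}}]}]}]}

    def create_security_group(self, **kw):
        return {"GroupId": f"sg-{self._record('create_security_group', kw):04d}"}

    def create_snapshot(self, **kw):
        return {"SnapshotId": f"snap-{self._record('create_snapshot', kw):04d}"}

    def __getattr__(self, name):  # every other EC2 call is simply recorded
        return lambda **kw: self._record(name, kw)


if __name__ == "__main__":
    fake = FakeEC2()
    print(handle_abuse_notice(fake, ["i-0abc123"]))
    for name, kw in fake.calls:
        print(name, kw)
```

The order is deliberate: the quarantine group is applied before any snapshot so the abuse stops first, the default egress rule is revoked before the narrow rule is added so there is never a moment with both, and termination protection is set because the instance has to stay running until the memory image is collected.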