Certified Cloud Security Engineer (CCSE) — Question 11
TetraSoft Pvt. Ltd. is an IT company that provides software and application services to numerous customers across the globe. In 2015, the organization migrated its applications and data from on-premises to the AWS cloud environment. The cloud security team of TetraSoft Pvt. Ltd. suspected that the EC2 instance that launched the core application of the organization was compromised. Given below are randomly arranged steps involved in the forensic acquisition of an EC2 instance. In this scenario, when should the investigators ensure that a forensic instance is in the terminated state?
Answer options
- A. After attaching evidence volume to the forensic instance
- B. Before taking a snapshot of the EC2 instance
- C. After creating evidence volume from the snapshot
- D. Before attaching evidence volume to the forensic instance
Correct answer: C
Explanation
The correct answer is C: investigators must ensure that the forensic instance is in a terminated state after creating the evidence volume from the snapshot, to avoid any further changes or data loss. Answer A is incorrect because the evidence volume should be attached only after ensuring the instance is properly prepared. Answer B is wrong because a snapshot should be taken before termination. Answer D is not valid because the evidence volume should be dealt with after ensuring the instance is appropriately terminated.