Certified Cloud Security Engineer (CCSE) — Question 4
A security incident has occurred within an organization’s AWS environment. A cloud forensic investigation procedure is initiated to acquire forensic evidence from the compromised EC2 instances. However, it is essential to abide by data privacy laws when provisioning any forensic instance and sending it for analysis. What can the organization do initially to avoid the legal implications of moving data between two AWS regions for analysis?
Answer options
- A. Create evidence volume from the snapshot
- B. Provision and launch a forensic workstation
- C. Attach the evidence volume to the forensic workstation
- D. Mount the evidence volume on the forensic workstation
Correct answer: A
Explanation
The correct answer is A because creating an evidence volume from a snapshot allows the organization to work with a copy of the data without transferring sensitive information across regions, thus minimizing legal risks. The other options involve actions that either require data transfer or are subsequent steps that do not address the initial legal concerns.