Home › AWS Security › cloudcomputing › scsthreatresponse › An incident-response team must IMMEDIATELY isola…
An incident-response team must IMMEDIATELY isolate a suspected-compromised Amazon EC2 instance from all network traffic while preserving its state for forensics. Which is the BEST first step?
AReplace the instance's security group with a deny-all-traffic group (and keep the instance running for snapshot + memory capture)
BTerminate the instance immediately (destroying forensic evidence)
CDisable AWS CloudTrail to hide the incident
DPower-off the host hypervisor
Answer & Solution
Correct answer: A. Replace the instance's security group with a deny-all-traffic group (and keep the instance running for snapshot + memory capture)
Isolating via a deny-all SG preserves the instance for forensics (per SCS-C02 §1.3 Resource isolation). Termination destroys evidence; the others are reckless.
Related questions
Which AWS feature provides an audit-trail of every IAM principal action across the AWS accWhich AWS service enables 'continuous compliance' by recording resource config changes andAfter detecting that a long-lived IAM access key has been leaked publicly, which response Which AWS service continuously scans EC2 instances and container images for software vulneWhich AWS service lets a responder query large volumes of CloudTrail / VPC Flow / WAF logsWhich AWS service is the canonical event-routing bus that receives Security Hub / GuardDutWhich AWS service automates incident-response runbooks — e.g. 'on compromised credential fWhich AWS feature lets a responder capture an immutable EBS volume snapshot for forensic a