One of your company's EC2 instances has been compromised. The company has strict po thorough investigation on finding the culprit for the security breach.
What would you do from the options given below?
A . Take a snapshot of the EBS volume
B . Isolate the machine from the network
C . Make sure that logs are stored securely for auditing and troubleshooting purpose
D . Ensure all passwords for all IAM users are changed
E . Ensure that all access keys are rotated.
Answer: A,B,C
Explanation:
Some of the important aspects in such a situation are:
1) First isolate the instance so that no further security harm can occur to other AWS resources.
2) Take a snapshot of the EBS volume for further investigation. This is in case you need to shut down the initial instance and conduct a separate investigation on the data.
3) Next is Option C. This indicates that we already have logs and we need to make sure that they are stored securely so that no unauthorised person can access or manipulate them.
Options D and E are invalid because they could have adverse effects for the other IAM users.
For more information on adopting a security framework, please refer to the URL below: https://d1.awsstatic.com/whitepapers/compliance/NIST Cybersecurity Framework
Note:
In the question we have been asked to take actions to find the culprit and to help the investigation, or to further reduce the damage that has happened due to the security breach. So keeping logs secure is one way of helping the investigation.
The correct answers are: Take a snapshot of the EBS volume. Isolate the machine from the network. Make sure that logs are stored securely for auditing and troubleshooting purpose.