Securing Compromised EC2 Instances in AWS: Steps for Investigation

Preserving and Analyzing Compromised EC2 Instances

Question

You have an EC2 instance running in an Auto Scaling group (ASG), and traffic is routed to the ASG from a Network Load Balancer. You have found that the instance has been compromised.

First, you need to quarantine the instance and then preserve data to perform forensic analysis and determine the root cause. Which order of the following steps is the correct one for achieving this requirement?

  1. Tag the Amazon EC2 instance for investigation.

  2. Use the Network Access Control List (NACL) to deny suspicious traffic from accessing the instance.

  3. Snapshot the Amazon EBS data volumes.

  4. Detach the instance from the Auto Scaling group.

Answers

Explanations


Answer: C.

Option A is incorrect because tagging the instance comes later in the investigation and should not be performed during the quarantine phase.

Option B is incorrect because a snapshot of the instance preserves the data for later investigation and forensics; as per the requirement, it should be taken after the quarantine phase.

Option C is CORRECT because it satisfies the requirement of quarantining the instance first, using a NACL to block the suspicious source traffic and detaching the instance from the ASG so that the other instances are unaffected.

After quarantine, snapshotting and tagging the instance are helpful during the forensics and investigation phase.

Option D is incorrect because tagging and snapshotting preserve the data for later investigation and forensics and should be performed after the quarantine phase.
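The quarantine-then-preserve order that option C describes, as an added runbook example that is not part of the page or of AWS's own material. It assumes AWS CLI v2 with credentials; the instance, ASG, NACL, incident IDs and the suspicious CIDR are placeholders, and `AWS_CMD=echo` turns it into a dry run that only prints the calls.

```shell
#!/bin/sh
# Added example: quarantine first, then preserve evidence (placeholder IDs throughout).
set -eu

# Command prefix; set AWS_CMD=echo for a dry run that only prints the calls.
AWS_CMD="${AWS_CMD:-aws}"

# Volume IDs attached to the instance (pure query; can be overridden for dry runs).
list_volume_ids() {
  "$AWS_CMD" ec2 describe-instances --instance-ids "$1" \
    --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
    --output text
}

# Usage: respond_to_compromise INSTANCE_ID ASG_NAME NACL_ID SUSPECT_CIDR INCIDENT_ID
respond_to_compromise() {
  instance_id="$1"; asg_name="$2"; nacl_id="$3"; suspect_cidr="$4"; incident_id="$5"

  # --- Quarantine phase ---------------------------------------------------
  # 1. Pull the instance out of the ASG so scale-in or a failed health check
  #    cannot terminate it (and its volatile evidence); the ASG launches a
  #    replacement so the NLB-fronted service keeps its capacity.
  "$AWS_CMD" autoscaling detach-instances --instance-ids "$instance_id" \
    --auto-scaling-group-name "$asg_name" --no-should-decrement-desired-capacity
  # 2. Deny the suspicious source at the subnet NACL; rule 10 is evaluated
  #    before the usual allow rules, which carry higher rule numbers.
  "$AWS_CMD" ec2 create-network-acl-entry --network-acl-id "$nacl_id" --ingress \
    --rule-number 10 --protocol -1 --rule-action deny --cidr-block "$suspect_cidr"
  # 3. Guard against accidental termination while the case is open.
  "$AWS_CMD" ec2 modify-instance-attribute --instance-id "$instance_id" \
    --disable-api-termination

  # --- Preservation phase -------------------------------------------------
  # 4. Snapshot every attached EBS volume for offline forensic analysis.
  for vol in $(list_volume_ids "$instance_id"); do
    "$AWS_CMD" ec2 create-snapshot --volume-id "$vol" \
      --description "Forensic snapshot $incident_id $instance_id" \
      --tag-specifications "ResourceType=snapshot,Tags=[{Key=IncidentId,Value=$incident_id}]"
  done
  # 5. Tag the instance so responders can find it and automation leaves it alone.
  "$AWS_CMD" ec2 create-tags --resources "$instance_id" \
    --tags "Key=Status,Value=Quarantined" "Key=IncidentId,Value=$incident_id"
}
```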

Reference:

https://d1.awsstatic.com/whitepapers/aws_security_incident_response.pdf

The correct sequence to achieve the requirement of quarantining the instance and preserving data for forensic analysis would be:

B. 3 -> 2 -> 1 -> 4

  1. Snapshot the Amazon EBS data volumes: Taking a snapshot of the Amazon EBS data volumes of the compromised EC2 instance would preserve the current state of the instance. This is important in case any changes are made to the instance after the compromise, as it would provide a reference point for the analysis.

  2. Use the Network Access Control List (NACL) to deny suspicious traffic from accessing the instance: By denying suspicious traffic from accessing the instance with a NACL, we can prevent further damage to the instance and preserve evidence related to the attack.

  3. Tag the Amazon EC2 instance for investigation: After isolating the compromised EC2 instance, it is essential to tag it for investigation. This would ensure that it is easily identifiable for further analysis.

  4. Detach the instance from the Auto Scaling group: Detaching the instance from the Auto Scaling group would prevent the compromised instance from being replaced with a new instance before it can be analyzed.

Hence, option B. 3 -> 2 -> 1 -> 4 is the correct sequence for achieving the requirement of quarantining the instance and preserving data for forensic analysis.