Cryptocurrency-Related Activity Detection for AWS EC2 Instances | Security Team Guide

Detecting Cryptocurrency-Related Activity in AWS EC2 Instances

Question

A company security team would like to receive notifications if an EC2 instance in their AWS environment is querying IP addresses that are associated with cryptocurrency-related (Bitcoin) activity. What steps can the security team take to achieve this most efficiently? (SELECT TWO.)

Answers

Explanations



Answer: B and E.

Option A is incorrect because Amazon Inspector assesses EC2 hosts and their network reachability for common security vulnerabilities, such as those defined in the CIS Benchmarks. It does not detect network communication with cryptocurrency-related IP addresses, so it does not help in this scenario.

Option B is CORRECT because GuardDuty analyzes the instance's network communication (VPC Flow Logs and DNS logs) and produces a CryptoCurrency:EC2/BitcoinTool.B finding when an EC2 instance queries IP addresses associated with Bitcoin or other cryptocurrency activity.

Option C is incorrect because creating a new CloudWatch Logs group is not an efficient way to identify which EC2 instance is querying specific IP addresses.

Option D is incorrect because CloudTrail records API activity; it cannot determine whether an EC2 instance is querying specific IP addresses.

Option E is CORRECT because an SNS topic can deliver the GuardDuty finding notifications to the security team.

Reference:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_crypto.html#crypto4
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_sns.html

To efficiently achieve the requirement of notifying the security team about EC2 instances querying Bitcoin-related IP addresses, the security team can take the following two steps:

  1. Enable Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors the AWS environment for malicious activity, such as unusual API calls or unauthorized access to AWS resources. GuardDuty can automatically detect Bitcoin-related activity and generate alerts for the security team. The alerts can be sent through various notification mechanisms, including email, SNS, or AWS Chatbot.

  2. Create a CloudWatch Log group: CloudWatch Logs is a log management and analysis service that can collect, monitor, and store logs from various AWS resources, including EC2 instances. The security team can create a CloudWatch Log group and configure the EC2 instances to send their system logs to this group. The logs can then be analyzed using CloudWatch Logs Insights to search for Bitcoin-related IP addresses. CloudWatch can also be configured to trigger SNS notifications when specific log events occur.

Therefore, the correct answers are B and C: B. Enable Amazon GuardDuty. C. Create a CloudWatch Log group.
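The GuardDuty-to-SNS path that both explanations above describe is normally wired up with an EventBridge rule whose pattern selects GuardDuty findings of the CryptoCurrency:EC2/ family and whose target is the SNS topic. The following Python is an added illustration, not code from the original page or from AWS: it builds that event pattern, implements a small matcher that mirrors EventBridge's basic matching semantics so the pattern can be checked offline, and shapes the notification a responder would want. The topic ARN, account ID, instance ID and finding ID are placeholder values, and the sample events are constructed to follow the documented GuardDuty EventBridge event shape.

```python
"""Route GuardDuty cryptocurrency findings to an SNS topic via EventBridge.

Added example (not AWS code). The pattern returned by build_event_pattern()
is what you would pass to `aws events put-rule --event-pattern`; the
matcher below reproduces EventBridge's basic rules so the pattern can be
validated offline against constructed findings. All IDs are placeholders.
"""
import json
from typing import Optional

# Placeholder SNS topic ARN (assumption; substitute your own topic).
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:guardduty-crypto-alerts"


def build_event_pattern() -> dict:
    """EventBridge pattern for every GuardDuty finding whose type starts with
    CryptoCurrency:EC2/ (covers BitcoinTool.B and its sibling findings)."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": [{"prefix": "CryptoCurrency:EC2/"}]},
    }


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge matcher: every pattern key must exist in the event;
    a leaf list matches if any entry equals the value or, for a
    {"prefix": ...} entry, is a prefix of it. Nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
            continue
        hit = False
        for alt in expected:
            if isinstance(alt, dict) and "prefix" in alt:
                hit = isinstance(actual, str) and actual.startswith(alt["prefix"])
            else:
                hit = actual == alt
            if hit:
                break
        if not hit:
            return False
    return True


def format_notification(event: dict) -> dict:
    """Build the SNS message body: what fired, on which instance, how severe."""
    detail = event["detail"]
    instance = detail["resource"]["instanceDetails"]
    return {
        "subject": f"GuardDuty {detail['type']} on {instance['instanceId']}",
        "finding_type": detail["type"],
        "severity": detail["severity"],
        "instance_id": instance["instanceId"],
        "region": detail["region"],
        "account_id": detail["accountId"],
        "finding_id": detail["id"],
    }


def route(event: dict) -> Optional[dict]:
    """Return the notification to publish to SNS_TOPIC_ARN, or None when the
    event is not a cryptocurrency finding (for example an Inspector event)."""
    if not matches_pattern(event, build_event_pattern()):
        return None
    return format_notification(event)


# Constructed sample events; shape follows the GuardDuty EventBridge event,
# values are made up.
CRYPTO_FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "EXAMPLE-FINDING-ID-0001",
        "accountId": "111122223333",
        "region": "us-east-1",
        "type": "CryptoCurrency:EC2/BitcoinTool.B",
        "severity": 8,
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

UNRELATED_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {"type": "PACKAGE_VULNERABILITY", "severity": "HIGH"},
}

if __name__ == "__main__":
    print(json.dumps(build_event_pattern(), indent=2))
    print(route(CRYPTO_FINDING_EVENT))
    print(route(UNRELATED_EVENT))
```

The pattern uses a prefix match rather than the single literal type so that the other CryptoCurrency:EC2/ findings (the BitcoinTool.A and .C variants and their DNS counterparts) reach the same topic; matching only BitcoinTool.B would leave the rest of the family unnotified. Running the script prints the pattern JSON, which can be saved and attached to a rule with `aws events put-rule`, after which `aws events put-targets` points the rule at the SNS topic.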