Which combination of steps must the security engineer take to meet these requirements?

By:
In: SCS-C01
Tagged:
With: 2 Comments
A security engineer receives an AWS abuse email message.According to the message, an Amazon EC2 instance that is running in the security engineer’s AWS account is sending phishing email messages.The EC2 instance is part of an application that is deployed in production.The application runs on many EC2 instances behind an Application Load Balancer.The instances run in an Amazon EC2 Auto Scaling group across multiple subnets and multiple Availability Zones.The instances normally communicate only over the HTTP, HTTPS, and MySQL protocols.Upon investigation, the security engineer discovers that email messages are being sent over port 587.All other traffic is normal.The security engineer must create a solution that contains the compromised EC2 instance, preserves forensic evidence for analysis, and minimizes application downtime.

Which combination of steps must the security engineer take to meet these requirements?

(Choose three.)

Add an outbound rule to the security group that is attached to the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Gather volatile memory from the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then take a snapshot of the compromised EC2 instance.

Take a snapshot of the compromised EC2 instance. Suspend the compromised EC2 instance from the Auto Scaling group. Then gather volatile memory from the compromised EC2 instance.

Move the compromised EC2 instance to an isolated subnet that has a network ACL that has no inbound rules or outbound rules.

Replace the existing security group that is attached to the compromised EC2 instance with a new security group that has no inbound rules or outbound rules.

2026-04-03

2 Comments

  1. Christian
    Author

    As far as I can tell, the answer is:
    Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

  2. Amber
    Author

    From my point of view, the answer is:
    Add an outbound rule to the network ACL for the subnet that contains the compromised EC2 instance to deny traffic to 0.0.0.0/0 and port 587.

Leave a Reply

Your email address will not be published. Required fields are marked *

seven + nine =