Which actions should the Engineer take based on this situation?
(Choose three.)
Use AWS Artifact to capture an exact image of the state of each instance.
Create EBS Snapshots of each of the volumes attached to the compromised instances.
Capture a memory dump.
Log in to each instance with administrative credentials to restart the instance.
Revoke all network ingress and egress except to and from a forensics workstation.
Run Auto Recovery for Amazon EC2.
Explanations:
AWS Artifact is primarily used to access compliance reports and documentation, not for capturing images or the state of EC2 instances. Therefore, it is not the appropriate tool for this situation.
Creating EBS snapshots of the volumes attached to the compromised instances is crucial for preserving the data for forensic analysis. This allows the security engineer to analyze the state of the instance and recover data without altering the original volumes.
Capturing a memory dump is an important step in incident response as it allows for analysis of the processes and data in memory, which can provide insights into the running state of the instance at the time of the incident. This is critical for understanding how the abuse occurred.
Logging into each instance to restart it can potentially lead to data loss or further compromise the investigation, especially if the instances are already under abuse. It is not advisable to interact with the compromised instances without proper forensic procedures.
Revoking all network ingress and egress except for a forensics workstation is a critical step to prevent further abuse and to secure the compromised instances. It isolates the instances for investigation while allowing forensics teams to access them without interference from external traffic.
Running Auto Recovery for Amazon EC2 is not appropriate in this context. Auto Recovery is used to recover instances that are impaired due to underlying hardware issues, not for instances that are compromised or reported for abuse. This could also lead to loss of evidence.