What techniques will limit lateral movement and allow evidence gathering?
Remove the instance from the load balancer and terminate it.
Remove the instance from the load balancer, and shut down access to the instance by tightening the security group.
Reboot the instance and check for any Amazon CloudWatch alarms.
Stop the instance and make a snapshot of the root EBS volume.
Explanations:
Removing the instance from the load balancer and terminating it would destroy valuable evidence and hinder investigation. Evidence gathering requires preserving the instance for analysis.
Removing the instance from the load balancer and tightening the security group limits further lateral movement while still allowing access for evidence gathering. This approach isolates the instance but preserves it for analysis.
Rebooting the instance would likely wipe volatile memory, losing evidence that could be crucial. Checking CloudWatch alarms doesn’t directly help with limiting lateral movement or gathering evidence.
Stopping the instance and making a snapshot of the root EBS volume could preserve data, but stopping the instance halts any immediate response to mitigate lateral movement. The instance should remain isolated but running for analysis.
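The following shell script is an added example, not part of the original question or its explanations. It carries out the correct option (remove the instance from the load balancer, then tighten its security group) with the AWS CLI, and goes one step further by snapshotting the root EBS volume while the instance keeps running, so disk evidence is preserved without losing volatile memory. It assumes AWS CLI v2 with credentials configured; every instance ID, target group ARN, VPC ID and CIDR shown is a hypothetical placeholder, and SSH from a single forensic workstation is assumed to be the only access channel needed for evidence gathering.

```shell
# Added example (not from the original page): isolate a compromised EC2 instance
# as the correct answer describes. Assumes AWS CLI v2 with credentials configured.
# Every ID, ARN and CIDR passed to these functions is a hypothetical placeholder.

# Step 1: stop the load balancer from sending traffic to the suspect instance.
deregister_from_lb() {
  # $1 = target group ARN, $2 = instance ID
  aws elbv2 deregister-targets --target-group-arn "$1" --targets "Id=$2"
}

# Step 2: build a quarantine security group that blocks all traffic except SSH
# from the forensic workstation. Prints the new group ID on stdout.
create_quarantine_sg() {
  # $1 = VPC ID, $2 = forensic workstation CIDR (e.g. 203.0.113.10/32)
  sg_id=$(aws ec2 create-security-group \
      --group-name "ir-quarantine-$(date +%s)" \
      --description "Incident response quarantine: isolate but keep running" \
      --vpc-id "$1" --query GroupId --output text)
  # A new group allows all outbound traffic by default; remove that rule so the
  # instance cannot reach other hosts (lateral movement) or send data out.
  aws ec2 revoke-security-group-egress --group-id "$sg_id" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' >/dev/null
  # Only the forensic workstation may connect in.
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol tcp --port 22 --cidr "$2" >/dev/null
  echo "$sg_id"
}

# Step 3: replace the instance's security groups with the quarantine group.
# The instance stays running, so volatile memory is preserved for analysis.
apply_quarantine_sg() {
  # $1 = instance ID, $2 = quarantine security group ID
  aws ec2 modify-instance-attribute --instance-id "$1" --groups "$2"
}

# Step 4 (beyond the chosen answer): snapshot the root EBS volume without
# stopping the instance, so disk evidence is preserved while memory stays
# intact. Prints the snapshot ID on stdout.
snapshot_root_volume() {
  # $1 = instance ID
  root_dev=$(aws ec2 describe-instances --instance-ids "$1" \
      --query 'Reservations[0].Instances[0].RootDeviceName' --output text)
  vol_id=$(aws ec2 describe-instances --instance-ids "$1" \
      --query "Reservations[0].Instances[0].BlockDeviceMappings[?DeviceName=='$root_dev'].Ebs.VolumeId | [0]" \
      --output text)
  aws ec2 create-snapshot --volume-id "$vol_id" \
      --description "IR evidence from $1 at $(date -u +%Y-%m-%dT%H:%M:%SZ)" \
      --query SnapshotId --output text
}

# Run all steps in order and print the evidence snapshot ID.
isolate_instance() {
  # $1 = instance ID, $2 = target group ARN, $3 = VPC ID, $4 = forensic CIDR
  deregister_from_lb "$2" "$1" >/dev/null
  sg=$(create_quarantine_sg "$3" "$4")
  apply_quarantine_sg "$1" "$sg" >/dev/null
  snapshot_root_volume "$1"
}
```

Usage: source the file and call `isolate_instance i-0123456789abcdef0 <target-group-arn> vpc-0123456789abcdef0 203.0.113.10/32` with real values. The order matters: deregistering first stops new sessions arriving, the egress-free quarantine group then cuts the instance off from the rest of the VPC, and only after that is the snapshot taken, so neither step destroys what a later investigator would need.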