Which steps should be taken to investigate the suspected compromise? (Choose three.)
Detach the elastic network interface from the EC2 instance.
Initiate an Amazon Elastic Block Store volume snapshot of all volumes on the EC2 instance.
Disable any Amazon Route 53 health checks associated with the EC2 instance.
De-register the EC2 instance from the ALB and detach it from the Auto Scaling group.
Attach a security group that has restrictive ingress and egress rules to the EC2 instance.
Add a rule to an AWS WAF to block access to the EC2 instance.
Explanations:
Detaching the elastic network interface may disrupt network connectivity and monitoring, making it harder to investigate the instance. It’s better to keep it connected to gather logs and other information.
Taking a snapshot of the EBS volumes allows for data preservation and analysis without altering the current state of the instance. This is crucial for forensic investigation.
Disabling Route 53 health checks might lead to the instance being treated as unhealthy and removed from service. It’s important to maintain health checks to understand the impact on traffic and logs.
De-registering the instance from the ALB and detaching it from the Auto Scaling group prevents further traffic to the instance, allowing for investigation without affecting other instances.
Applying a restrictive security group can help contain potential threats and limit any malicious activity while the investigation is ongoing, providing a safer environment for analysis.
Adding a WAF rule only filters web requests that reach the instance through the ALB; it does not isolate an already compromised instance at the network level. Isolating the instance directly is the more effective response.