An AWS user notices unusual activity in their EC2 instances, including unexpected outbound traffic. When suspecting a security compromise, what is the most effective immediate step to take to contain the incident?
A. Increase logging levels and monitor traffic for anomalies.
B. Terminate all affected EC2 instances.
C. Reboot the affected instances to disrupt unauthorized processes.
D. Snapshot the affected instances for forensic analysis and then isolate them using network ACLs.
This scenario reflects a suspected cloud workload compromise. The ECIH Cloud Incident Handling module stresses that responders must balance containment, evidence preservation, and service continuity.
Option D is correct because creating snapshots preserves forensic evidence while isolating instances using network ACLs or security groups immediately halts malicious communication. This approach aligns with ECIH guidance to preserve evidence before destructive actions while still containing the threat.
Option B destroys evidence and hinders investigation. Option C alters system state and may trigger attacker countermeasures. Option A delays containment.
ECIH explicitly warns against terminating or rebooting compromised cloud assets before evidence capture. Snapshot-and-isolate is therefore the most effective immediate containment step.
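The snapshot-then-isolate order described above, as an added example that is not part of the original page: the script snapshots every EBS volume attached to the suspect instance (tagged with a case id) and only then swaps its security groups for a pre-created isolation group, so the instance keeps running and no state-altering action precedes evidence capture. It mirrors the boto3 EC2 client method names and keyword arguments (`describe_instances`, `create_snapshot`, `modify_instance_attribute`) so a real boto3 client can be passed in, but ships with an in-memory fake so it runs offline. The instance id, volume ids, security group ids, isolation group id and case id are constructed sample values, and `evidence_before_isolation` is a hypothetical helper that checks the call ordering.

```python
"""Snapshot-then-isolate containment for a suspected-compromised EC2 instance.

Added example, not from the original page. The client argument only needs the
three boto3-style methods used below; FakeEC2 provides them offline.
"""
from dataclasses import dataclass, field

# Constructed sample of what describe_instances returns for the suspect host.
SAMPLE_INSTANCE = {
    "InstanceId": "i-0example1234567890",
    "SecurityGroups": [{"GroupId": "sg-0exampleweb"}, {"GroupId": "sg-0exampleadmin"}],
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0exampleroot"}},
        {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0exampledata"}},
    ],
}

# Hypothetical pre-created isolation group: no inbound and no outbound rules.
ISOLATION_SG = "sg-0exampleisolate"


@dataclass
class FakeEC2:
    """Minimal stand-in for a boto3 EC2 client; records every call in order."""
    instance: dict
    calls: list = field(default_factory=list)
    _n: int = 0

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", InstanceIds))
        return {"Reservations": [{"Instances": [self.instance]}]}

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self._n += 1
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": f"snap-fake{self._n:04d}", "State": "pending"}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, list(Groups)))
        self.instance["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}


def contain_instance(ec2, instance_id, isolation_sg, case_id):
    """Preserve evidence first, then cut network access; returns a summary dict."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]

    # Step 1: snapshot every attached EBS volume, tagged with the case id so the
    # evidence can be located and access-controlled later.
    snapshots = {}
    for mapping in inst.get("BlockDeviceMappings", []):
        vol = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"IR evidence {case_id} {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{
                "ResourceType": "snapshot",
                "Tags": [{"Key": "CaseId", "Value": case_id},
                         {"Key": "SourceInstance", "Value": instance_id}],
            }],
        )
        snapshots[vol] = snap["SnapshotId"]

    # Step 2: replace all security groups with the isolation group. This is
    # instance-level containment: the host keeps running, so memory and
    # process state survive for later volatile-evidence collection.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])

    return {
        "instance_id": instance_id,
        "original_security_groups": original_sgs,
        "snapshots": snapshots,
        "isolated_with": isolation_sg,
    }


def evidence_before_isolation(calls):
    """True only if at least one snapshot was requested and all of them preceded the group swap."""
    names = [c[0] for c in calls]
    if "modify_instance_attribute" not in names or "create_snapshot" not in names:
        return False
    first_isolate = names.index("modify_instance_attribute")
    return all(n != "create_snapshot" for n in names[first_isolate:])


if __name__ == "__main__":
    ec2 = FakeEC2(instance=dict(SAMPLE_INSTANCE))
    summary = contain_instance(ec2, SAMPLE_INSTANCE["InstanceId"], ISOLATION_SG, "IR-0001")
    print(summary)
    print("evidence captured before isolation:", evidence_before_isolation(ec2.calls))
```

Swapping security groups isolates a single instance; a network ACL change, as the answer option phrases it, applies to the whole subnet and is the right tool when several hosts in that subnet are suspect. Either way the snapshot requests go out first.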