ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security engineer is tasked with detecting unauthorized changes to critical system binaries on a fleet of Linux-based Amazon EC2 instances that reside in private subnets behind a NAT gateway. The team also wants to limit the amount of additional network traffic that leaves each instance while still receiving near-real-time alerts. Which solution best meets these requirements?
Deploy a network-based intrusion detection system on a dedicated EC2 instance that inspects mirrored traffic from the private subnets using VPC Traffic Mirroring.
Install a host-based intrusion detection agent on each EC2 instance to monitor file integrity and local logs, forwarding only alert metadata to a central SIEM.
Enable VPC Flow Logs for the subnets and rely on Amazon GuardDuty findings to identify unauthorized file modifications.
Configure AWS WAF on the Application Load Balancer to block malicious HTTP requests that attempt to modify server files.
File integrity monitoring requires visibility into changes occurring on the instance's local file system, information that is unavailable to network-based tools that only inspect packets in transit. Installing a host-based intrusion detection agent provides direct access to local logs and files, enabling timely detection of tampering with system binaries. Because the agent can send only concise alert data to a central SIEM, it generates minimal outbound traffic.
A network IDS deployed on a separate EC2 instance (with VPC Traffic Mirroring) can observe network packets but cannot detect on-disk file changes. VPC Flow Logs analyzed by Amazon GuardDuty identify network threats such as port scanning or anomalous connections, not integrity violations on hosts. AWS WAF protects web applications by filtering HTTP/S requests at the load balancer and similarly offers no visibility into the state of individual EC2 file systems. Therefore, a host-based IDS with file integrity monitoring is the most appropriate choice.
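As an added illustration (not part of the original question or its explanation), the following Python script shows the core of what a host-based file-integrity check does: it hashes a baseline of monitored files, re-hashes them later, and emits only compact alert records for modified, removed or added files. The directory layout, file contents and path names are constructed for the demo; a real agent would baseline paths such as /usr/bin and ship the JSON records to the SIEM.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Record the hash of every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_integrity(root: Path, baseline: dict) -> list:
    """Re-hash the tree and return compact alert records for modified, removed and added
    files. Only these records (not file contents or full logs) need to leave the host."""
    current = build_baseline(root)
    alerts = []
    for path, expected in baseline.items():
        if path not in current:
            alerts.append({"event": "removed", "path": path, "expected_sha256": expected})
        elif current[path] != expected:
            alerts.append({"event": "modified", "path": path,
                           "expected_sha256": expected, "observed_sha256": current[path]})
    for path in sorted(set(current) - set(baseline)):
        alerts.append({"event": "added", "path": path, "observed_sha256": current[path]})
    return alerts

def demo() -> list:
    """Constructed scenario: baseline two fake binaries, then modify one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample 1")
        (root / "bin" / "sshd").write_bytes(b"\x7fELF constructed sample 2")
        baseline = build_baseline(root)
        (root / "bin" / "sshd").write_bytes(b"\x7fELF tampered")      # modified binary
        (root / "bin" / "ls").unlink()                                 # removed binary
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF sample 3")  # added file
        alerts = check_integrity(root, baseline)
        print(json.dumps(alerts, indent=2))  # the only data that would be forwarded to the SIEM
        return alerts

if __name__ == "__main__":
    demo()
```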