ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
During an overnight shift you receive an Amazon GuardDuty finding that a production Amazon EC2 instance is repeatedly contacting a known command-and-control domain. As the on-call first responder, you must preserve evidence while stopping further attacker communication without powering off the instance. Which immediate action best satisfies these requirements?
Terminate the compromised instance and launch a replacement from a known-good Amazon Machine Image (AMI).
Stop the EC2 instance to halt the malicious processes and freeze its state.
Immediately patch the operating system and rotate all IAM credentials used by the instance.
Attach a security group that contains no inbound or outbound rules, completely isolating the instance from the network while it stays powered on.
A security group functions as a stateful virtual firewall; with no inbound or outbound rules it blocks all traffic by default. Attaching such a deny-all security group immediately severs the instance's network connectivity while it keeps running, so its memory and disks remain intact for later forensic collection. Stopping the instance flushes RAM and alters disks, destroying volatile evidence. Patching software or rotating credentials changes system state and can overwrite artifacts before they are captured. Terminating and rebuilding the instance eradicates any remaining evidence entirely. Therefore, network isolation via a restrictive security group (or an equivalent deny-all network ACL) is the correct first step.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Amazon GuardDuty?
Open an interactive chat with Bash
What are command-and-control (C2) domains?
Open an interactive chat with Bash
How does a security group with no rules isolate an instance?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Incident Response and Recovery
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .