ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company hosts a payment-processing workload on Amazon Linux EC2 instances behind an Application Load Balancer in a VPC. To satisfy PCI DSS, security must be alerted within minutes if system binaries such as /usr/bin/ssh or critical configuration files on any instance are altered. Network architecture changes are not permitted. Which solution best meets these requirements?
Deploy a network-based IDS appliance in a dedicated subnet and mirror all application traffic to it for deep packet inspection.
Configure AWS WAF with custom rules to inspect HTTP requests and generate alerts when malicious payloads are detected.
Enable VPC Flow Logs and configure Amazon GuardDuty to detect anomalous traffic and file changes on the EC2 instances.
Install a host-based intrusion detection system agent with file-integrity monitoring on each EC2 instance and forward alerts to Amazon CloudWatch Logs.
PCI DSS requires file-integrity monitoring on critical systems. Installing a host-based intrusion detection system (HIDS) with file-integrity monitoring on each EC2 instance can hash and compare files like /usr/bin/ssh against a known-good baseline and forward alerts to Amazon CloudWatch Logs, providing near-real-time notification without altering the VPC design.
VPC Flow Logs with Amazon GuardDuty analyze network, DNS, and CloudTrail telemetry; they do not monitor on-host file changes, so they cannot meet the file-integrity requirement.
A network-based IDS that inspects traffic mirrored from ENIs can detect malicious packets but cannot observe local file writes that generate no network traffic, so it would miss silent modifications to system binaries.
AWS WAF only evaluates HTTP/S requests at the edge or load-balancer layer and has no visibility into the operating-system file system on EC2 instances.
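As an added illustration (not part of the question or its answer key), the check below does what the explanation describes a HIDS agent doing: it records a SHA-256, mode and size baseline for monitored files, re-checks them, and emits one JSON line per deviation, the kind of line a CloudWatch Logs agent would forward. The monitored paths are constructed files in a temporary directory standing in for /usr/bin/ssh and an sshd config, not real system files.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(p: Path) -> dict:
    st = p.stat()
    return {"sha256": sha256_file(p), "mode": st.st_mode & 0o7777, "size": st.st_size}


def build_baseline(paths) -> dict:
    """Known-good state: path -> hash/mode/size, taken when the instance is trusted."""
    return {str(p): snapshot(Path(p)) for p in paths}


def check_integrity(baseline: dict) -> list:
    """Re-examine every baselined path; return one alert dict per missing or modified file."""
    alerts = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append({"path": path, "event": "missing"})
            continue
        actual = snapshot(p)
        changed = [k for k in expected if expected[k] != actual[k]]
        if changed:
            alerts.append({"path": path, "event": "modified", "fields": changed,
                           "expected_sha256": expected["sha256"], "actual_sha256": actual["sha256"]})
    return alerts


def demo() -> dict:
    """Constructed scenario: clean check, then a rewritten binary and a deleted config."""
    with tempfile.TemporaryDirectory() as d:
        ssh = Path(d) / "ssh"
        ssh.write_bytes(b"\x7fELF original binary")  # stand-in for /usr/bin/ssh
        cfg = Path(d) / "sshd_config"
        cfg.write_text("PermitRootLogin no\n")      # stand-in for a critical config file
        baseline = build_baseline([ssh, cfg])
        before = check_integrity(baseline)            # nothing changed yet -> []
        ssh.write_bytes(b"\x7fELF tampered binary")  # same size, different content
        cfg.unlink()                                  # config removed
        after = check_integrity(baseline)
        for alert in after:
            print(json.dumps(alert))                  # one JSON line per alert for log shipping
        return {"before": before, "after": after}
```

In production the baseline would be stored off-host or signed, since an attacker who can rewrite /usr/bin/ssh can also rewrite a baseline kept beside it.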