ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company runs a public-facing web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. Amazon GuardDuty has generated a high-severity finding that one instance is communicating with a known command-and-control server. According to the NIST incident response lifecycle, what is the MOST appropriate containment step to take immediately?
Terminate the Auto Scaling group and redeploy all instances from a hardened Amazon Machine Image (AMI).
Detach the affected instance from the Auto Scaling group and associate a security group that blocks all inbound and outbound traffic except to a designated forensic subnet.
Publish a post-incident report detailing the compromise and recommended process improvements.
Enable AWS Backup on all application Amazon EBS volumes to ensure recent recovery points are available.
During the containment phase, the goal is to limit the attacker's ability to cause additional harm while preserving evidence for later analysis and eradication. The quickest way to contain a compromised EC2 instance is to isolate it from the rest of the environment. Detaching it from the load balancer and Auto Scaling group and applying a tightly restricted security group prevents further inbound or outbound communication, yet keeps the instance running so memory and disk evidence remain intact. Terminating and redeploying systems is a recovery action, not containment. Generating reports and updating documentation are post-incident activities. Enabling AWS Backup improves preparation and recovery capabilities but does not immediately stop the active threat.
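The containment step from the explanation, sketched as an added example that is not part of the original question: it reads a GuardDuty finding and builds the ordered boto3 calls that detach the instance from its Auto Scaling group and swap every network interface onto an isolation security group. The sample finding and all IDs are constructed, `containment_plan` and `execute` are hypothetical names, and the isolation security group (forensic subnet only) is assumed to exist already.

```python
# Constructed sample: a trimmed GuardDuty finding; every ID below is made up.
SAMPLE_FINDING = {
    "Type": "Backdoor:EC2/C&CActivity.B",
    "Severity": 8.0,
    "Resource": {"ResourceType": "Instance", "InstanceDetails": {
        "InstanceId": "i-0123456789abcdef0",
        "Tags": [{"Key": "aws:autoscaling:groupName", "Value": "web-asg"}],
        "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa1"},
                              {"NetworkInterfaceId": "eni-0aaaaaaaaaaaaaaa2"}]}},
}
# Assumption: a pre-built security group that only allows the forensic subnet.
ISOLATION_SG = "sg-0123456789abcdef0"


def containment_plan(finding, isolation_sg, min_severity=7.0):
    """Return ordered (service, operation, kwargs) steps, or [] if out of scope."""
    resource = finding.get("Resource", {})
    if resource.get("ResourceType") != "Instance":
        return []
    if finding.get("Severity", 0) < min_severity:
        return []
    inst = resource["InstanceDetails"]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    plan = []
    asg = tags.get("aws:autoscaling:groupName")  # tag set by Auto Scaling
    if asg:
        # Detach rather than terminate: the instance keeps running, so memory
        # and disk evidence survive, and the group launches a replacement.
        plan.append(("autoscaling", "detach_instances", {
            "InstanceIds": [inst["InstanceId"]],
            "AutoScalingGroupName": asg,
            "ShouldDecrementDesiredCapacity": False}))
    # Replace the security groups on every interface, not just the primary one.
    for eni in inst.get("NetworkInterfaces", []):
        plan.append(("ec2", "modify_network_interface_attribute", {
            "NetworkInterfaceId": eni["NetworkInterfaceId"],
            "Groups": [isolation_sg]}))
    return plan


def execute(plan):
    """Apply the plan with boto3 (needs AWS credentials; never run on import)."""
    import boto3
    for service, operation, kwargs in plan:
        getattr(boto3.client(service), operation)(**kwargs)


if __name__ == "__main__":
    for step in containment_plan(SAMPLE_FINDING, ISOLATION_SG):
        print(step)
```

Printing the plan before calling `execute` gives responders a record of exactly which changes were made to the instance during containment.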
Incident Response and Recovery