ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your Linux workloads run on older EC2 instances that use the Xen hypervisor. AWS has just disclosed a vulnerability that lets a malicious guest read host memory, enabling a VM-escape across tenants. As the security engineer, which immediate action provides the strongest protection against this risk while minimizing downtime?
Move the instances into a separate VPC subnet protected by restrictive network ACL rules that block all inter-subnet traffic.
Install host-based intrusion detection agents on each guest to monitor for anomalous kernel-level behavior.
Schedule weekly Amazon Inspector scans on the instances to identify and patch operating system vulnerabilities.
Re-launch the instances on Nitro-based EC2 instance families (for example, M6i or C6g) that use a minimized, hardware-enforced hypervisor for stronger tenant isolation.
Migrating the workloads to instance families that run on the AWS Nitro System places each EC2 instance in a dedicated hardware-isolated environment enforced by the Nitro hypervisor. Nitro's minimized, hardware-assisted design dramatically reduces the attack surface and prevents guests from gaining access to the underlying host or other tenants, making it the most effective countermeasure against VM escape risks. The other options improve security posture in different areas but do not address the underlying hypervisor escape vector: host-based IDS detects activity only after compromise, network ACLs do not mitigate in-host memory exposure, and vulnerability scanning does not itself prevent exploitation.
Systems and Application Security