ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your SOC detects abnormal outbound connections from a Linux EC2 instance in a production VPC and suspects it is part of a botnet. The team must immediately isolate the workload to stop lateral movement, but analysts still need SSH access from a dedicated incident-response subnet to collect volatile evidence. Which action is the most effective way to meet these goals while leaving other instances in the subnet unaffected?
Change the subnet's route table to point 0.0.0.0/0 at the black-hole target to drop all external traffic.
Stop the instance, create an AMI, and relaunch it in an isolated VPC for analysis.
Add DENY rules to the subnet's network ACL to block all outbound ports for the instance's private IP.
Run the Systems Manager automation document AWSSupport-QuarantineEC2Instance to replace the instance's security groups with a quarantine group that only permits SSH from the incident-response subnet.
Running the AWS Systems Manager automation document AWSSupport-QuarantineEC2Instance automatically detaches all existing security groups from the target instance and attaches a quarantine security group that allows only the CIDR blocks you specify (for example, the incident-response subnet) and blocks all other ingress and egress traffic. Because the change is applied at the ENI level, no other instances in the subnet are impacted, and the instance remains powered on for live forensics. Stopping the instance or creating an AMI shuts down volatile memory, defeating live analysis. Network ACL or route-table changes would also affect every resource that shares the subnet, introducing unnecessary disruption and potential outages.
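The ENI-level quarantine the explanation describes, reproduced as an added Python example (it is not the AWSSupport-QuarantineEC2Instance document itself and is not from this page): it builds a quarantine security group that permits SSH only from the incident-response CIDR, revokes the implicit allow-all egress rule, and replaces the groups on each of the instance's network interfaces so other instances in the subnet are untouched. It assumes a boto3-style EC2 client; FakeEC2 is a constructed stub so the example runs offline, and the instance, VPC and ENI ids are placeholders.

```python
SSH_PORT = 22


def quarantine_instance(ec2, instance_id, ir_cidr, description="IR quarantine"):
    """Replace every security group on the instance's ENIs with a quarantine
    group that allows TCP/22 only from ir_cidr and has no egress rule. Other
    instances keep their own groups. Returns (quarantine_sg_id, eni_ids)."""
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    instance = reservations[0]["Instances"][0]
    sg_id = ec2.create_security_group(
        GroupName=f"quarantine-{instance_id}", Description=description,
        VpcId=instance["VpcId"])["GroupId"]
    # Only the incident-response CIDR may reach SSH; nothing else is allowed in.
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
        "IpRanges": [{"CidrIp": ir_cidr}]}])
    # A new group carries an implicit allow-all egress rule; revoke it so the
    # suspected bot cannot call out (SSH replies still flow: groups are stateful).
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    enis = [ni["NetworkInterfaceId"] for ni in instance["NetworkInterfaces"]]
    for eni in enis:
        # Groups= is a full replacement, so the existing groups are detached.
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[sg_id])
    return sg_id, enis


class FakeEC2:
    """Constructed stub: records the calls instead of talking to AWS."""
    def __init__(self):
        self.calls = []
    def describe_instances(self, **kw):
        self.calls.append(("describe_instances", kw))
        return {"Reservations": [{"Instances": [{"VpcId": "vpc-0example",
                "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0example"}]}]}]}
    def create_security_group(self, **kw):
        self.calls.append(("create_security_group", kw))
        return {"GroupId": "sg-0quarantine"}
    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize_security_group_ingress", kw))
    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke_security_group_egress", kw))
    def modify_network_interface_attribute(self, **kw):
        self.calls.append(("modify_network_interface_attribute", kw))


if __name__ == "__main__":
    sg, enis = quarantine_instance(FakeEC2(), "i-0example", "10.50.0.0/24")
    print(f"quarantine group {sg} attached to {enis}")
```

With a real boto3 client (`boto3.client("ec2")`) in place of FakeEC2 the same calls run against the account; the stub only proves the sequence and parameters.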
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security