Q40 — AWS SCS-C02 Ch.1
A company has an application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group and are attached to Amazon Elastic Block Store (Amazon EBS) volumes. A security engineer needs to preserve all forensic evidence from one of the instances. Which order of steps should the security engineer use to meet this requirement?
- A. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance.
- B. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Stop the instance. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB.
- C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance. ✓
- D. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Stop the instance. Take a memory snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take an EBS volume snapshot of the instance and store the snapshot in an S3 bucket.
Correct Answer: C. Detach the instance from the Auto Scaling group. Deregister the instance from the ALB. Take an EBS volume snapshot of the instance and store the snapshot in an Amazon S3 bucket. Take a memory snapshot of the instance and store the snapshot in an S3 bucket. Stop the instance.
Explanation
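This question tests the correct order of steps for security forensics in an AWS environment. AWS documentation states that when preserving forensic evidence from an EC2 instance, the first priority is to capture volatile data (such as a memory snapshot), because stopping the instance causes the in-memory data to be lost. Option B takes the memory snapshot first and creates the EBS snapshot after the instance is stopped, ensuring data integrity. The other options do not follow the forensic process: they take the memory snapshot only after the instance is stopped (such as option D) or do not detach the load in time (such as options A and C).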