Detect Configuration Changes in AWS Account | Exam Preparation

Question

One of the EC2 Instances in your company has been compromised.

You have already terminated the instance.

It has been found that someone opened a port in the EC2 security group that has resulted in the problem.

You need to take some steps to detect configuration changes in the AWS account.

Which of the following options are suitable? (Select TWO.)

Explanations

Answer - B and C.

Option A is incorrect because removing the role will not help completely in such a situation.

Option D is incorrect because this may not be practical and would need a lot of work.

Lambda functions may also have security issues if security best practices are not applied.

Turning CloudTrail on in every AWS Region will allow you to identify unusual behavior more easily, such as AWS services being provisioned from an AWS Region that your organization does not use.

With AWS Config rules, you can track Security Group resources and be alerted whenever a security group has been changed.

For more information on security scenarios for your EC2 Instance, please refer to the URL below:

https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_11_TSB_Final.pdf

In the scenario where an EC2 instance has been compromised and a port has been opened in the security group, the first step is to terminate the instance to prevent further damage. After this, there is a need to detect any changes in the AWS account's configuration to avoid similar incidents in the future.

Two suitable options for detecting configuration changes in the AWS account are:

  1. Turn on AWS CloudTrail in every AWS Region: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of the AWS account. It provides a record of AWS API calls made on an AWS account and can track configuration changes to resources such as EC2 instances and security groups. By turning on CloudTrail in every AWS Region, it is possible to capture all API activity in the account and track any changes made to the resources.

  2. Configure AWS Config rules to track the Security Group changes: AWS Config is a service that helps evaluate the configuration of AWS resources for compliance with the desired configuration policies. With AWS Config, it is possible to set up rules to track the changes made to resources such as security groups. By configuring AWS Config rules to track security group changes, it is possible to detect any unauthorized changes to the security group that could have resulted in the compromise of the EC2 instance.

The other two options - removing the IAM role applied to the EC2 instance and replacing all EC2 instances with Lambda functions - are not relevant to the scenario and do not address the need to detect configuration changes in the AWS account. Removing the IAM role applied to the EC2 instance could impact the functionality of the instance, while replacing all EC2 instances with Lambda functions is not a feasible solution as Lambda functions serve a different purpose compared to EC2 instances.
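As an added illustration (not from the exam page and not AWS code), here is the kind of check the two correct options describe, run over constructed CloudTrail records: it flags every security group change, any ingress rule that admits the whole internet, and API activity in a region the organisation does not use. The allowed-region set, the sample ARNs, group IDs and events are assumptions made for the example.

```python
from ipaddress import ip_network

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}  # assumption: the regions this organisation uses
SG_CHANGE_EVENTS = {  # CloudTrail eventName values that alter a security group
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress", "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress", "ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup"}

def world_open_ranges(record):
    """Return (protocol, fromPort, toPort, cidr) for rules that admit 0.0.0.0/0 or ::/0."""
    perms = record.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    found = []
    for perm in perms:
        for key, field in (("ipRanges", "cidrIp"), ("ipv6Ranges", "cidrIpv6")):
            for rng in perm.get(key, {}).get("items", []):
                if ip_network(rng[field], strict=False).prefixlen == 0:
                    found.append((perm.get("ipProtocol"), perm.get("fromPort"),
                                  perm.get("toPort"), rng[field]))
    return found

def review_records(records, allowed_regions=ALLOWED_REGIONS):
    """Walk CloudTrail records and return (finding, detail, resource, actor) tuples."""
    findings = []
    for rec in records:
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec["awsRegion"] not in allowed_regions:  # activity in a region nobody should be using
            findings.append(("unexpected-region", rec["eventName"], rec["awsRegion"], actor))
        if rec["eventName"] in SG_CHANGE_EVENTS:  # every security group change gets recorded
            group_id = (rec.get("requestParameters") or {}).get("groupId")
            findings.append(("sg-change", rec["eventName"], group_id, actor))
        if rec["eventName"] == "AuthorizeSecurityGroupIngress":  # a world-open port deserves an alert
            for proto, lo, hi, cidr in world_open_ranges(rec):
                findings.append(("world-open-ingress", f"{proto}/{lo}-{hi}", cidr, actor))
    return findings

def _ingress_record(region, group_id, proto, lo, hi, cidr, actor):
    """Build a constructed AuthorizeSecurityGroupIngress record in CloudTrail's layout."""
    return {"eventName": "AuthorizeSecurityGroupIngress", "awsRegion": region, "userIdentity": {"arn": actor},
            "requestParameters": {"groupId": group_id, "ipPermissions": {"items": [{
                "ipProtocol": proto, "fromPort": lo, "toPort": hi,
                "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}

# Constructed sample events (not real data): world-open SSH, internal-only HTTPS, a launch in an unused region.
SAMPLE_RECORDS = [
    _ingress_record("us-east-1", "sg-0aaa", "tcp", 22, 22, "0.0.0.0/0",
                    "arn:aws:iam::111122223333:user/example-dev"),
    _ingress_record("eu-west-1", "sg-0bbb", "tcp", 443, 443, "10.0.0.0/8",
                    "arn:aws:iam::111122223333:role/deploy"),
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-2", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-dev"}},
]
```

In practice the records would come from the CloudTrail log files delivered to S3 (each file is a JSON object with a `Records` list), and the same world-open test is what a managed AWS Config rule evaluates against the current state of the group rather than against the API call that produced it.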