
SCS-C02 Question #357: Real Exam Question with Answer & Explanation

The correct answer is D: Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the

Submitted by viktor_hu · Mar 6, 2026 · Incident Response

Question

A company's Security Team received an email notification from the Amazon EC2 Abuse team that one or more of the company's Amazon EC2 instances may have been compromised. Which combination of actions should the Security team take to respond to the current incident? (Choose two.)

Options

  • A. Open a support case with the AWS Security team and ask them to remove the malicious code
  • B. Respond to the notification and list the actions that have been taken to address the incident
  • C. Delete all IAM users and resources in the account
  • D. Detach the internet gateway from the VPC, remove all rules that contain 0.0.0.0/0 from the
  • E. Delete the identified compromised instances and delete any associated resources that the

Explanation

When AWS notifies you of a compromised EC2 instance, the correct response follows the Contain → Eradicate incident response model. Option D (detaching the internet gateway and removing 0.0.0.0/0 rules) isolates the compromised instance from the internet, stopping ongoing malicious activity like data exfiltration or C2 communication. Option E (deleting the compromised instances and associated resources) eradicates the threat entirely, since a compromised instance should never be trusted again - rebuild from a known-good AMI instead.

Why the distractors are wrong:

  • A is wrong because under the AWS Shared Responsibility Model, AWS manages the infrastructure but you own what's running inside your EC2 instances - AWS will not remove malicious code for you.
  • B is wrong as a standalone action - responding to the notification is a compliance courtesy but does nothing to actually contain or remediate the incident.
  • C is wrong because deleting all IAM users and resources is a disproportionate, destructive overreaction that would cripple the entire account, not just address the compromised instances.

Memory tip: Remember "Isolate, then Incinerate" - cut the network path first (D), then destroy the compromised resource (E). This mirrors the classic IR phases: Containment → Eradication.

Topics

#Incident Response · #EC2 Security · #Network Containment · #Resource Eradication
