Amazon SCS-C03 Exam - Topic 2 Question 7 Discussion

Actual exam question for Amazon's SCS-C03 exam

Question #: 7
Topic #: 2

A company finds that one of its Amazon EC2 instances suddenly has a high CPU usage. The company does not know whether the EC2 instance is compromised or whether the operating system is performing background cleanup.

Which combination of steps should a security engineer take before investigating the issue? (Select THREE.)

ADisable termination protection for the EC2 instance if termination protection has not been disabled.

BEnable termination protection for the EC2 instance if termination protection has not been enabled.

CTake snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

DRemove all snapshots of the Amazon Elastic Block Store (Amazon EBS) data volumes that are attached to the EC2 instance.

ECapture the EC2 instance metadata, and then tag the EC2 instance as under quarantine.

FImmediately remove any entries in the EC2 instance metadata that contain sensitive information.

Show Suggested Answer

Suggested Answer: B, C, E

Before beginning an investigation, incident response best practice is topreserve evidence,prevent accidental loss of the asset, andclearly mark and control the potentially affected resource. Enablingtermination protection(Option B) helps ensure the instance is not accidentally terminated during triage, which would destroy volatile evidence and complicate forensics and recovery.

TakingEBS snapshotsof all attached data volumes (Option C) preserves a point-in-time copy of disk evidence for later forensic analysis, malware scanning, or offline investigation. Snapshots allow responders to create forensic volumes or AMIs in an isolated environment without repeatedly touching the potentially compromised instance.

Capturinginstance metadataand tagging the instance asunder quarantine(Option E) supports both investigation and operational control. Metadata capture (instance ID, IAM role, network interfaces, security groups, user-data, tags, recent changes) provides context for responders. Quarantine tagging enables automated workflows (for example, incident runbooks that isolate the instance, restrict IAM, or move it to a quarantine security group) and signals to other teams/tools that the instance is under investigation.

Option A is the opposite of what you want. Option D destroys evidence. Option F is not an appropriate ''before investigation'' step; altering metadata risks losing evidence and is not the primary containment approach.

by Kaycee at Mar 31, 2026, 05:26 PM

Limited Time Offer

25%

Off

Get Premium SCS-C03 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!