One of the EC2 Instances in your company has been compromised. You have already terminated the instance. It has been found that someone opened a port in the EC2 security group that has resulted in the problem. You need to take some steps to detect configuration changes in the AWS account. Which of the following options are suitable? (Select TWO.)

Answer options:

A.Remove the IAM role applied to the EC2 Instance.
B.Turn on AWS CloudTrail in every AWS Region.
C.Configure AWS Config rules to track the Security Group changes.
D.Replace all EC2 instances with Lambda functions.

Answer – B and C
Option A is incorrect because removing the role will not help completely in such a situation.
Option D is incorrect because this may not be practical and need lots of work. Lambda functions may also have security issues if security best practices are not applied.
Turning CloudTrail on in every AWS Region will allow you to identify unusual behavior more easily, such as AWS services being provisioned from an AWS Region that your organization does not use.
With AWS Config rules, you can trace the Security Group resources and alert you whenever a security group has been changed.
For more information on security scenarios for your EC2 Instance, please refer to the below URL:
https://d1.awsstatic.com/Marketplace/scenarios/security/SEC_11_TSB_Final.pdf