In your AWS account, an EC2 instance is deployed to a new web application. You have enabled Amazon GuardDuty which is a continuous security monitoring service. There is a new security issue reported from GuardDuty saying that the EC2 instance is potentially compromised. You SSH to the instance but do not find any malware or unauthorized activities. Which actions would you take to remediate the instance?

Answer options:

A.No actions are required as the findings in GuardDuty are security suggestions and may not indicate a real issue.
B.Add the instance IP in the whitelisted IP list in GuardDuty to avoid any false alarms related to the instance.
C.Isolate the instance by modifying the security groups and ACLs.Capture memory dumps and take a snapshot. Replace the instance with a new one.
D.Add a Suppression Rule to filter the instance ID so that GuardDuty does not report findings for instance.

Correct Answer – C
If you cannot identify or stop the unauthorized activity on the potentially compromised EC2 instance, you should still terminate the instance and inspect the existing security approaches. The reference can be found in https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2.
Option A is incorrect: Because the instance may still be compromised, which can lead to serious security issues.
Option B is incorrect: GuardDuty will not report the security issues, for instance, anymore. This is not appropriate as you are unsure whether or not the instance is secure.
Option C is CORRECT: You should isolate the instance, dump the data and perform further investigation before trying to replace the instance.
Option D is incorrect: It is similar to option
B. Suppressing findings, for instance, is dangerous as it may hide a real security issue.