Answers: A, B, and C
Option A is CORRECT because capturing a snapshot of the EBS volume preserves its state for further investigation. If you need to shut down the initial instance, you can still launch a new instance from the snapshot and carry out a separate investigation on it.
Option B is CORRECT because the first step would be to isolate the instance so that no further harm can come to other AWS resources.
Option C is CORRECT because this indicates that we have already retrieved logs, and we need to make sure that they are stored securely so that no unauthorized person can access and manipulate them.
Option D is incorrect because changing IAM credentials would affect all the users on the AWS account, including the ones using different services and environments (DEV/TEST/PROD).
Option E is incorrect because changing access keys would affect all the users on the AWS account, including the ones using different services and environments (DEV/TEST/PROD).
Note:
For more information on adopting a security framework, refer to the following URL:
https://d1.awsstatic.com/whitepapers/compliance/NIST_Cybersecurity_Framework_CSF.pdf