This option represents the best practice for both immediate mitigation and forensic investigation. Terminating the instance immediately stops all malicious activity, including outbound connections, providing the most effective containment. By ensuring the "Delete on Termination" flag is disabled for the attached EBS volumes, the data is preserved in its last state. A new, clean EC2 instance can then be launched in a separate, isolated environment (like another subnet) to conduct a forensically sound analysis by mounting the preserved EBS volumes as secondary drives. This prevents the compromised system from being active during the investigation, which could lead to evidence tampering or further compromise.

A. Logging into a compromised instance and installing tools is poor forensic practice. It alters the system's state, potentially destroying evidence and alerting the attacker.

B. This approach is overly complex and risky. It involves re-enabling network traffic to the compromised instance, which could allow the attack to resume or the attacker to cover their tracks.

D. AWS WAF is a web application firewall that operates at Layer 7. It cannot be attached directly to an EC2 instance to block arbitrary outbound TCP/IP connections to malicious addresses.

1. AWS Security Incident Response Guide (Whitepaper), Page 13, "Containment" and Page 14, "Data acquisition": The guide states, "A common containment strategy is to isolate the affected host from the network... For EC2 instances, you can change the security group to a previously prepared forensics security group... Alternatively, you can terminate the instance." For data acquisition, it recommends, "For EBS-backed instances, you can create a snapshot of the EBS volume... You can then create a new volume from the snapshot and attach it to your forensics instance." Option C aligns perfectly with this "terminate and analyze volume" strategy.

Source: AWS Security Incident Response Guide, August 2023.

2. AWS EC2 User Guide for Linux Instances, "Instance lifecycle" and "Amazon EBS volumes": The documentation details that when an instance is terminated, it is shut down and cannot be restarted. It also explains the DeleteOnTermination attribute for EBS volumes, which, when set to false, ensures the volume is preserved after the instance is terminated. This preserved volume can then be attached to another instance.

Source: AWS Documentation, Amazon EC2 User Guide for Linux Instances, Sections: "Terminate your instance" and "Amazon EBS volume types".

3. AWS Well-Architected Framework - Security Pillar, Page 55, "SEC 10: How do you detect and investigate security events?": This framework emphasizes the need for processes to investigate security events. The best practice is to "collect evidence in a forensically sound manner." Attaching a preserved EBS volume to a clean analysis instance, as described in option C, is a forensically sound method, whereas logging into the live system (Options A, D) is not.

Source: AWS Well-Architected Framework, Security Pillar, July 2023.

4. AWS WAF Developer Guide, "What is AWS WAF?": The official documentation states, "AWS WAF is a web application firewall that helps protect your web applications or APIs... You can deploy AWS WAF on Amazon CloudFront, Application Load Balancer, Amazon API Gateway, or AWS AppSync." This confirms WAF cannot be used to block arbitrary outbound traffic from an EC2 instance as suggested in option D.

Source: AWS WAF, API Gateway, AppSync, and CloudFront Developer Guide.