🔥 3-day streak
AWS Certified Security - Specialty144 / 157
Question 144 of 157

During an active incident, a security analyst confirms that a particular malicious binary was dropped on one EC2 instance by an attacker. The organization runs roughly 800 Linux EC2 instances across multiple accounts, all managed as AWS Systems Manager managed nodes. The incident commander needs to rapidly determine which other instances contain the same malicious file so the containment team can prioritize isolation. The response must run at fleet scale, avoid installing new agents, and produce results the team can query centrally. Which approach BEST meets these requirements during the containment phase?

Reviewed for accuracy · Report an issueNext question