
SCS-C03 Question #114: Real Exam Question with Answer & Explanation

The correct answer is C: Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates.

Submitted by fatima_kr · Mar 6, 2026

Question

A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company's AWS account. A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group. Which additional step will meet this requirement?

Options

  • A. Configure GuardDuty to directly invoke the Lambda function if GuardDuty generates a
  • B. Configure an AWS Config rule that invokes the Lambda function if a CryptoCurrency:EC2/*
  • C. Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates
  • D. Configure an Amazon EventBridge rule that invokes the Lambda function if AWS Config detects a

Explanation

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security - Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events). Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.
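As an added example that is not part of this page or of AWS documentation, the EventBridge event pattern for option C together with the Lambda logic the question describes (drop ProdFleet, attach Isolate). The security group ids, ENI id and finding event are constructed placeholders, and `rule_matches` is a minimal re-implementation of EventBridge matching so the flow can be exercised offline.

```python
# EventBridge event pattern for the rule in option C. GuardDuty publishes every
# finding to EventBridge with source "aws.guardduty"; the prefix matcher picks
# out all CryptoCurrency:EC2/* finding types.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "CryptoCurrency:EC2/"}]},
}

PRODFLEET_SG = "sg-0prodfleet0000000"  # constructed placeholder id for ProdFleet
ISOLATE_SG = "sg-0isolate000000000"    # constructed placeholder id for Isolate

# Constructed GuardDuty finding event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0", "networkInterfaces": [
            {"networkInterfaceId": "eni-0123456789abcdef0",
             "securityGroups": [{"groupId": PRODFLEET_SG, "groupName": "ProdFleet"}]}]}},
    },
}

def rule_matches(event: dict) -> bool:
    """Minimal evaluation of EVENT_PATTERN: exact-match lists plus the prefix matcher."""
    if (event.get("source") not in EVENT_PATTERN["source"]
            or event.get("detail-type") not in EVENT_PATTERN["detail-type"]):
        return False
    finding_type = event.get("detail", {}).get("type", "")
    return any(finding_type.startswith(m["prefix"]) for m in EVENT_PATTERN["detail"]["type"])

def isolate_instance(event: dict, ec2=None):
    """Lambda body: on a matching finding, swap ProdFleet for Isolate on every ENI of
    the instance (security groups attach per ENI). Pass a boto3 EC2 client to apply
    the change; with ec2=None this is a dry run. Returns {eni_id: new_groups} or None."""
    if not rule_matches(event):
        return None
    changes = {}
    for eni in event["detail"]["resource"]["instanceDetails"]["networkInterfaces"]:
        # Keep unrelated groups, drop ProdFleet, attach Isolate (it has no outbound rules).
        new_groups = [g["groupId"] for g in eni["securityGroups"] if g["groupId"] != PRODFLEET_SG]
        if ISOLATE_SG not in new_groups:
            new_groups.append(ISOLATE_SG)
        if ec2 is not None:
            ec2.modify_network_interface_attribute(
                NetworkInterfaceId=eni["networkInterfaceId"], Groups=new_groups)
        changes[eni["networkInterfaceId"]] = new_groups
    return changes
```

In a real deployment the rule's target is the Lambda function and `ec2` is `boto3.client("ec2")`; the handler changes group membership per ENI because an instance with several network interfaces has a security group set on each one.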
