SCS-C03 · Question #142
SCS-C03 Question #142: Real Exam Question with Answer & Explanation
The correct answer is B: Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty.
Question
A company runs a web application on a fleet of Amazon EC2 instances that are in an Auto Scaling group. The EC2 instances are in the same VPC subnet as other workloads. A security engineer deploys an Amazon GuardDuty detector in the same AWS Region as the EC2 instances and integrates GuardDuty with AWS Security Hub. The security engineer needs to implement an automated solution to detect and appropriately respond to anomalous traffic patterns for the web application. The solution must comply with AWS best practices for initial response to security incidents and must minimize disruption to the web application. Which solution will meet these requirements?
Options
- A. Disable the EC2 instance profile credentials by using AWS Lambda.
- B. Create an Amazon EventBridge rule that invokes an AWS Lambda function when GuardDuty
- C. Update the subnet network ACL to block traffic from the detected source IP addresses.
- D. Send GuardDuty findings to Amazon SNS for email notification.
Explanation
AWS incident response best practices emphasize rapid containment with minimal blast radius. According to the AWS Certified Security - Specialty Official Study Guide, isolating a compromised resource while allowing the application to continue running is the preferred initial response. By using Amazon EventBridge to detect GuardDuty findings related to anomalous traffic and invoking a Lambda function, the security engineer can automatically remove the affected EC2 instance from the Auto Scaling group and attach a restricted security group. This immediately isolates the instance while allowing Auto Scaling to launch a replacement instance, ensuring application availability.
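A sketch of the Lambda function the explanation describes, added here as an example and not taken from the study guide or from AWS. The `ISOLATION_SG_ID` environment variable, its placeholder value, the sample event and the injectable `autoscaling`/`ec2` parameters are assumptions; narrowing the rule to specific finding types is left to the deployer.

```python
import os
# Assumption: a pre-created security group with no inbound or outbound rules.
ISOLATION_SG_ID = os.environ.get("ISOLATION_SG_ID", "sg-EXAMPLEISOLATION")

# EventBridge event pattern that routes GuardDuty findings to this function.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"resource": {"resourceType": "Instance",
                           "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}


def extract_instance_id(event):
    """Return the EC2 instance ID named in a GuardDuty finding, or None."""
    if event.get("source") != "aws.guardduty":
        return None
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def isolate_instance(instance_id, autoscaling, ec2, isolation_sg=ISOLATION_SG_ID):
    """Detach from the Auto Scaling group, then swap in the restricted group."""
    actions = []
    found = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    for inst in found.get("AutoScalingInstances", []):
        # Keep desired capacity so Auto Scaling launches a replacement.
        autoscaling.detach_instances(
            InstanceIds=[instance_id],
            AutoScalingGroupName=inst["AutoScalingGroupName"],
            ShouldDecrementDesiredCapacity=False)
        actions.append("detached:" + inst["AutoScalingGroupName"])
    # Replaces every security group on the instance with the restricted one.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    actions.append("security_group:" + isolation_sg)
    return actions


def lambda_handler(event, context, autoscaling=None, ec2=None):
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"isolated": False, "actions": []}
    if autoscaling is None or ec2 is None:
        import boto3  # lazy import: the logic above is testable without AWS
        autoscaling = autoscaling or boto3.client("autoscaling")
        ec2 = ec2 or boto3.client("ec2")
    actions = isolate_instance(instance_id, autoscaling, ec2)
    return {"isolated": True, "instance": instance_id, "actions": actions}
```

Detaching before changing the security group keeps the instance running for later investigation while the group launches its replacement.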