
SCS-C03 · Question #29

SCS-C03 Question #29: Real Exam Question with Answer & Explanation

The correct answer is B: Enable Amazon GuardDuty in the AWS account.

Submitted by yousef_jo · Mar 6, 2026

Question

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis showed that the instance was compromised 35 days ago. A security engineer must implement a continuous monitoring solution that automatically notifies the security team by email for high severity findings as soon as possible. Which combination of steps should the security engineer take to meet these requirements? (Select THREE.)

Options

  • A. Enable AWS Security Hub in the AWS account.
  • B. Enable Amazon GuardDuty in the AWS account.
  • C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the security
  • D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the security team's
  • E. Create an Amazon EventBridge rule for GuardDuty findings of high severity. Configure the rule to
  • F. Create an Amazon EventBridge rule for Security Hub findings of high severity. Configure the rule

Explanation

Amazon GuardDuty provides continuous threat detection for compromised instances by analyzing VPC Flow Logs, DNS logs, and CloudTrail events. According to AWS Certified Security - Specialty guidance, GuardDuty is the fastest service to enable for detecting malware and compromised EC2 instances. To notify the security team, Amazon SNS provides a native email notification mechanism with minimal setup. Amazon EventBridge integrates directly with GuardDuty findings and can filter based on severity. Creating an EventBridge rule that matches high severity GuardDuty findings and publishes to SNS ensures immediate notification. Security Hub is not required for this use case and adds additional setup time. Amazon SQS does not support email subscriptions.
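
The GuardDuty to EventBridge to SNS path described in the explanation, as an added example that is not part of the original question page: the event pattern is checked offline against constructed sample events, and `deploy` wires the same pattern up with boto3. The rule/topic name, the sample events and the choice of severity 7 and above (which covers GuardDuty's High range) are assumptions of this example.

```python
import json

# EventBridge pattern: GuardDuty findings with severity >= 7 (High and above).
PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"],
           "detail": {"severity": [{"numeric": [">=", 7]}]}}

# Constructed sample events, trimmed to the fields the pattern inspects.
SAMPLES = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2}},
    {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
     "detail": {"severity": 8}},
]

def _leaf(rule, value):
    if isinstance(rule, dict) and "numeric" in rule:   # only the ">=" form is needed here
        op, bound = rule["numeric"]
        return op == ">=" and isinstance(value, (int, float)) and value >= bound
    return rule == value

def matches(pattern, event):
    """Offline evaluator for the subset of EventBridge pattern syntax used above."""
    for key, rule in pattern.items():
        value = event.get(key)
        if isinstance(rule, dict):                      # nested object: recurse
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        elif not any(_leaf(r, value) for r in rule):    # list: any entry may match
            return False
    return True

def deploy(email, name="guardduty-high-severity"):      # name is a hypothetical label
    import boto3  # imported lazily so the offline check runs without AWS access
    boto3.client("guardduty").create_detector(Enable=True)  # errors if one already exists
    sns, events = boto3.client("sns"), boto3.client("events")
    arn = sns.create_topic(Name=name)["TopicArn"]
    sns.subscribe(TopicArn=arn, Protocol="email", Endpoint=email)  # recipient must confirm
    # Replace the topic policy so EventBridge may publish; without it nothing is delivered.
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
        "Action": "sns:Publish", "Resource": arn}]}
    sns.set_topic_attributes(TopicArn=arn, AttributeName="Policy",
                             AttributeValue=json.dumps(policy))
    events.put_rule(Name=name, EventPattern=json.dumps(PATTERN), State="ENABLED")
    events.put_targets(Rule=name, Targets=[{"Id": "sns-email", "Arn": arn}])
    return arn

if __name__ == "__main__":
    print([e["detail"].get("type") for e in SAMPLES if matches(PATTERN, e)])
```

Until the recipient confirms the SNS subscription email, no notifications are delivered, so confirm it before relying on the rule.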
