
SCS-C03 · Question #46

SCS-C03 Question #46: Real Exam Question with Answer & Explanation

The correct answer is B: Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto.

Submitted by satoshi_tk · Mar 6, 2026

Question

A company runs a web application on a fleet of Amazon EC2 instances in an Auto Scaling group. Amazon GuardDuty and AWS Security Hub are enabled. The security engineer needs an automated response to anomalous traffic that follows AWS best practices and minimizes application disruption. Which solution will meet these requirements?

Options

  • A. Use EventBridge to disable the instance profile access keys.
  • B. Use EventBridge to invoke a Lambda function that removes the affected instance from the Auto
  • C. Use Security Hub to update the subnet network ACL to block traffic.
  • D. Send GuardDuty findings to Amazon SNS for email notification.

Explanation

AWS incident response best practices emphasize isolating compromised resources rather than immediately terminating them. According to AWS Certified Security - Specialty documentation, removing an instance from an Auto Scaling group prevents replacement loops, while applying a restrictive security group isolates the instance for forensic analysis. Using Amazon EventBridge to trigger an AWS Lambda function enables automated, consistent responses to GuardDuty findings. This approach minimizes disruption to the application because healthy instances continue serving traffic while the affected instance is isolated. Disabling credentials or modifying network ACLs can have broader impact on unrelated workloads. SNS notifications alone do not provide response automation. AWS recommends isolate-and-investigate patterns for EC2 incident response.
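The isolate-and-investigate response described above, sketched as a Lambda handler (an added example, not code from the exam or from AWS). It assumes a pre-created security group with no rules, an instance with a single network interface, and hypothetical names: the `ISOLATION_SG_ID` variable, the placeholder group ID, and the `ir-status` and `guardduty-finding` tag keys.

```python
import os

# Assumed: ID of a pre-created security group with no inbound or outbound rules.
ISOLATION_SG = os.environ.get("ISOLATION_SG_ID", "sg-0123456789abcdef0")  # placeholder

# EventBridge rule pattern that routes GuardDuty findings to this function.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}


def isolate_instance(event, autoscaling, ec2, isolation_sg=ISOLATION_SG):
    """Detach the instance named in a GuardDuty finding from its Auto Scaling
    group, then swap its security groups for the isolation group."""
    detail = event.get("detail", {})
    resource = detail.get("resource", {})
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if resource.get("resourceType") != "Instance" or not instance_id:
        return {"action": "ignored"}  # finding is not about an EC2 instance

    # Detach first so the group does not terminate or replace-loop on the host.
    found = autoscaling.describe_auto_scaling_instances(InstanceIds=[instance_id])
    group = None
    for inst in found.get("AutoScalingInstances", []):
        group = inst["AutoScalingGroupName"]
        autoscaling.detach_instances(
            InstanceIds=[instance_id],
            AutoScalingGroupName=group,
            # Keep desired capacity so the group launches a healthy replacement.
            ShouldDecrementDesiredCapacity=False,
        )

    # Replace every attached security group with the restrictive one and
    # tag the instance so responders can find it for forensic analysis.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": "ir-status", "Value": "isolated"},
              {"Key": "guardduty-finding", "Value": detail.get("id", "unknown")}],
    )
    return {"action": "isolated", "instance": instance_id, "detached_from": group}


def lambda_handler(event, context):
    import boto3  # provided by the Lambda Python runtime
    return isolate_instance(event, boto3.client("autoscaling"), boto3.client("ec2"))
```

The function's execution role needs only the four API actions it calls, which keeps the automated response itself least-privileged.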
