AWS Certified Security – Specialty (SCS-C02) — Question 280

A company uses a collaboration application. A security engineer needs to configure automated alerts from AWS Security Hub in the us-west-2 Region for the application. The security engineer wants to receive an alert in a channel in the application every time Security Hub receives a new finding.

The security engineer creates an AWS Lambda function to convert the message to the format that the application requires. The Lambda function also sends the message to the application’s API. The security engineer configures a corresponding Amazon EventBridge rule that specifies the Lambda function as the target.

After the EventBridge rule is implemented, the channel begins to constantly receive alerts from Security Hub. Many of the alerts are Amazon Inspector alerts that do not require any action. The security engineer wants to stop the Amazon Inspector alerts.

Which solution will meet this requirement with the LEAST operational effort?

Answer options

• A. Update the Lambda function code to find pattern matches of events from Amazon Inspector and to suppress the findings.
• B. Create a Security Hub custom action that automatically sends findings from all services except Amazon Inspector to the EventBridge event bus.
• C. Modify the value of the ProductArn attribute in the event pattern of the EventBridge rule to “anything-but”: [“arn:aws:securityhub:us-west-2::product/aws/inspector”].
• D. Create an Amazon Simple Notification Service (Amazon SNS) topic to send messages to the application. Set a filter policy on the topic subscriptions to reject any messages that contain the product/aws/inspector string.

Correct answer: C

Explanation

Modifying the EventBridge rule's event pattern to use the 'anything-but' filter on the ProductArn attribute is the most efficient solution because it filters out the unwanted Amazon Inspector findings before they ever trigger the Lambda function, requiring zero code changes. Option A increases operational overhead by requiring custom code maintenance within the Lambda function. Options B and D introduce unnecessary complexity by adding custom actions or supplementary SNS topics and subscription filters.