AWS Certified Security – Specialty (SCS-C02) — Question 37

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised. The instance was serving up malware. The analysis of the instance showed that the instance was compromised 35 days ago.
A security engineer must implement a continuous monitoring solution that automatically notifies the company's security team about compromised instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible.
Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

Answer options

Correct answer: B, C, E

Explanation

The correct steps include enabling Amazon GuardDuty to detect threats (B), creating an Amazon SNS topic to notify the security team via email (C), and setting up an EventBridge rule to publish high-severity GuardDuty findings to that topic (E). The other options, such as AWS Security Hub and Amazon SQS, are not part of the required solution for this specific scenario.
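The three steps from the explanation, written as one CloudFormation template; this is an added example, not part of the original question or of AWS's answer material. The resource names, the `SecurityEmail` parameter and the 15-minute publishing frequency are assumptions, and the `>= 7` threshold relies on GuardDuty's severity scale, where High starts at 7.0.

```yaml
# Added example: GuardDuty -> EventBridge -> SNS email for high-severity findings.
# Logical names and the SecurityEmail parameter are assumptions for illustration.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SecurityEmail:
    Type: String              # address of the security team's distribution list
Resources:
  Detector:                   # enable GuardDuty in this account and Region
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES   # cadence for updated findings
  AlertTopic:                 # SNS topic that fans out to email
    Type: AWS::SNS::Topic
  AlertSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref AlertTopic
      Protocol: email         # the recipient must confirm the subscription
      Endpoint: !Ref SecurityEmail
  AlertTopicPolicy:           # without this, EventBridge cannot publish to the topic
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref AlertTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref AlertTopic
  HighSeverityRule:           # match only GuardDuty findings with severity >= 7
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric: [">=", 7]
      Targets:
        - Arn: !Ref AlertTopic
          Id: security-team-email
```

GuardDuty is enabled per Region, so the stack has to be deployed in every Region that should be monitored, and creating the detector fails in a Region that already has one.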