AWS Certified Security – Specialty (SCS-C02) — Question 42
A company purchased a subscription to a third-party cloud security scanning solution that integrates with AWS Security Hub. A security engineer needs to implement a solution that will remediate the findings from the third-party scanning solution automatically.
Which solution will meet this requirement?
Answer options
- A. Set up an Amazon EventBridge rule that reacts to new Security Hub findings. Configure an AWS Lambda function as the target for the rule to remediate the findings.
- B. Set up a custom action in Security Hub. Configure the custom action to call AWS Systems Manager Automation runbooks to remediate the findings.
- C. Set up a custom action in Security Hub. Configure an AWS Lambda function as the target for the custom action to remediate the findings.
- D. Set up AWS Config rules to use AWS Systems Manager Automation runbooks to remediate the findings.
Correct answer: A
Explanation
The correct answer is A. Security Hub publishes every new or updated finding, including findings imported from integrated third-party products, to Amazon EventBridge as a "Security Hub Findings - Imported" event. An EventBridge rule that matches those events (for example, on the third-party product name and a workflow status of NEW) can invoke an AWS Lambda function as its target, so remediation runs automatically with no human in the loop. Options B and C are incorrect because a Security Hub custom action is triggered manually: an operator selects findings in the console and chooses the action, which then publishes a "Security Hub Findings - Custom Action" event. That is useful for operator-approved remediation, but it does not meet the requirement for automatic remediation, regardless of whether the target is a Lambda function or a Systems Manager Automation runbook. Option D is incorrect because AWS Config rules evaluate the configuration of AWS resources and remediate noncompliance with those rules; they do not consume or act on findings that a third-party scanner imports into Security Hub.
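As an added example (not part of the original question and not AWS sample code), the following shows the two halves of option A: the EventBridge event pattern a rule would use to match the third-party findings, and the Lambda handler it targets. The product name "ExampleScanner", the finding contents, and the S3 public-access remediation are assumptions chosen for illustration; the stub client lets the handler run offline, and in Lambda the real boto3 clients are created instead.

```python
"""Added example: EventBridge rule pattern plus the Lambda remediation target.
'ExampleScanner', the sample findings and the remediation chosen are assumptions."""
import json
from typing import Any, Dict, List

THIRD_PARTY_PRODUCT = "ExampleScanner"  # assumed ProductName of the scanner

# Event pattern for the EventBridge rule. Security Hub emits a
# "Security Hub Findings - Imported" event for new and updated findings; the
# pattern restricts the rule to active, not-yet-handled findings from the
# third-party product so the function is not invoked for every finding.
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "ProductName": [THIRD_PARTY_PRODUCT],
            "RecordState": ["ACTIVE"],
            "Workflow": {"Status": ["NEW"]},
        }
    },
}


class RecordingClient:
    """Offline stand-in for a boto3 client: records every call, returns {}."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


def select_findings(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Re-apply the rule's filter in code. EventBridge matches the rule if ANY
    element of detail.findings matches, so the handler must not assume that
    every element of the array qualifies."""
    return [
        f for f in event.get("detail", {}).get("findings", [])
        if f.get("ProductName") == THIRD_PARTY_PRODUCT
        and f.get("RecordState") == "ACTIVE"
        and f.get("Workflow", {}).get("Status") == "NEW"
    ]


def remediate(finding: Dict[str, Any], clients: Dict[str, Any]) -> bool:
    """Remediation keyed on the affected resource type. Only the S3 case is
    implemented (an assumed finding semantics: a publicly reachable bucket);
    anything else is left for a human, which keeps the automation narrow."""
    for resource in finding.get("Resources", []):
        if resource.get("Type") == "AwsS3Bucket":
            bucket = resource["Id"].rsplit(":", 1)[-1]  # arn:aws:s3:::name -> name
            clients["s3"].put_public_access_block(
                Bucket=bucket,
                PublicAccessBlockConfiguration={
                    "BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
                },
            )
            return True
    return False


def lambda_handler(event, context, clients=None) -> Dict[str, int]:
    if clients is None:  # real clients inside Lambda; injected stubs when testing
        import boto3
        clients = {"s3": boto3.client("s3"), "securityhub": boto3.client("securityhub")}
    remediated, skipped = [], []
    for finding in select_findings(event):
        (remediated if remediate(finding, clients) else skipped).append(finding)
    if remediated:
        # Close the loop: mark the findings RESOLVED so a re-import of the same
        # finding does not match Workflow.Status NEW and re-trigger the rule.
        clients["securityhub"].batch_update_findings(
            FindingIdentifiers=[{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in remediated],
            Workflow={"Status": "RESOLVED"},
            Note={"Text": "Auto-remediated by Lambda", "UpdatedBy": "auto-remediation"},
        )
    return {"remediated": len(remediated), "skipped": len(skipped)}


_PRODUCT_ARN = "arn:aws:securityhub:us-east-1:123456789012:product/example/scanner"
SAMPLE_EVENT = {  # constructed sample event, not a captured one
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "scanner/0001", "ProductArn": _PRODUCT_ARN, "ProductName": THIRD_PARTY_PRODUCT,
         "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-reports"}]},
        {"Id": "scanner/0002", "ProductArn": _PRODUCT_ARN, "ProductName": THIRD_PARTY_PRODUCT,
         "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},  # no handler: skipped
         "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"}]},
        {"Id": "scanner/0003", "ProductArn": _PRODUCT_ARN, "ProductName": THIRD_PARTY_PRODUCT,
         "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"},  # already handled: filtered out
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-logs"}]},
    ]},
}

if __name__ == "__main__":
    stubs = {"s3": RecordingClient(), "securityhub": RecordingClient()}
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None, stubs)))
```

The function needs an execution role limited to the remediation it performs (here `s3:PutBucketPublicAccessBlock` on the buckets in scope and `securityhub:BatchUpdateFindings`), and the rule should be scoped by product name and workflow status as shown so an unrelated finding cannot drive the remediation path.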