AWS Certified Security – Specialty (SCS-C03) — Question 46
A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company's AWS account.
A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the isolate security group.
Which additional step will meet this requirement?
Answer options
- A. Configure GuardDuty to directly invoke the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.
- B. Configure an AWS Config rule that invokes the Lambda function if a CryptoCurrency:EC2/* configuration change event occurs for an EC2 instance.
- C. Configure an Amazon EventBridge rule that invokes the Lambda function if GuardDuty generates a CryptoCurrency:EC2/* finding event.
- D. Configure an Amazon EventBridge rule that invokes the Lambda function if AWS Config detects a CryptoCurrency:EC2/* configuration change event for an EC2 instance.
Correct answer: C
Explanation
The correct answer is C because GuardDuty publishes its findings as events to Amazon EventBridge, so an EventBridge rule matching CryptoCurrency:EC2/* findings can invoke the Lambda function, which then isolates the affected instance by moving it from the ProdFleet security group to the isolate security group. Option A is incorrect because GuardDuty has no built-in mechanism to invoke a Lambda function directly; it relies on an intermediary such as EventBridge. Option B is wrong because AWS Config rules evaluate resource configuration changes for compliance and do not react to GuardDuty findings; a cryptocurrency finding is not a configuration change event. Option D is also incorrect because it relies on AWS Config rather than GuardDuty to initiate the action, and AWS Config does not emit CryptoCurrency:EC2/* events.