AWS Certified Security – Specialty — Question 359

A company has a single AWS account and uses an Amazon EC2 instance to test application code. The company recently discovered that the instance was compromised and was serving malware. Analysis of the instance showed that it had been compromised 35 days ago.

A security engineer must implement a continuous monitoring solution that automatically notifies the company’s security team about compromised instances through an email distribution list for high severity findings. The security engineer must implement the solution as soon as possible.

Which combination of steps should the security engineer take to meet these requirements? (Choose three.)

Answer options

Correct answer: B, C, E

Explanation

Amazon GuardDuty is the primary service for detecting compromised EC2 instances and malware activity by analyzing VPC Flow Logs and DNS logs, so enabling it is essential; once enabled it monitors continuously, which closes the kind of 35-day detection gap described in the scenario. Amazon SNS is required because it natively delivers email notifications to a subscribed distribution list, whereas Amazon SQS is a message queue and cannot send email directly. Finally, an Amazon EventBridge rule that matches only high-severity GuardDuty findings and targets the SNS topic provides the automated, low-latency alerting pipeline the requirements call for.
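The EventBridge step is where the "high severity only" requirement is actually enforced, and it is worth testing the rule's event pattern before deploying it. The block below is an added example written for this page, not AWS code or part of the exam material: it holds the EventBridge event pattern in the real EventBridge syntax (exact-value lists and the `numeric` comparison operator), re-implements just that subset of the matching rules so the pattern can be evaluated offline, and runs it over a few constructed GuardDuty finding events. GuardDuty rates findings on a 0.1 to 8.9 scale with 7.0 and above classed as High, so the threshold is `>= 7`. The finding IDs, instance ID and the `alert_message` helper are constructed for illustration.

```python
"""Offline check of an EventBridge rule that routes high-severity GuardDuty
findings to an SNS email topic (added example, not AWS or project code)."""

# Real EventBridge pattern syntax. GuardDuty publishes findings with
# source "aws.guardduty", detail-type "GuardDuty Finding", and a numeric
# detail.severity; High severity is 7.0 to 8.9.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_matches(value, spec):
    """spec is an operator/bound list such as [">=", 7] or [">", 0, "<=", 5];
    all pairs must hold. Non-numbers (and bools) never match."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound)
               for op, bound in zip(spec[::2], spec[1::2]))


def _value_matches(value, alternatives):
    """A pattern list is OR-ed: plain items are exact matches,
    {"numeric": [...]} items are range comparisons."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_matches(value, alt["numeric"]):
                return True
        elif alt == value:
            return True
    return False


def event_matches(event, pattern):
    """Every key in the pattern must be present in the event and match;
    nested dicts are matched recursively."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not event_matches(event[key], sub):
                return False
        elif not _value_matches(event[key], sub):
            return False
    return True


def route_findings(events, pattern=HIGH_SEVERITY_PATTERN):
    """Return the IDs of the findings the rule would forward to the SNS topic."""
    return [e["detail"]["id"] for e in events if event_matches(e, pattern)]


def alert_message(event):
    """Build the (subject, body) pair for the SNS email target. SNS email
    subjects must be under 100 characters, so the subject is truncated."""
    d = event["detail"]
    subject = f"[GuardDuty HIGH {d['severity']}] {d['type']}"[:99]
    body = (f"Finding {d['id']} in account {event['account']} ({event['region']}): "
            f"{d['title']}")
    return subject, body


def _finding(finding_id, severity, finding_type, source="aws.guardduty"):
    # Constructed sample event in the shape GuardDuty sends to EventBridge.
    return {
        "source": source,
        "detail-type": "GuardDuty Finding",
        "account": "111111111111",            # placeholder account id
        "region": "us-east-1",
        "detail": {
            "id": finding_id,
            "severity": severity,
            "type": finding_type,
            "title": f"Sample finding on i-0000example ({finding_type})",
        },
    }


# Constructed test data: one High, one Medium, one Low, one non-GuardDuty event.
SAMPLE_EVENTS = [
    _finding("gd-high", 8, "Backdoor:EC2/C&CActivity.B"),
    _finding("gd-medium", 5, "Recon:EC2/PortProbeUnprotectedPort"),
    _finding("gd-low", 2, "UnauthorizedAccess:EC2/TorClient"),
    _finding("not-gd", 9, "Some:Other/Event", source="aws.inspector2"),
]

if __name__ == "__main__":
    for finding_id in route_findings(SAMPLE_EVENTS):
        evt = next(e for e in SAMPLE_EVENTS if e["detail"]["id"] == finding_id)
        subject, body = alert_message(evt)
        print(subject, "|", body)
```

Only the High finding is routed; the Medium and Low findings and the non-GuardDuty event with a high numeric severity are all dropped, which is the behaviour the rule should show before it is pointed at the production SNS topic. The same pattern dictionary can be passed verbatim as the rule's `EventPattern` when the rule is created.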