AWS Certified Security – Specialty — Question 377
A company has a multi-account AWS environment with AWS Organizations enabled. The company has hundreds of workloads that are deployed across multiple AWS services. The company has enabled AWS Security Hub for all accounts within the organization and has designated a delegated administrator.
The company wants to implement a centralized solution to provide near-real-time response and automatic remediation for custom security detections throughout the organization.
Which solution will meet these requirements?
Answer options
- A. Create Security Hub custom actions in the organization's delegated administrator account. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to evaluate the configuration of the resource and send noncompliant resources to Security Hub. Send the findings to an EventBridge (CloudWatch Events) event to invoke a Lambda function to remediate the custom security detection. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
- B. Create Security Hub insights for findings in the organization's delegated administrator account. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to parse the resources within the insight and send noncompliant resources to Security Hub. Send the output to invoke subsequent Lambda functions to remediate the noncompliant resources. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
- C. Create Security Hub insights for findings in the organization's delegated administrator account and member accounts. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function to parse the resources within the insight and send noncompliant resources to Security Hub. Send the output to invoke subsequent Lambda functions to remediate the noncompliant resources. Send the Lambda function results to an Amazon Simple Notification Service (Amazon SNS) topic. Update the Security Hub finding.
- D. Designate an AWS Config delegated administrator account for the organization. Create an AWS Config aggregator in this delegated administrator account and in all member accounts. Enable Security Hub integration with AWS Config. Create an AWS Config custom rule to check for noncompliant resources. Create an associated AWS Lambda function to take action on the noncompliant resources. Send the Lambda function results to a log group in Amazon CloudWatch Logs.
Correct answer: A
Explanation
Security Hub custom actions allow the creation of custom response and remediation workflows by sending selected findings to Amazon EventBridge, which then triggers a target AWS Lambda function for near-real-time remediation. Options B and C are incorrect because Security Hub insights are dashboard views for grouping findings and do not natively trigger event-driven automated remediations like custom actions do. Option D is incorrect because configuring AWS Config aggregators in all member accounts is redundant, and logging to CloudWatch Logs does not satisfy the requirement to centrally update and manage the Security Hub findings.
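To make the workflow in option A concrete, here is an added example (not from the question or from AWS documentation) of the pieces a custom-action remediation pipeline is built from: the EventBridge rule pattern that matches a Security Hub custom-action event, a Lambda handler that pulls the selected findings out of the event, a placeholder remediation step, and the BatchUpdateFindings request that closes the loop by updating the finding. The custom action ARN, account id, finding id and bucket name are constructed placeholders, and the remediation body is a stub that only reports which resource ids it would act on; the Security Hub client is injected so the code runs offline.

```python
"""Added example of a Security Hub custom action -> EventBridge -> Lambda flow.
All ARNs, ids and resource names below are constructed placeholders."""
import json

# Constructed ARN of the custom action created in the delegated administrator account.
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/RemediateS3"

# EventBridge rule event pattern: a Security Hub custom action emits
# detail-type "Security Hub Findings - Custom Action" with the action ARN in "resources".
EVENT_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}


def matches_rule(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge-style matcher: each pattern key must be present in the
    event with one of the allowed values (for list-valued fields, any element)."""
    for key, allowed in pattern.items():
        value = event.get(key)
        if isinstance(value, list):
            if not any(v in allowed for v in value):
                return False
        elif value not in allowed:
            return False
    return True


def extract_findings(event):
    """Custom-action events carry the findings selected in the console under detail.findings."""
    return event.get("detail", {}).get("findings", [])


def remediate(finding):
    """Placeholder remediation: returns the resource ids a real function would act on
    (e.g. by calling the owning service's API); no AWS call is made here."""
    return [resource["Id"] for resource in finding.get("Resources", [])]


def build_update_request(findings, note_text):
    """Build the BatchUpdateFindings request that marks the findings resolved and
    records what was done: the 'Update the Security Hub finding' step of option A."""
    return {
        "FindingIdentifiers": [
            {"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings
        ],
        "Workflow": {"Status": "RESOLVED"},
        "Note": {"Text": note_text, "UpdatedBy": "remediation-lambda"},
    }


def lambda_handler(event, context, securityhub_client=None):
    """Lambda entry point. securityhub_client is an optional injected client with a
    batch_update_findings(**kwargs) method (a boto3 securityhub client in production)."""
    if not matches_rule(event):
        return {"matched": False, "remediated": [], "update": None}
    findings = extract_findings(event)
    remediated = []
    for finding in findings:
        remediated.extend(remediate(finding))
    update = build_update_request(
        findings, f"Auto-remediated {len(remediated)} resource(s) via custom action"
    )
    if securityhub_client is not None:
        securityhub_client.batch_update_findings(**update)
    return {"matched": True, "remediated": remediated, "update": update}


# Constructed sample event in the shape EventBridge delivers for a custom action.
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-event-id",
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "account": "111122223333",
    "region": "us-east-1",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {
        "actionName": "RemediateS3",
        "actionDescription": "Constructed custom action",
        "findings": [
            {
                "Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/constructed/finding/0001",
                "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub",
                "Title": "S3 bucket allows public read (constructed)",
                "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-public-bucket"}],
                "Workflow": {"Status": "NEW"},
            }
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

The rule pattern is what distinguishes this design from options B and C: the event is produced by the user's custom action, so the rule fires on exactly those findings, whereas an insight is only a saved query with no event of its own. Injecting the client keeps the handler unit-testable; in the deployed function it would be `boto3.client("securityhub")` with an execution role allowed to call `securityhub:BatchUpdateFindings`.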