AWS Certified Solutions Architect – Professional — Question 755
A company uses Amazon EC2 instances to run business-critical applications. Software that is running on the EC2 instances recently caused Amazon GuardDuty to generate the PenTest:S3/KaliLinux finding for some of the company's environments. The company wants to prevent this software from running again. The company is using AWS Organizations to manage its AWS accounts.
What should a solutions architect do to meet these requirements?
Answer options
- A. Configure Amazon Inspector to check the EC2 instances for the forbidden software and to send an Amazon Simple Notification Service (Amazon SNS) notification when the software is identified. Create an AWS Lambda function that stops the EC2 instances and notifies the company. Subscribe the Lambda function to the SNS topic.
- B. Create a centralized Amazon EventBridge (Amazon CloudWatch Events) bus to receive GuardDuty events from all accounts. Configure an EventBridge (CloudWatch Events) rule to invoke an AWS Lambda function when the GuardDuty event is generated. Configure the Lambda function to stop the EC2 instances and notify the company.
- C. Configure an SCP to prevent the software from being installed. Apply the SCP to the root OU for the organization.
- D. Create a library of approved EC2 AMIs. Create a catalog in AWS Service Catalog to deploy the AMIs for the organization. Update IAM policies to allow EC2 instances to be created only with Service Catalog AMIs.
Correct answer: B
Explanation
Option B is correct because aggregating Amazon GuardDuty findings from every member account onto a centralized Amazon EventBridge event bus allows real-time automated remediation: an EventBridge rule matching the finding invokes an AWS Lambda function, which can immediately stop the affected EC2 instances and notify the company. Option C is incorrect because Service Control Policies (SCPs) restrict which AWS API actions principals in an account may perform; they have no visibility into, or control over, software installed at the operating-system level. Options A and D are incorrect because neither provides a mechanism to detect the specific unauthorized software once it begins running on an existing instance and to stop that instance dynamically.
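The following is an added example, not part of the original question or of any AWS sample code, showing what the option B pipeline looks like in practice: the EventBridge rule pattern that matches the GuardDuty finding type named in the question, and a Lambda handler that extracts the affected instance from the finding, stops it, and notifies the company through an SNS topic. The event shape (`source` of `aws.guardduty`, `detail-type` of `GuardDuty Finding`, and the finding under `detail` with `resource.instanceDetails.instanceId`) is how GuardDuty publishes findings to EventBridge; the sample event, account and instance ids, the topic ARN and the `TOPIC_ARN` environment variable are constructed placeholders. The AWS clients are injected so the remediation logic can be exercised offline with a recording stand-in.

```python
"""Automated remediation for a GuardDuty finding delivered via EventBridge.
Added example (not from the original page or AWS). Assumes a centralized
EventBridge bus receiving GuardDuty findings from all accounts, a rule with
GUARDDUTY_RULE_PATTERN invoking this Lambda, and an SNS topic for notices."""
import json
import os

# Event pattern for the EventBridge rule: GuardDuty emits findings with source
# "aws.guardduty" and detail-type "GuardDuty Finding"; "detail.type" is the
# finding type from the question.
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": ["PenTest:S3/KaliLinux"]},
}

# Constructed sample event in the shape GuardDuty uses on EventBridge.
# Account, region and instance ids are placeholders.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "type": "PenTest:S3/KaliLinux",
        "severity": 5,
        "accountId": "111111111111",
        "region": "us-east-1",
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}


def matches_rule(event, pattern=GUARDDUTY_RULE_PATTERN):
    """Offline check that an event satisfies the three fields the rule
    pattern constrains (EventBridge does this matching in production)."""
    return (
        event.get("source") in pattern["source"]
        and event.get("detail-type") in pattern["detail-type"]
        and event.get("detail", {}).get("type") in pattern["detail"]["type"]
    )


def instance_id_from_finding(event):
    """Return the EC2 instance id named in the finding, or None when the
    finding is about some other resource type (e.g. an access key)."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def remediate(event, ec2_client, sns_client, topic_arn):
    """Stop the instance named in the finding and publish a notification.
    Returns a dict describing the action taken so callers can inspect it."""
    if not matches_rule(event):
        return {"action": "ignored", "reason": "event does not match rule"}
    instance_id = instance_id_from_finding(event)
    if instance_id is None:
        return {"action": "ignored", "reason": "no EC2 instance in finding"}
    detail = event["detail"]
    # ec2:StopInstances is required on the instance's account; see usage note.
    ec2_client.stop_instances(InstanceIds=[instance_id])
    message = {
        "finding_type": detail["type"],
        "account": detail.get("accountId"),
        "region": detail.get("region"),
        "instance_id": instance_id,
        "action": "stopped",
    }
    sns_client.publish(
        TopicArn=topic_arn,
        Subject="GuardDuty remediation: instance stopped",
        Message=json.dumps(message),
    )
    return message


def lambda_handler(event, context=None):
    """Real Lambda entry point using boto3 (present in the Lambda runtime;
    imported here so the module still loads offline). TOPIC_ARN is assumed
    to be set in the function's environment."""
    import boto3
    return remediate(event, boto3.client("ec2"), boto3.client("sns"),
                     os.environ["TOPIC_ARN"])


class _Recorder:
    """Minimal stand-in for a boto3 client that records the calls it receives."""
    def __init__(self):
        self.calls = []

    def stop_instances(self, **kwargs):
        self.calls.append(("stop_instances", kwargs))
        return {"StoppingInstances": [{"InstanceId": i} for i in kwargs["InstanceIds"]]}

    def publish(self, **kwargs):
        self.calls.append(("publish", kwargs))
        return {"MessageId": "constructed-message-id"}


if __name__ == "__main__":
    ec2, sns = _Recorder(), _Recorder()
    topic = "arn:aws:sns:us-east-1:111111111111:placeholder-topic"
    print(remediate(SAMPLE_EVENT, ec2, sns, topic))
    print(ec2.calls, sns.calls)
```

Because the bus is centralized, the finding's instance usually lives in a member account, not the account running the Lambda function; in that deployment the function must assume a role in the member account (the `accountId` field of the finding identifies it) before calling `stop_instances`, and that role needs only `ec2:StopInstances` on the affected instances. Keeping the matching and extraction logic separate from the AWS clients is what makes the handler testable without touching any real instances.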