
SCS-C02 Exam - Question 14


A company uses AWS Organizations and has production workloads across multiple AWS accounts. A security engineer needs to design a solution that will proactively monitor for suspicious behavior across all the accounts that contain production workloads.

The solution must automate remediation of incidents across the production accounts. The solution also must publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a critical security finding is detected. In addition, the solution must send all security incident logs to a dedicated account.

Which solution will meet these requirements?

Correct Answer: C

To meet the requirements, the solution needs to detect suspicious behavior, automate remediation, notify via SNS, and centralize logs in a dedicated account. Amazon GuardDuty is suitable for detecting malicious activities, and to automate remediation and notifications, Amazon EventBridge can trigger a custom AWS Lambda function. Lambda enables flexibility in defining automated remediation steps and publishing notifications to SNS. Therefore, activating GuardDuty, centralizing its logs, and using EventBridge and Lambda to handle remediation and notifications fulfills all specified criteria.
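The GuardDuty -> EventBridge -> Lambda -> SNS path from the explanation, as an added example that is not part of the page: an EventBridge rule pattern that matches only findings at or above a severity cutoff, and a Lambda handler that summarizes the finding and publishes to SNS. The severity cutoff, the topic ARN and the sample event are assumptions constructed for the example.

```python
import json

# Assumed severity cutoff for "critical" notifications (GuardDuty High/Critical).
CRITICAL_SEVERITY = 7.0
# Placeholder topic ARN (assumption; replace with the real SNS topic).
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-critical-findings"

# EventBridge rule pattern for the account that aggregates GuardDuty findings:
# match only findings at or above the cutoff, using EventBridge numeric matching.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", CRITICAL_SEVERITY]}]},
}

def summarize_finding(event):
    """Pull the fields a responder needs out of an EventBridge GuardDuty event."""
    d = event["detail"]
    severity = float(d["severity"])
    return {
        "account": d["accountId"],
        "region": d["region"],
        "type": d["type"],
        "severity": severity,
        "resource": d.get("resource", {}).get("resourceType", "unknown"),
        "critical": severity >= CRITICAL_SEVERITY,
    }

def handler(event, context=None, sns_client=None):
    """Lambda entry point: publish to SNS only for critical findings and return
    the summary. The SNS client is injected (boto3.client("sns") in production)
    so the decision logic can be exercised without AWS credentials."""
    summary = summarize_finding(event)
    if summary["critical"] and sns_client is not None:
        sns_client.publish(
            TopicArn=SNS_TOPIC_ARN,
            Subject=f"GuardDuty {summary['type']} in {summary['account']}"[:100],
            Message=json.dumps(summary, indent=2),
        )
    return summary

# Constructed sample event in the shape EventBridge delivers GuardDuty findings.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"accountId": "111122223333", "region": "us-east-1", "severity": 8,
               "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
               "resource": {"resourceType": "AccessKey"}},
}
```

The rule pattern is what you would attach to the EventBridge rule in the account that receives the aggregated findings; the handler is the Lambda target that rule invokes.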

Discussion

12 comments
Daniel76 (Option: C)
Nov 18, 2023

Security Hub by itself does not detect suspicious activity, but GuardDuty does. An EventBridge rule is required to trigger remediation actions and the SNS topic.

100fold (Option: C)
Oct 19, 2023

Answer C https://www.youtube.com/watch?v=RGNMkhaT_GY

bhui
Oct 27, 2023

I would say it is C, as GuardDuty must be turned on even for the Security Hub options. Also, you can aggregate GuardDuty findings and trigger events. https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/ https://repost.aws/knowledge-center/guardduty-eventbridge-sns-rule

[Removed] (Option: C)
Oct 31, 2023

Security Hub checks posture. GuardDuty monitors for malicious activity.

Sumi81
Oct 23, 2023

Answer is C

KR693
Oct 24, 2023

Option C

pupsik (Option: C)
Oct 26, 2023

Agree, it is C

lalee2 (Option: C)
Oct 29, 2023

Option C responds to all requirements: automate remediation, notification via SNS, send logs to a dedicated account.

[Removed]
Oct 31, 2023

It's C. Security Hub checks posture. GuardDuty monitors for malicious activity.

Raphaello
Dec 13, 2023

Best answer is C. One would not need Security Hub to launch a response to a GuardDuty finding. Security Hub is a security posture management tool, but without it GuardDuty can still respond to findings. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

hro
Mar 21, 2024

B. C never addresses remediation, and why would you configure the Lambda function to also publish notifications to the SNS topic when Security Hub works with AWS Config and AWS Systems Manager and pushes notifications? The answer is B.

Josh1217
Mar 24, 2024

GuardDuty can't directly invoke Lambda. Option C addresses remediation. Read the option properly.

Almo89 (Option: D)
Jul 4, 2024

Difficult one, D could also be correct. Security Hub can trigger remediation and SNS from different sources (CloudWatch, GuardDuty). Security Hub depends on GuardDuty, but GuardDuty depends on CloudWatch as well. Security Hub has predefined remediation based on best practice. C and D are correct; the question doesn't specify/differentiate.