AWS SAP-C02 · Question 39 · Domain 3.2: Security Improvement
A security team wants to automate the response to compromised Amazon EC2 instances. If Amazon GuardDuty detects that an EC2 instance is communicating with a known command-and-control (C&C) server, the instance must be immediately isolated from the network, and a forensic snapshot of its EBS volume must be taken. What is the MOST automated way to achieve this?
Answer options:
Use AWS Config rules to detect the GuardDuty finding and trigger an AWS Systems Manager Automation document.
Create an Amazon EventBridge rule triggered by GuardDuty findings. Route the event to an AWS Step Functions state machine that isolates the instance via Security Groups and triggers an EBS snapshot.
Configure Amazon Macie to monitor network traffic and trigger a Lambda function to isolate the instance.
Write a cron job on a management instance to poll the GuardDuty API every 5 minutes and execute a bash script.
Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 7