Amazon SCS-C03 Exam - Topic 4 Question 8 Discussion

Actual exam question for Amazon's SCS-C03 exam
Question #: 8
Topic #: 4

A company runs an application on a fleet of Amazon EC2 instances. The company can remove instances from the fleet without risk to the application. All EC2 instances use the same security group named ProdFleet. Amazon GuardDuty and AWS Config are active in the company's AWS account.

A security engineer needs to provide a solution that will prevent an EC2 instance from sending outbound traffic if GuardDuty generates a cryptocurrency finding event. The security engineer creates a new security group named Isolate that contains no outbound rules. The security engineer configures an AWS Lambda function to remove an EC2 instance from the ProdFleet security group and add it to the Isolate security group.

Which additional step will meet this requirement?

Suggested Answer: C

Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining (for example, by querying or contacting known mining pools). As the GuardDuty documentation describes, findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke the Lambda function, which isolates the affected EC2 instance by modifying its security group attachments. Note the timing: GuardDuty sends newly generated findings to EventBridge within about five minutes, while updates to an existing finding are exported at the configured frequency (15 minutes, 1 hour, or the default of 6 hours), so the rule should be written to fire on the initial finding rather than on later updates.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions; it only emits findings as events. Options B and D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. A cryptocurrency finding is a security detection, not a configuration change, so no Config rule would observe it.

AWS documentation explicitly describes this pattern (GuardDuty finding, EventBridge rule, Lambda remediation action) as a best practice for automated threat response and containment.

AWS Certified Security -- Specialty Official Study Guide

Amazon GuardDuty User Guide -- Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices
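The flow the suggested answer describes, as an added example that is not code from the page or from AWS: an EventBridge event pattern that matches CryptoCurrency:EC2/* findings, and the Lambda handler it targets, which replaces the security groups on the affected instance with the Isolate group. The security group ID, the ISOLATE_SG_ID environment variable, the FakeEC2 test double and the sample finding are all assumptions or constructed data; the finding follows the shape GuardDuty delivers to EventBridge (`source`, `detail-type`, and `detail.type` / `detail.resource.instanceDetails.instanceId`).

```python
import os

# EventBridge rule pattern (assumed): any GuardDuty finding whose type starts
# with "CryptoCurrency:EC2/", expressed with EventBridge prefix matching.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "CryptoCurrency:EC2/"}]},
}

# Assumed: the Isolate group's ID reaches the Lambda as an environment variable.
ISOLATE_SG_ID = os.environ.get("ISOLATE_SG_ID", "sg-0isolate0000000000")


def _value_matches(actual, allowed):
    """Subset of EventBridge semantics: a field matches if any allowed entry matches."""
    for entry in allowed:
        if isinstance(entry, dict) and "prefix" in entry:
            if isinstance(actual, str) and actual.startswith(entry["prefix"]):
                return True
        elif actual == entry:
            return True
    return False


def matches_pattern(event, pattern=EVENT_PATTERN):
    """Check an event against a pattern: nested dicts recurse, lists are allowed values."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], allowed):
                return False
        elif not _value_matches(event[key], allowed):
            return False
    return True


def extract_instance_id(event):
    """Instance ID from detail.resource, or None if the finding is not about an instance."""
    resource = event.get("detail", {}).get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def isolate_instance(ec2, instance_id, isolate_sg=ISOLATE_SG_ID):
    """Replace the security groups of every ENI on the instance with the Isolate group.
    The group list is replaced wholesale, so ProdFleet is removed in the same call that
    adds Isolate and the ENI never has zero groups (which EC2 rejects)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    enis = [ni["NetworkInterfaceId"]
            for r in resp["Reservations"]
            for inst in r["Instances"]
            for ni in inst["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[isolate_sg])
    return enis


def handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injectable so the flow can be exercised offline."""
    if not matches_pattern(event):
        return {"isolated": False, "reason": "not a CryptoCurrency:EC2 finding"}
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"isolated": False, "reason": "finding carries no EC2 instance"}
    if ec2 is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ec2 = boto3.client("ec2")
    return {"isolated": True, "instanceId": instance_id,
            "interfaces": isolate_instance(ec2, instance_id)}


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client; records the calls it receives."""
    def __init__(self, instance_id, enis):
        self.instance_id, self.enis, self.calls = instance_id, enis, []

    def describe_instances(self, InstanceIds):
        assert InstanceIds == [self.instance_id]
        return {"Reservations": [{"Instances": [{
            "InstanceId": self.instance_id,
            "NetworkInterfaces": [{"NetworkInterfaceId": e} for e in self.enis]}]}]}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Groups):
        self.calls.append((NetworkInterfaceId, list(Groups)))


# Constructed sample event in the shape GuardDuty delivers to EventBridge.
SAMPLE_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding", "region": "us-east-1",
    "detail": {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def demo():
    """Run the handler against the fake client; returns (handler result, recorded API calls)."""
    ec2 = FakeEC2("i-0123456789abcdef0", ["eni-0aaa", "eni-0bbb"])
    return handler(SAMPLE_FINDING, ec2=ec2), ec2.calls
```

In the real deployment, EVENT_PATTERN is the event pattern of the EventBridge rule and the Lambda function is its target; the function's execution role needs `ec2:DescribeInstances` and `ec2:ModifyNetworkInterfaceAttribute`. The example changes groups per network interface rather than with `ModifyInstanceAttribute`, which applies to the primary interface, so an instance with secondary ENIs still has every interface moved to Isolate. The question's Isolate group has no outbound rules; for a full quarantine a practitioner would normally give it no inbound rules either.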


Contribute your Thoughts:
Karl
3 days ago
I remember we talked about how GuardDuty can trigger actions, but I'm not sure if it can directly invoke Lambda functions.
upvoted 0 times