Practice Exams | AWS Certified Security – Specialty

Prepare for your SCS-C02 exam. 130 high-quality practice test questions written from scratch with detailed explanations!
Rating: 4.30 (710 reviews)
Platform: Udemy
Language: English
Category: IT Certification
Students: 13 272
Content: 130 questions
Last update: Jun 2024
Regular price: $64.99

Why take this course?

This section summarizes the correct approach to handling a security concern identified by GuardDuty and processed through AWS Security Hub, with further actions triggered by Amazon EventBridge.

Use Case Summary: You have detected an unauthorized access attempt to an EC2 instance via RDP using GuardDuty. This finding has been ingested by AWS Security Hub and is then forwarded to Amazon EventBridge, which triggers a Lambda function to take immediate action.

Options Explained:

  1. Incorrect Option: Ingesting GuardDuty findings and triggering a Lambda function to update a Web Application Firewall (WAF) web ACL. This is incorrect because WAF protects applications against web exploits but cannot be used to control traffic originating from an EC2 instance, which is the focus of the RDP brute force attack.

  2. Incorrect Option: Ingesting GuardDuty findings and triggering a Lambda function to update Network ACL rules. This is incorrect because Network ACLs apply to entire subnets, not individual instances, and thus could block more traffic than intended.

  3. Correct Approach: Ingesting GuardDuty findings through AWS Security Hub and sending the events to Kinesis Data Streams via Amazon EventBridge. Then, use a Lambda function to update the security group associated with the suspicious EC2 instance. The Lambda function should modify the security group to block all inbound and outbound traffic while an investigation is ongoing or until the issue is resolved.

Correct Approach Detail: The correct approach involves the following steps:

  • Security Hub detects a finding from GuardDuty indicating a potential RDP brute force attack on an EC2 instance.
  • This finding is sent to Amazon EventBridge as an event.
  • A Lambda function is triggered by the EventBridge event, which identifies the specific security group associated with the suspicious EC2 instance.
  • The Lambda function then updates the security group rules to have no inbound and outbound rules, effectively isolating the instance to prevent further unauthorized access while the situation is assessed or mitigated.
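
The steps above as a Lambda handler sketch. This is an added example, not code from the course. It assumes the Security Hub finding reaches the function in the EventBridge `detail.findings` list, that the finding's `Types` entry contains `RDPBruteForce`, and it adds a hypothetical `ec2` parameter so a client can be injected; the sample event is constructed.

```python
import re

# Assumption: the ASFF "Types" entry of the GuardDuty finding contains this marker.
FINDING_MARKER = "RDPBruteForce"
INSTANCE_ARN = re.compile(r"^arn:aws[\w-]*:ec2:[^:]*:\d*:instance/(i-[0-9a-f]+)$")

# Constructed sample: trimmed EventBridge event carrying one Security Hub finding.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce"],
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}],
    }]},
}

def instances_from_event(event):
    """Return EC2 instance IDs named in matching Security Hub findings."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        if not any(FINDING_MARKER in t for t in finding.get("Types", [])):
            continue
        for res in finding.get("Resources", []):
            m = INSTANCE_ARN.match(res.get("Id", ""))
            if res.get("Type") == "AwsEc2Instance" and m and m.group(1) not in ids:
                ids.append(m.group(1))
    return ids

def isolate(ec2, instance_id):
    """Revoke every inbound and outbound rule on the instance's security groups."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    group_ids = sorted({g["GroupId"] for r in resp["Reservations"]
                        for i in r["Instances"] for g in i["SecurityGroups"]})
    if not group_ids:  # never call describe_security_groups without an explicit filter
        return []
    for sg in ec2.describe_security_groups(GroupIds=group_ids)["SecurityGroups"]:
        # Caveat: a group shared with other instances loses its rules for them too.
        if sg.get("IpPermissions"):
            ec2.revoke_security_group_ingress(GroupId=sg["GroupId"], IpPermissions=sg["IpPermissions"])
        if sg.get("IpPermissionsEgress"):
            ec2.revoke_security_group_egress(GroupId=sg["GroupId"], IpPermissions=sg["IpPermissionsEgress"])
    return group_ids

def lambda_handler(event, context, ec2=None):
    if ec2 is None:
        import boto3  # deferred so the parsing logic can be exercised without AWS
        ec2 = boto3.client("ec2")
    return {iid: isolate(ec2, iid) for iid in instances_from_event(event)}
```

The function's execution role needs `ec2:DescribeInstances`, `ec2:DescribeSecurityGroups`, `ec2:RevokeSecurityGroupIngress` and `ec2:RevokeSecurityGroupEgress`.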

Instructor Information: Stéphane Maarek is the instructor for this course, with extensive experience in teaching AWS certifications. Abhishek Singh assists as a co-instructor. The course offers practice exams with a large question bank, instructor support, detailed explanations for each question, mobile compatibility via the Udemy app, and a 30-day money-back guarantee if not satisfied.

Conclusion: The correct method to respond to an unauthorized access attempt detected by GuardDuty is to use AWS Security Hub and Amazon EventBridge in conjunction with a Lambda function to update the security group associated with the affected EC2 instance. This approach provides immediate and targeted action to secure your environment against potential threats.


Udemy ID: 5143410
Course created date: 07/02/2023
Course indexed date: 06/04/2023
Course submitted by: Bot