Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 62 discussion

Answer A https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-remediation-for-aws-security-hub-standard-findings.html

Another tricking question. EventBridge integrates with SecurityHub in 3 different ways.. 1. All findings (SH Imported) 2. Findings for custom actions (SH Custom Actions) 3. Insights for custom actions (SH Insights) (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-integration-types.html) You do not always need custom actions for EB integration, and to automatically remediate findings as in this scenario, 1st type of integration is required. Answer is A.

Option B involves setting up a custom action in Security Hub and configuring the custom action to call AWS Systems Manager Automation runbooks to remediate the findings. While this approach can be effective, it requires manual intervention to trigger the custom action. This means that someone would need to manually select the custom action for each finding, which does not fully automate the remediation process. On the other hand, option A leverages Amazon EventBridge to automatically react to new Security Hub findings and triggers an AWS Lambda function to remediate the findings. This approach ensures that the remediation process is fully automated and immediate, without requiring any manual intervention. It provides a more seamless and efficient solution for automatically addressing security findings.

The requirement is automate response. EventBridge rules automatically actions when triggered, while Security Hub actions are manually triggered.

While Option A can work, it lacks the direct integration with custom actions in Security Hub that Option B provides. Custom actions allow you to define specific remediation steps based on findings, which is more efficient and streamlined. Therefore, I recommend considering Option B for automated remediation. https://amer.resources.awscloud.com/security-assets/aws-security-hub-automated-response-and-remediation-implementation-guide

B is correct

Answer B Custom action is a native feature for Security Hub when using a 3rd-party library. Then you need to use Systems Manager Automation runbooks. Answer A (EventBridge+Lambda) can be used for standard findings.

Verty tricky one. A,B and C can all be implemented. and we havent asked for easy,quickly or something like that a solution. so reason for not picking others A:- could also be used but would require additional steps to configure rules to route findings from this specific third-party source to the appropriate target. Custom actions provide a native option within Security Hub. C:- identical to B. same reasoning that Custom actions provide a native option within Security Hub. to be honest i could go for any out of these three. even though i chose B. Arghhhh

To remediate the findings automatically, option A describes about the best practices..