Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 14 discussion

Proactively monitor for suspicious behavior ✅ (This is GuardDuty’s job — not Security Hub’s) Option D is incorrect.

Option: D uses Security Hub (broad security visibility) + EventBridge (event-driven automation) + Lambda + SNS (custom remediation + notification) and aggregates findings in a central account, matching all requirements efficiently. Why Not the Other Options? A – GuardDuty can't invoke a Lambda directly; it needs EventBridge. B – While Security Hub supports findings and aggregation, AWS Config + SSM is more about configuration compliance than real-time incident remediation. C – Similar to D but uses GuardDuty only, which covers only specific threat detection. Security Hub provides broader visibility by consolidating findings from multiple tools.

This question has had me going back and forth for days. I use Stephane Maareks course and AWS docs as my sources. The bits I am getting tripped up by: 1. The question is not specifically about guard duty. For Security Hub to be enabled we can ascertain that AWS config has been enabled. Config rules could trigger findings. Security Hub can remediate this. 2. Option C says Guard Duty logs. Is this correct? Other options explicitly state "findings." Guard duty monitors various logs and pushes findings to Eventbridge. In Stephane Maarek's course, he has this exact architecture for Security hub remediation.

Security Hub serves as a central repository to store security findings from various services including Guard Duty. Option C limits security findings ONLY to Guard Duty. The requirement is to alert for any security finding and not just those from Guard Duty. D is more appropriate in my opinion.

Option C fits.

Difficult one, D could also be correct. Securityhub can trigger remediation and sns from different sources (cloudwatch, guardduty) Securityhub depends of guardduty. But guardduty depends of cloudwatch as well. Securityhub has a predefined remediation based on best practice. C and D are correct, question doesn't specify/differentiates

B C never addresses Remediation and why would you Configure the Lambda function to also publish notifications to the SNS topic when Security Hub works with AWS Config and AWS Systems Manager and push notificiations? The answer is B

Best answer is C One would not need SecurityHub to launch a response to GuardDuty finding. SecurityHub is security posture management tool, but without it GuardDuty can still responds to findings. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

Security Hub by itself does not detect suspicious activity, but GuardDuty. Eventbridge rule is required to trigger remediation actions and SNS topic.

SecurityHub checks posture. GuardDuty monitors for malicious activity.

It's C. SecurityHub checks posture. GuardDuty monitors for malicious activity.

Option C responds to all requirements; automate remediation, notification via SNS, send logs to a dedicated account

I would say it is C as Guardduty must be turned on even for the security hub options. Also you can aggregate GuardDuty Findings and trigger Events. https://aws.amazon.com/blogs/security/how-to-manage-amazon-guardduty-security-findings-across-multiple-accounts/ https://repost.aws/knowledge-center/guardduty-eventbridge-sns-rule

Agree, it is C

Option C

Answer is C

Answer C https://www.youtube.com/watch?v=RGNMkhaT_GY