Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 180 discussion

C - AWS Health focuses on service status & planned changes. Correct answer is A - GuardDuty can detect exposed credentials and generates the finding UnauthorizedAccess and send the event to EventBridge to trigger the SNS.

Correct Answer: A. Create an Amazon EventBridge rule to send Amazon Simple Notification Service (Amazon SNS) email notifications for AWS Health events with the eventTypeCode AWS_RISK_CREDENTIALS_EXPOSED. Not C. Create an Amazon EventBridge rule that reacts to AWS Health events that have a value of Risk for the service category. Configure email notifications by using Amazon Simple Notification Service (Amazon SNS). While this captures a broader range of events, it may lead to unnecessary notifications. Focusing specifically on the AWS_RISK_CREDENTIALS_EXPOSED event ensures that alerts are relevant to exposed credentials.

The Answer is C, here is a similar solution: https://github.com/aws/aws-health-tools/blob/master/automated-actions/AWS_RISK_CREDENTIALS_EXPOSED/README.md Answer cannot be A because referenced finding type is exclusive to EC2 instance profiles, and is triggered only if instance session credentials are actually being used to authenticate as the instance. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws

answer A, no doubt

Its C, since Q asks for DETECTION, whereas A is only after the event, GuardDuty finding indicates compromised access has already happened.

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws A

Option A is the correct solution because it leverages Amazon GuardDuty to detect unauthorized use or exposure of AWS access keys and uses Amazon EventBridge along with Amazon SNS to provide automated email notifications, efficiently meeting the requirement with the least effort.