Exam AWS Certified Security - Specialty topic 1 question 364 discussion

Answer A https://aws.amazon.com/solutions/implementations/automated-security-response-on-aws/

D is correct.

The correct answer is A. Please refer to the link - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html

Using custom action to send findings to Events

I think A is correct.. but i need to investigate more! Is this flow valid? Hub=>EventBridge=>Lambda=>Hub=>EventBrdige=>Lambda=>SNS i'm still not sure if it's possible to use the Security Hub "custom actions" so "evaluate" findings with Lambda then notify Security Hub again to trigger a EventBridge which trigger another Lambda function.. sounds weird right? D could be also correct even though i don't like it

B and C are removed from the equation for the following reasons: Security Hub insights deliver generic detections, however the business requirement specifies the need to create a custom detection.

Answer A provides near real time threat detection and response.

Answer is A : The difference between A and D is : A focusses on remediation of Security hub findings which is what the question has asked for, not validating compliance of resources based on AWS config rules. D is correct if the question asks about validating compliance of resources.

Security Hub for centralized monitoring and response and automatic remediation.

My vote goes to A. Here's why: D is INCORRECT since you would only be able to detect changes in your AWS, but not other threats. B and C are INCORRECT since we are asked for CUSTOM, and both implement default findings or configuration. A is the one in my opinion.

B A proposes creating Security Hub custom actions and using Amazon EventBridge (Amazon CloudWatch Events) rules to invoke AWS Lambda functions to evaluate the configuration of the resource and send noncompliant resources to Security Hub. However, it does not specify any remediation action to be taken, so it would require manual intervention to remediate the noncompliant resources. Therefore, option B is the better solution for providing near-real-time response and automatic remediation for custom security detections throughout the organization.

The question requires "Custom Security Detection", so I go with D, AWS Config. You can create your own rules in config and get notified when it is not fulfilled any more and you can fix the issue with a lambda. Whereas in Security Hub you can only run some rules defined by AWS or some industry companies.

A, near real time is more effective with CloudWatch Events.

It is clearly B https://aws.amazon.com/blogs/security/use-security-hub-custom-actions-to-remediate-s3-resources-based-on-macie-discovery-results/

i think D for AWS Config

i think A https://aws.amazon.com/solutions/implementations/automated-security-response-on-aws/

I think A is correct. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cwe-custom-actions.html