Automated Security Remediation Design — AWS Solutions Architect Pro (SAP-C02)
GuardDuty Routes to Lambda or Step Functions Based on Confidence
A GuardDuty finding that identifies a known malicious IP communicating with an EC2 instance carries high confidence and a narrow, reversible remediation: Lambda modifies the security group to isolate the instance automatically. A finding that a principal is accessing an unusual number of S3 buckets carries lower confidence with broader implications; automated isolation could disrupt a legitimate batch job. Lower-confidence findings should route to a Step Functions workflow with a manual approval task before any destructive action executes. The design principle is to match automation depth to finding confidence and action reversibility. High-confidence, narrow-blast-radius findings justify full automation; broader or ambiguous findings require a human review step.
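The routing decision described above, as an added Python example that is not code from the page or from AWS. It assumes the EventBridge `detail` shape of a GuardDuty finding, treats the two finding type names as matches for the page's two scenarios, uses an assumed severity cut-off of 7.0 (GuardDuty's "High" band), and uses a constructed quarantine security group id as a placeholder.

```python
from dataclasses import dataclass
from typing import Optional

# Finding types that are high confidence AND whose fix touches one instance and can be
# undone. Assumed matches for the page's "known malicious IP" scenario; extend deliberately.
AUTO_ISOLATE_TYPES = {"UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"}
SEVERITY_FLOOR = 7.0            # assumed cut-off: GuardDuty "High" severity starts at 7.0
QUARANTINE_SG = "sg-0quarantine"  # constructed placeholder: an SG with no inbound/outbound rules

@dataclass
class Decision:
    route: str                   # "lambda_isolate" or "stepfunctions_approval"
    reason: str
    plan: Optional[dict] = None  # reversible isolation plan only when route == "lambda_isolate"

def isolation_plan(instance_id: str, current_sgs: list) -> dict:
    """Swap the instance onto the quarantine SG; keep the original groups so it can be reverted."""
    return {"instance_id": instance_id, "set_groups": [QUARANTINE_SG],
            "rollback_groups": list(current_sgs)}

def route_finding(detail: dict) -> Decision:
    """Match automation depth to confidence and reversibility for one GuardDuty finding."""
    ftype = detail.get("type", "")
    severity = float(detail.get("severity", 0))
    inst = detail.get("resource", {}).get("instanceDetails", {})
    instance_id = inst.get("instanceId")
    sgs = [g["groupId"] for ni in inst.get("networkInterfaces", [])
           for g in ni.get("securityGroups", [])]
    if ftype in AUTO_ISOLATE_TYPES and severity >= SEVERITY_FLOOR and instance_id:
        return Decision("lambda_isolate", "high-confidence type, single instance, reversible SG swap",
                        isolation_plan(instance_id, sgs))
    if instance_id and severity >= SEVERITY_FLOOR:
        reason = "high severity, but type is not on the auto-isolate list"
    else:
        reason = "lower confidence or broad blast radius; human approval before any change"
    return Decision("stepfunctions_approval", reason)

# Constructed sample findings, shaped like the EventBridge 'detail' object.
MALICIOUS_IP = {"type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom", "severity": 8,
    "resource": {"instanceDetails": {"instanceId": "i-0example1",
        "networkInterfaces": [{"securityGroups": [{"groupId": "sg-0web"}, {"groupId": "sg-0ssh"}]}]}}}
S3_ANOMALY = {"type": "Discovery:S3/AnomalousBehavior", "severity": 5,
    "resource": {"accessKeyDetails": {"userName": "batch-role"}}}  # no instance: nothing to isolate

if __name__ == "__main__":
    for f in (MALICIOUS_IP, S3_ANOMALY):
        print(f["type"], "->", route_finding(f))
```

The `rollback_groups` entry is what makes the Lambda path reversible: the same function that applies the quarantine group can restore the originals once the investigation clears the instance.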
What This Pattern Tests
The exam tests automated remediation pipeline design. AWS Config rules evaluate resource configurations continuously. When a rule detects non-compliance (S3 bucket without encryption, security group with 0.0.0.0/0 SSH), SSM Automation or Lambda remediates automatically. Config records the compliance timeline. CloudTrail records the remediation API calls. The trap is designing detection without remediation, or remediation without audit logging. The exam expects all three: detect, fix, prove you fixed it.
Decision Axis
Remediation speed (immediate auto-fix vs. notification and manual review) vs. change control requirements (some environments require approval before auto-remediation).
Decision Rules
Whether to use native AWS Config auto-remediation actions backed by AWS-managed SSM Automation runbooks versus a custom EventBridge-to-Lambda remediation pipeline, when the binding constraint is eliminating new Lambda function ownership and minimizing ongoing operational overhead across a multi-account organization.