Threat Detection And Security Response — AWS Solutions Architect Pro (SAP-C02)

3% of exam questions (5 of 200)

GuardDuty Generates Findings; EventBridge Routes Them to Action

GuardDuty analyzes VPC Flow Logs, DNS query logs, and CloudTrail events to detect threats. It does not take remediation action; the response pipeline is a separate architectural decision. EventBridge receives GuardDuty findings and routes them to Lambda for automated isolation or to SNS for human escalation, depending on finding type and confidence level. High-confidence findings with a narrow blast radius, such as a known malicious IP communicating with a single EC2 instance, justify a fully automated response via Lambda. Lower-confidence or broader findings should route to a Step Functions workflow that inserts a human approval step before any destructive action executes, so that a false positive cannot trigger automated remediation with a wide blast radius.

What This Pattern Tests

The exam describes a security event and tests detection-to-response pipeline design. GuardDuty analyzes CloudTrail logs, VPC Flow Logs, DNS logs, and S3 data events for threats (compromised EC2, credential exfiltration, cryptocurrency mining). Security Hub aggregates findings from GuardDuty, Inspector, Config, and third parties with a compliance score. EventBridge routes findings to automated response. Lambda quarantines compromised resources (revoke IAM keys, isolate instances via security groups). The trap is stopping at detection (just enable GuardDuty) without designing the response chain.
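The routing logic described in the two passages above (finding type and severity deciding between automated isolation, a human-approval workflow, and plain escalation) is easier to reason about in code. The following is an added example, not code from the page or from AWS. It builds three constructed EventBridge-wrapped GuardDuty events, applies a small matcher for an EventBridge event pattern with a numeric severity condition, routes each finding to a response stage, and returns the API calls a responder Lambda would plan without executing them. The `AUTO_ISOLATE_TYPES` allow-list, the severity thresholds, and the `QUARANTINE_SG` security group id are assumptions chosen for illustration; the finding type strings and the `resource.resourceType` / `instanceDetails` / `accessKeyDetails` shape follow GuardDuty's finding format.

```python
"""Route GuardDuty findings (delivered via EventBridge) to a response stage.

Added example for illustration; the sample events below are constructed, not
real findings. No AWS API is called: plan_remediation() only describes calls.
"""
from __future__ import annotations

from typing import Any

# GuardDuty severity scale is 0.1-8.9; these band edges are the documented
# Low (1.0-3.9) / Medium (4.0-6.9) / High (7.0-8.9) boundaries.
HIGH_SEVERITY = 7.0
MEDIUM_SEVERITY = 4.0

# Assumption: a team-chosen allow-list of finding types whose remediation is
# narrow (isolate one instance). Anything else goes through human approval.
AUTO_ISOLATE_TYPES = {
    "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
}

# Hypothetical quarantine security group with no inbound or outbound rules.
QUARANTINE_SG = "sg-0quarantine0000000"

# EventBridge event pattern selecting high-severity GuardDuty findings
# (uses EventBridge's numeric matching syntax).
HIGH_SEVERITY_PATTERN: dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", HIGH_SEVERITY]}]},
}

# Constructed sample events in the EventBridge envelope.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
                "severity": 8.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
                "severity": 8.0,
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE000000000",
                                                  "userName": "app-role-session"}}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort",
                "severity": 2.0,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0fedcba9876543210"}}}},
]


def _match_alternative(actual: Any, alt: Any) -> bool:
    """Match one pattern alternative: a literal or a single-bound numeric test."""
    if isinstance(alt, dict) and "numeric" in alt:
        if not isinstance(actual, (int, float)):
            return False
        op, value = alt["numeric"]
        tests = {">=": actual >= value, ">": actual > value,
                 "<=": actual <= value, "<": actual < value, "=": actual == value}
        return tests[op]
    return actual == alt


def matches_pattern(event: dict[str, Any], pattern: dict[str, Any]) -> bool:
    """Minimal EventBridge pattern matcher: nested keys, literal lists, numeric ops."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif not any(_match_alternative(actual, alt) for alt in expected):
            return False
    return True


def route_finding(event: dict[str, Any]) -> str:
    """Decide the response stage: auto-isolate, approval workflow, or escalation."""
    detail = event["detail"]
    severity = float(detail["severity"])
    narrow = detail["type"] in AUTO_ISOLATE_TYPES and detail["resource"]["resourceType"] == "Instance"
    if severity >= HIGH_SEVERITY and narrow:
        return "lambda-isolate"            # high confidence, one instance affected
    if severity >= MEDIUM_SEVERITY:
        return "stepfunctions-approval"    # human approves before destructive action
    return "sns-escalate"                  # low severity: notify only


def plan_remediation(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Describe (do not execute) the API calls a responder Lambda would make."""
    resource = event["detail"]["resource"]
    if resource["resourceType"] == "Instance":
        return [{"api": "ec2:ModifyInstanceAttribute",
                 "InstanceId": resource["instanceDetails"]["instanceId"],
                 "Groups": [QUARANTINE_SG]}]
    if resource["resourceType"] == "AccessKey":
        keys = resource["accessKeyDetails"]
        return [{"api": "iam:UpdateAccessKey", "UserName": keys["userName"],
                 "AccessKeyId": keys["accessKeyId"], "Status": "Inactive"}]
    return []


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["detail"]["type"], "->", route_finding(ev), plan_remediation(ev))
```

The credential-exfiltration finding is high severity yet still goes to the approval workflow: deactivating a key used by a production role has a wider blast radius than isolating one instance, which is the distinction the pattern draws between fully automated and human-gated remediation.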

Decision Axis

Detection scope (what threats to find) and response automation level (alert-only vs. auto-remediate) are independent design decisions.

Decision Rules

Distinguish two architectures. In the first, GuardDuty findings are centrally aggregated in Security Hub and automatically routed through EventBridge to trigger alerts; this full pipeline satisfies the alerting SLA. In the second, GuardDuty is enabled organization-wide with a delegated administrator, but there is no Security Hub aggregation and no EventBridge notification rule; detection is real and multi-account, yet the alert SLA is unmet because no automated response stage exists.

Amazon GuardDuty · AWS Security Hub · Amazon EventBridge

Domain Coverage

Design Solutions for Organizational Complexity

Difficulty Breakdown

Medium: 5