Threat Detection And Security Response — AWS SysOps Administrator (SOA-C03)
Threat Detection and Automated Response Require Two Connected Services
Requirement: detect compromised IAM credentials and automatically isolate the affected resource. Competing designs: CloudTrail anomaly review only vs. GuardDuty findings routed through EventBridge to a Lambda remediation function. The deciding constraint is automated response. CloudTrail records API calls but does not classify them as threats; building that classification yourself means writing and maintaining your own analytics. GuardDuty analyzes behavioral patterns and generates actionable findings that EventBridge can match and route in near real time. Detection and remediation must be wired together, and the remediation function runs unattended on attacker-influenced input, so its execution role should carry only the actions it needs (for example ec2:ModifyInstanceAttribute and iam:UpdateAccessKey) rather than broad administrative rights. The exam tests whether you connect both halves.
What This Pattern Tests
The exam describes a security event and tests detection-to-response pipeline design. GuardDuty analyzes CloudTrail management events, VPC Flow Logs, DNS query logs, and S3 data events for threats (compromised EC2 instances, credential exfiltration, cryptocurrency mining) and publishes each finding with a numeric severity (High starts at 7.0, Critical at 9.0). Security Hub aggregates findings from GuardDuty, Inspector, Config, and third-party products and reports a security score against the enabled standards. EventBridge matches finding events against rules and routes them to automated response targets. Lambda quarantines compromised resources (deactivate IAM access keys, isolate instances by swapping their security groups for a quarantine group). The trap is stopping at detection (just enable GuardDuty) without designing the response chain.
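The remediation half of the pipeline described above, as an added example (not code from the page or from AWS): a Lambda handler that parses the GuardDuty finding EventBridge delivers in `event["detail"]`, isolates an EC2 instance by replacing its security groups with a quarantine group, or deactivates an IAM user's access key, and hands anything else (assumed-role sessions, root) to a human. The quarantine security group id, the `RecordingClient` test double, the sample finding ids and the key id are assumptions constructed for the example; the boto3 calls (`modify_instance_attribute`, `update_access_key`) are the real client methods.

```python
"""Hypothetical GuardDuty remediation Lambda (added example, not AWS code).

The AWS clients are passed in so the decision logic can be exercised offline
with a recording test double; lambda_handler wires in real boto3 clients.
"""
import json
import os

# Assumption: the quarantine group is created in advance in the instance's VPC
# with no inbound and no outbound rules, so traffic is dropped, not delivered.
QUARANTINE_SG_ENV = "QUARANTINE_SG_ID"
MIN_SEVERITY = 7.0  # GuardDuty High starts at 7.0, Critical at 9.0


def parse_finding(event):
    """Extract the fields remediation needs from the EventBridge envelope.

    Anything that is not a GuardDuty Finding raises, so a mis-scoped rule
    fails loudly instead of quarantining the wrong resource.
    """
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    detail = event["detail"]
    res = detail.get("resource", {})
    out = {
        "finding_id": detail["id"],
        "type": detail["type"],
        "severity": float(detail["severity"]),
        "resource_type": res.get("resourceType"),
    }
    if out["resource_type"] == "Instance":
        out["instance_id"] = res["instanceDetails"]["instanceId"]
    elif out["resource_type"] == "AccessKey":
        key = res["accessKeyDetails"]
        out["access_key_id"] = key.get("accessKeyId")
        out["user_type"] = key.get("userType")
        out["user_name"] = key.get("userName")
    return out


def remediate(event, ec2, iam, quarantine_sg):
    """Apply the response for one finding; returns a record of what was done."""
    f = parse_finding(event)
    result = {"finding_id": f["finding_id"], "type": f["type"], "action": "none"}
    if f["severity"] < MIN_SEVERITY:
        # The EventBridge rule should already filter on severity; this is defense in depth.
        result["reason"] = "below severity threshold"
    elif f["resource_type"] == "Instance":
        # Replacing every group on the primary ENI cuts all traffic at once.
        # Instances with extra ENIs need modify_network_interface_attribute per ENI.
        ec2.modify_instance_attribute(InstanceId=f["instance_id"], Groups=[quarantine_sg])
        result.update(action="isolated_instance", instance_id=f["instance_id"])
    elif f["resource_type"] == "AccessKey" and f["user_type"] == "IAMUser":
        # Inactive rather than deleted: reversible, and the key id stays searchable in CloudTrail.
        iam.update_access_key(UserName=f["user_name"], AccessKeyId=f["access_key_id"], Status="Inactive")
        result.update(action="deactivated_key", user_name=f["user_name"], access_key_id=f["access_key_id"])
    else:
        # Assumed-role sessions, root, or unknown types: page a human instead of guessing.
        result.update(action="manual_review", reason=f"unsupported {f['resource_type']}/{f.get('user_type')}")
    return result


def lambda_handler(event, context):
    import boto3  # imported here so the module loads without boto3 for local tests
    return remediate(event, boto3.client("ec2"), boto3.client("iam"), os.environ[QUARANTINE_SG_ENV])


class RecordingClient:
    """Test double for a boto3 client: records every call, returns an empty response."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


# Constructed sample events (shape follows GuardDuty's EventBridge finding event; ids are fake).
SAMPLE_INSTANCE_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f1", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}
SAMPLE_KEY_FINDING = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "f2", "type": "UnauthorizedAccess:IAMUser/TorIPCaller", "severity": 8,
               "resource": {"resourceType": "AccessKey",
                            "accessKeyDetails": {"accessKeyId": "AKIAEXAMPLE000000000",
                                                 "userType": "IAMUser", "userName": "deploy-bot"}}},
}

if __name__ == "__main__":
    ec2, iam = RecordingClient(), RecordingClient()
    for sample in (SAMPLE_INSTANCE_FINDING, SAMPLE_KEY_FINDING):
        print(json.dumps(remediate(sample, ec2, iam, "sg-0quarantine000000"), indent=1))
    print("EC2 calls:", ec2.calls)
    print("IAM calls:", iam.calls)
```

Run it locally to see the two actions and the exact API calls they would issue; in Lambda, set `QUARANTINE_SG_ID` and grant the execution role only `ec2:ModifyInstanceAttribute` and `iam:UpdateAccessKey`.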
Decision Axis
Detection scope (which threats and which data sources to cover) and response automation level (alert-only vs. auto-remediate) are independent design decisions: broad detection can feed an alert-only workflow, and a narrow, high-confidence finding class can be auto-remediated. A complete answer states both choices.
Decision Rules
Route GuardDuty findings through a native EventBridge event-pattern rule that invokes Lambda as soon as a finding is published, rather than scheduling a Lambda function that polls the GuardDuty API on an interval. The event-driven rule meets a 'within minutes' SLA reliably (GuardDuty sends new findings to EventBridge within about five minutes of generation; updates are sent at the configured findings export frequency) and needs no polling infrastructure to build and maintain. Polling adds latency equal to its interval and forces you to track a watermark, paginate, and de-duplicate findings you have already handled; it is a fallback, not the design the exam wants.
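The filtering half of that decision, as an added example that is not part of the page: the event pattern a practitioner would attach to the EventBridge rule (GuardDuty findings only, severity High or worse) and a small matcher that reproduces the subset of EventBridge pattern semantics the rule relies on (exact values in an array are OR'd, keys in a pattern are AND'd, `prefix` and `numeric` comparison operators on nested keys). The matcher is my own approximation of EventBridge behaviour, not AWS code, and the sample events are constructed; run it to see that a severity-2 probe and an unrelated EC2 state-change event never reach Lambda, while High and Critical findings do.

```python
"""Approximation of EventBridge event-pattern matching (added example, not AWS code).

Covers the operators the GuardDuty rule below needs; it does not implement
every EventBridge feature (for example, matching inside event arrays).
"""
import operator

# The rule pattern a practitioner attaches to the EventBridge rule.
GUARDDUTY_HIGH_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}


def _match_value(pattern_values, actual):
    """True if any value in the pattern list matches (a list is an OR)."""
    for pv in pattern_values:
        if isinstance(pv, dict):
            if "prefix" in pv and isinstance(actual, str) and actual.startswith(pv["prefix"]):
                return True
            if "numeric" in pv and isinstance(actual, (int, float)) and not isinstance(actual, bool):
                spec = pv["numeric"]  # [op, value, op, value, ...]; every pair must hold
                if all(_OPS[spec[i]](actual, spec[i + 1]) for i in range(0, len(spec), 2)):
                    return True
        elif pv == actual:
            return True
    return False


def matches(pattern, event):
    """Every key in the pattern must exist in the event and match (keys are AND'd)."""
    if not isinstance(event, dict):
        return False
    for key, pv in pattern.items():
        if key not in event:
            return False
        if isinstance(pv, dict):
            if not matches(pv, event[key]):
                return False
        elif not _match_value(pv, event[key]):
            return False
    return True


def _finding(fid, ftype, severity):
    # Constructed GuardDuty finding envelope; ids are fake.
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "type": ftype, "severity": severity}}


SAMPLE_EVENTS = [
    _finding("f-low", "Recon:EC2/PortProbeUnprotectedPort", 2),
    _finding("f-high", "CryptoCurrency:EC2/BitcoinTool.B!DNS", 8),
    # Unrelated event carrying a "severity" field: the source check must reject it.
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running", "severity": 9}},
    _finding("f-critical", "UnauthorizedAccess:IAMUser/TorIPCaller", 9.5),
]


def select_for_remediation(events, rule=GUARDDUTY_HIGH_RULE):
    """Finding ids the rule would forward to the Lambda target, in arrival order."""
    return [e["detail"]["id"] for e in events if matches(rule, e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["detail"].get("id", e["detail-type"]), "->", matches(GUARDDUTY_HIGH_RULE, e))
    print("forwarded:", select_for_remediation(SAMPLE_EVENTS))
```

Narrowing the rule to specific finding families is a `prefix` match on `detail.type` (for example `{"prefix": "CryptoCurrency:"}`); keeping severity in the rule means low-severity noise never consumes Lambda invocations at all.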