Certified Ethical Hacker (CEH) Practice Question

When an AWS Lambda function is deployed through AWS Serverless Application Model (SAM), CloudFormation, or other IaC pipelines, the code package is stored in an immutable version managed by AWS Lambda. If any change is made outside the deployment pipeline-such as a tester overwriting the handler file inside the execution environment-the next invocation will launch a fresh read-only copy of the most recently published version from Amazon S3. This auto-healing occurs because Lambda containers are ephemeral; every invocation can be served by a new container that is rebuilt from the stored deployment package. The feature responsible for providing that clean copy is the read-only code package of each Lambda version, which is automatically mounted by the Lambda service. Other services listed do not themselves overwrite function code: CodeDeploy handles traffic shifting between versions but does not rewrite the package; CloudTrail only logs API calls; and GuardDuty is a threat-detection service with no remediation capability.