ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A security team ingests Linux bastion-host logs from Amazon CloudWatch Logs into AWS Security Hub through an Amazon EventBridge rule. During a recent penetration test, thousands of authentication failure messages from a well-known Internet scanner generated so many findings that analysts struggled to spot truly suspicious activity. The team has already restricted the scanner's IP ranges at the VPC network ACL, but the repetitive log entries and resulting findings continue to arrive.
Which solution will best reduce alert noise while still ensuring that new malicious source IP addresses are detected and forwarded to Security Hub for investigation?
Disable SSH logging on the bastion host to prevent the generation of authentication failure messages that trigger the excessive findings.
Create GuardDuty suppression rules for the scanner's IP address ranges so findings that match those sources are automatically archived before analysts see them.
Add a CloudWatch Logs metric filter that excludes every auth failure (FAILED_AUTH) record from the bastion-host log group so Security Hub no longer receives these events.
Configure a CloudWatch Logs subscription filter that streams events to an AWS Lambda function; have the function drop events from the scanner's IP ranges and forward only previously unseen sources to Security Hub.
Creating a CloudWatch Logs subscription filter that invokes an AWS Lambda function lets the team inspect each log event as it is streamed out of the log group (the subscription delivers a batch of events as a base64-encoded, gzip-compressed JSON payload). The function can compare the source IP in each authentication-failure message against a maintained suppression list of the scanner's published address ranges. If the IP falls inside one of those ranges, the function simply discards the event; if it does not, the function formats the remaining events as AWS Security Finding Format (ASFF) findings and pushes them to Security Hub by calling BatchImportFindings (the function's execution role needs the securityhub:BatchImportFindings permission, and each call accepts at most 100 findings). This approach suppresses only the known benign noise while continuing to surface previously unseen attack sources.
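The handler described above, written out as an added example (this is not code from the original page or from AWS). It decodes a subscription-filter payload, extracts the source IP from sshd failure messages, drops events from the scanner's ranges, and builds ASFF findings for everything else. The scanner ranges, the sample log lines, the account ID, region and log group name, and the `_RecordingClient` stand-in for the boto3 Security Hub client are all constructed assumptions so the example runs offline; in a real deployment the `boto3` client would be used instead.

```python
"""Lambda-style consumer for CloudWatch Logs subscription-filter events.

Added example, not from the original page. Scanner ranges, sample log lines,
account/region values and the log group name are constructed for illustration.
"""
import base64
import datetime
import gzip
import ipaddress
import json
import re

# Constructed suppression list: the ranges the scanner publishes (assumption).
SCANNER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Matches common sshd failure messages and captures the remote address.
FAILED_AUTH_RE = re.compile(
    r"(?:Failed password|Invalid user|authentication failure).*?"
    r"(?:from|rhost=)\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def extract_source_ip(message):
    """Return the source IP of an auth-failure line, or None if it is not one."""
    m = FAILED_AUTH_RE.search(message)
    return m.group("ip") if m else None


def is_known_scanner(ip):
    """True when the address falls inside one of the suppressed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def decode_subscription_event(event):
    """CloudWatch Logs delivers {'awslogs': {'data': base64(gzip(json))}}."""
    raw = base64.b64decode(event["awslogs"]["data"])
    return json.loads(gzip.decompress(raw))


def build_finding(ip, log_event, log_group, account_id, region):
    """Build a minimal ASFF finding for one non-suppressed auth failure."""
    ts = datetime.datetime.fromtimestamp(log_event["timestamp"] / 1000, tz=datetime.timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"bastion-auth-failure/{log_group}/{log_event['id']}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": "bastion-auth-failure-filter",
        "AwsAccountId": account_id,
        "Types": ["TTPs/Initial Access"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": "MEDIUM"},
        "Title": f"SSH authentication failure from unrecognised source {ip}",
        "Description": log_event["message"],
        "Resources": [{"Type": "Other", "Id": ip}],
    }


def handler(event, context=None, securityhub=None, account_id="111122223333", region="us-east-1"):
    """Lambda entry point. `securityhub` is injectable so the example runs offline."""
    payload = decode_subscription_event(event)
    findings, dropped = [], 0
    for log_event in payload["logEvents"]:
        ip = extract_source_ip(log_event["message"])
        if ip is None:
            continue  # not an authentication failure; nothing to report
        if is_known_scanner(ip):
            dropped += 1  # known scanner noise: discard
            continue
        findings.append(build_finding(ip, log_event, payload["logGroup"], account_id, region))
    if findings:
        if securityhub is None:
            import boto3  # real deployment path; imported lazily so the module loads offline
            securityhub = boto3.client("securityhub", region_name=region)
        for i in range(0, len(findings), 100):  # BatchImportFindings accepts at most 100 per call
            securityhub.batch_import_findings(Findings=findings[i:i + 100])
    return {"forwarded": len(findings), "dropped_known_scanner": dropped}


# Constructed sample log lines: two from scanner ranges, one unseen source, one success.
SAMPLE_LINES = [
    "Sep 12 10:00:01 bastion sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2",
    "Sep 12 10:00:02 bastion sshd[1235]: Failed password for root from 192.0.2.45 port 40022 ssh2",
    "Sep 12 10:00:03 bastion sshd[1236]: Accepted publickey for ec2-user from 10.0.1.5 port 52000 ssh2",
    "Sep 12 10:00:04 bastion sshd[1237]: Invalid user test from 203.0.113.9 port 33333",
]


def make_subscription_event(lines, log_group="/bastion/auth"):
    """Wrap sample lines the way CloudWatch Logs hands them to a subscriber."""
    payload = {
        "messageType": "DATA_MESSAGE",
        "owner": "111122223333",
        "logGroup": log_group,
        "logStream": "i-0abc123",
        "subscriptionFilters": ["bastion-auth-failures"],
        "logEvents": [{"id": str(i), "timestamp": 1694512800000 + i * 1000, "message": m}
                      for i, m in enumerate(lines)],
    }
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()
    return {"awslogs": {"data": data}}


class _RecordingClient:
    """Stand-in for boto3's securityhub client; records what would be imported."""
    def __init__(self):
        self.calls = []

    def batch_import_findings(self, Findings):
        self.calls.append(Findings)
        return {"FailedCount": 0, "SuccessCount": len(Findings), "FailedFindings": []}


if __name__ == "__main__":
    client = _RecordingClient()
    print(handler(make_subscription_event(SAMPLE_LINES), securityhub=client))
```

Run against the constructed sample, only the 192.0.2.45 failure reaches Security Hub; the two scanner-range failures are dropped and the successful login is ignored. The suppression list is a plain module constant here; in production it would be loaded from a parameter store or refreshed from the scanner's published list so the Lambda does not need redeploying when the ranges change.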
Excluding every FAILED_AUTH event at the metric-filter level, or disabling SSH logging entirely, would eliminate visibility into any new brute-force attempts, not just the scanner's. GuardDuty suppression rules act only on findings that GuardDuty itself generates, not on the CloudWatch-derived findings already burdening analysts, so they would not reduce this noise and would require shifting the detection logic to a different service. Therefore, forwarding only events from sources outside the suppression list through a Lambda-based subscription filter is the most effective and precise way to reduce noise without losing important security intelligence.
Risk Identification, Monitoring and Analysis