AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct solution is to use a centralized, event-driven architecture. In the delegated GuardDuty administrator account, an Amazon EventBridge rule is created to specifically filter for the CryptoCurrency:EC2/BitcoinTool.B finding. This rule's target is a Lambda function in the same administrator account. When triggered, the Lambda function's code extracts the member account ID and instance ID from the GuardDuty finding details. It then assumes a pre-configured, cross-account IAM role in the target member account. This cross-account role is trusted only by the Lambda function's execution role and has a narrowly scoped IAM policy granting only the ec2:ModifyInstanceAttribute permission, which is required to change an instance's security groups. This approach is centralized, automated, scalable, and adheres to the principle of least privilege.

Deploying an EventBridge rule and Lambda function in each member account is incorrect because it is not a centralized solution. It creates significant operational overhead for management, updates, and ensuring consistency across a large number of accounts.

Using an S3 bucket as an intermediary is incorrect because it adds unnecessary complexity and latency compared to the direct integration between GuardDuty and EventBridge. While GuardDuty can export findings to S3, using EventBridge for real-time, event-driven automation is the more efficient and standard pattern.

Using a Lambda function with hardcoded IAM user access keys for each member account is a major security anti-pattern and is therefore incorrect. This approach violates the principle of least privilege and introduces the significant risk of exposed long-lived credentials. Cross-account IAM roles are the secure way to grant temporary, programmatic access between accounts.