🔥 3-day streak
AWS Certified DevOps Engineer - Professional161 / 204
Question 161 of 204

A company operates a central Security account and many workload accounts under AWS Organizations. When GuardDuty in any workload account produces a high-severity finding, an EventBridge rule in the central account (which receives findings via a cross-account event bus) must trigger an AWS Systems Manager Automation runbook that isolates the affected EC2 instance in the workload account where it resides. During testing, the runbook fails with an access-denied error when it attempts to modify the instance's security group. The Automation document is executed via an EventBridge target using a role in the central account. What is the MOST appropriate way to allow the runbook to remediate resources in the workload accounts?

Reviewed for accuracy · Report an issueNext question