🔥 3-day streak
AWS Certified Security - Specialty141 / 157
Question 141 of 157
A security team has built an automated incident-response pipeline. When GuardDuty detects a compromised EC2 instance, EventBridge triggers a Systems Manager Automation runbook that isolates the instance by replacing its security group and creating a forensic snapshot. During testing, the team discovered that the runbook occasionally isolated production instances that were later found to be benign, causing outages. The team wants automated containment to proceed immediately for instances tagged Environment=dev, but require a human approval before containment executes on instances tagged Environment=prod. Which approach best meets this requirement with the least custom code?
Reviewed for accuracy · Report an issueNext question