As an AWS System Administrator, you have enabled Amazon GuardDuty to identify and detect security issues in your AWS account continuously. You also need to set up relevant preventive actions based on different types of security findings. One preventive action is that when an EC2 instance is under brute force attacks, the SSH port would be closed in the security group automatically. How would you configure various preventative actions in the most appropriate way?

Answer options:

A.In the Amazon GuardDuty console, configure a Lambda function to take preventative actions for each type of findings.
B.Create a CloudWatch Event rule for the "source" of "aws.guardduty" and "detail-type" of "GuardDuty Finding" with a Lambda function target to take preventative actions.
C.Create a CloudWatch Event rule for the "source" of "AWS API Call via CloudTrail" and "detail-type" of "guardduty.amazonaws.com" with a Lambda function target to act upon the GuardDuty findings.
D.In AWS Config, configure the GuardDuty rule managed by AWS. Add a remediation Lambda function to customize the preventative actions.

Correct Answer: B
Option A is incorrect because, in the Amazon GuardDuty console, you cannot add a Lambda function for the findings. There is no such configuration.
Option B is CORRECT because CloudWatch events can get notified for all findings that GuardDuty generates. Users can add the custom logic in the target Lambda function to take the required actions.
Option C is incorrect because the "source" and "detail-type" of the CloudWatch Event rule are incorrect. The correct event pattern should be:
{
"source": [
"aws.guardduty"
],
"detail-type": [
"GuardDuty Finding"
]
}
Option D is incorrect because there is no such AWS managed rule in AWS Config that can get the GuardDuty findings. In this scenario, the correct AWS service to be used should be AWS CloudWatch instead of AWS Config.
References:
https://aws.amazon.com/guardduty/faqs/
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html