Amazon GuardDuty generates security findings when it detects suspicious or malicious activity, including CryptoCurrency:EC2/* findings that indicate an EC2 instance may be involved in unauthorized cryptocurrency mining. According to AWS Certified Security – Specialty documentation, GuardDuty findings are published as events to Amazon EventBridge (formerly Amazon CloudWatch Events).

Amazon EventBridge is the recommended service for building automated incident response workflows. By creating an EventBridge rule that listens for GuardDuty findings of type CryptoCurrency:EC2/*, the security engineer can automatically invoke a Lambda function to isolate the affected EC2 instance by modifying its security group attachments.

Option A is incorrect because GuardDuty does not directly invoke Lambda functions. Option B and Option D are incorrect because AWS Config tracks configuration compliance and resource changes, not real-time threat detection events. Cryptocurrency findings are security detections, not configuration changes.

AWS documentation explicitly describes this pattern—GuardDuty → EventBridge → Lambda → remediation action—as a best practice for automated threat response and containment.

AWS Certified Security – Specialty Official Study Guide

Amazon GuardDuty User Guide – Findings

Amazon EventBridge User Guide

AWS Incident Response Best Practices