Q27 — AWS DOP-C02 Ch.1
A company has a VPC consisting of one public subnet and one private subnet. An application runs on Amazon EC2 instances in the private subnet. An Application Load Balancer resides in the public subnet and distributes traffic to the EC2 instances. The company has enabled Amazon GuardDuty for the account. The DevOps team maintains a daily-updated external IP range list stored in an Amazon S3 bucket. The DevOps engineer needs to configure GuardDuty to generate findings when application traffic originates from IP ranges in that external list.
- A. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the latest external IP range list from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the publicIp filter attribute.
- B. Configure a threat list in GuardDuty with the source set to the external IP range list in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the GuardDuty threat list to match the external IP range list in the S3 bucket. ✓
- C. Configure a trusted IP list in GuardDuty with the source set to the external IP range list in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the GuardDuty trusted IP list to match the external IP range list in the S3 bucket.
- D. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the latest external IP range list from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the localIp filter attribute.
Correct Answer: B. Configure a threat list in GuardDuty with the source set to the external IP range list in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the GuardDuty threat list to match the external IP range list in the S3 bucket.
Explanation
Option B is correct because GuardDuty supports threat lists: customer-supplied lists of external IP addresses and ranges that GuardDuty treats as malicious, so any activity involving those addresses produces a finding. Threat lists exist precisely for this use case, detecting traffic from IPs the organization already knows to be malicious or unauthorized, and they supplement the threat intelligence GuardDuty applies by default. GuardDuty reads the list from an S3 location in a supported format (for example, plain text with one IP address or CIDR range per line), and because it does not re-read the object on its own schedule, the daily Lambda refresh is what makes the updated list take effect. Option A creates finding filters, which suppress or categorize findings GuardDuty has already generated but never generate new ones. Option C configures a trusted IP list, which tells GuardDuty not to generate findings for those IPs, the opposite of the requirement. Option D has the same filter problem as option A and additionally targets localIp (the instances' own addresses) rather than the public source IPs the requirement is about.