Q32 — AWS DOP-C02 Ch.1
A company runs applications in AWS accounts within an AWS Organizations organization. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity across all AWS accounts—including newly created ones—and send notifications to an Amazon SNS topic for investigation and remediation.
- A. In the organization’s management account, configure one AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add existing company AWS accounts as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching GuardDuty findings and forwarding matched events to the SNS topic.
- B. In the organization’s management account, configure Amazon GuardDuty to invite newly created AWS accounts and send invitations to existing AWS accounts. Create an AWS CloudFormation StackSet that accepts GuardDuty invitations and deploys an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern matching GuardDuty findings and forwarding matched events to the SNS topic. Deploy the StackSet to all AWS accounts in the organization. ✓
- C. In the organization’s management account, create an AWS CloudTrail organization trail. Enable the organization trail in all AWS accounts. Create a Service Control Policy (SCP) enabling VPC Flow Logs in each account. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching Security Hub findings and forwarding matched events to the SNS topic.
- D. In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail and add existing AWS accounts to it. Create an SCP enabling VPC Flow Logs in each account. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching Security Hub findings and forwarding matched events to the SNS topic.
Correct Answer: B. In the organization’s management account, configure Amazon GuardDuty to invite newly created AWS accounts and send invitations to existing AWS accounts. Create an AWS CloudFormation StackSet that accepts GuardDuty invitations and deploys an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern matching GuardDuty findings and forwarding matched events to the SNS topic. Deploy the StackSet to all AWS accounts in the organization.
Explanation
Option B is correct because it uses an AWS CloudFormation StackSet to automatically onboard new accounts into GuardDuty and to deploy a standardized EventBridge rule in every account, which gives consistent, scalable, and automated threat detection and alerting. GuardDuty natively detects compromised EC2 instances, suspicious network activity, and anomalous API calls, and it integrates directly with EventBridge. Option A does not handle newly created accounts automatically. Options C and D rely on Security Hub, which aggregates findings from multiple services (including GuardDuty) but adds latency and complexity; they also unnecessarily mandate VPC Flow Logs and CloudTrail trails when GuardDuty alone satisfies the stated requirements.
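The per-account EventBridge rule that option B's StackSet deploys, written as a CloudFormation template. This is an added example, not part of the question bank or any AWS-published template; the parameter name `FindingsTopicArn`, the resource names, and the input transformer's message format are assumptions. The event pattern (`aws.guardduty` source, `GuardDuty Finding` detail type) is the documented shape of GuardDuty events, and the optional numeric severity filter shown in a comment is an assumption about where a team might set its noise threshold.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the question bank): forwards GuardDuty findings
  from this account to a central SNS topic for investigation.

Parameters:
  FindingsTopicArn:
    Type: String
    Description: >
      ARN of the SNS topic that receives findings (assumed parameter name).
      The topic may live in another account; see the note on its access policy.

Resources:
  GuardDutyFindingsRule:
    Type: AWS::Events::Rule
    Properties:
      Name: guardduty-findings-to-sns   # assumed name
      Description: Forward every GuardDuty finding in this account to SNS
      State: ENABLED
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        # To forward only medium/high findings (severity 4.0 and above),
        # add this assumed threshold inside the pattern:
        # detail:
        #   severity:
        #     - numeric: [">=", 4]
      Targets:
        - Id: central-sns-topic
          Arn: !Ref FindingsTopicArn
          # Reshape the raw event into a one-line message an on-call
          # engineer can read in an email or chat notification.
          InputTransformer:
            InputPathsMap:
              account: $.account
              region: $.region
              type: $.detail.type
              severity: $.detail.severity
              title: $.detail.title
            InputTemplate: >-
              "GuardDuty finding <type> (severity <severity>) in account <account>, region <region>: <title>"

Outputs:
  RuleArn:
    Description: ARN of the forwarding rule (useful for the topic's access policy)
    Value: !GetAtt GuardDutyFindingsRule.Arn
```

Two checks before deploying this through a StackSet: the SNS topic's access policy must grant `sns:Publish` to the `events.amazonaws.com` service principal, or EventBridge silently fails to deliver (when the topic sits in a central account, scope that grant with a condition on the source account or rule ARN rather than opening it to all principals); and because GuardDuty findings are regional, the StackSet must target every Region where GuardDuty is enabled, not just one.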