Q32 — AWS DOP-C02 Ch.1


A company runs applications in AWS accounts within an AWS Organizations organization. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity across all AWS accounts—including newly created ones—and send notifications to an Amazon SNS topic for investigation and remediation.

Correct Answer: B. In the organization’s management account, configure Amazon GuardDuty to invite newly created AWS accounts and send invitations to existing AWS accounts. Create an AWS CloudFormation StackSet that accepts GuardDuty invitations and deploys an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern matching GuardDuty findings and forwarding matched events to the SNS topic. Deploy the StackSet to all AWS accounts in the organization.

Explanation

Option B is correct because it combines two mechanisms. GuardDuty supplies the detection: it analyzes CloudTrail management events, VPC Flow Logs and DNS logs from its own data streams, so none of those sources has to be enabled or delivered by the account owner, and it produces findings for compromised EC2 instances, suspicious network activity and anomalous API calls. Every finding is also emitted to EventBridge as a "GuardDuty Finding" event, which is what the rule matches. The CloudFormation StackSet supplies the account coverage: deployed from the management account with service-managed permissions and automatic deployment enabled, it accepts the GuardDuty invitation and creates the EventBridge rule in every existing account and in each account that joins the organization later, so detection and alerting stay consistent without per-account work. Option A has no mechanism that reaches newly created accounts. Options C and D route findings through Security Hub, which ingests GuardDuty findings and re-emits them in its own finding format; that is an extra hop the requirement does not ask for, and those options additionally require VPC Flow Logs and CloudTrail trails to be configured, which GuardDuty does not need in order to detect the activity described.
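What the StackSet in option B would deploy into each member account, written out as an added example (this template is not part of the original question or of any AWS sample; the parameter names, the topic name and the use of a per-account topic are assumptions). It enables the GuardDuty detector, accepts the invitation from the administrator account, and creates the EventBridge rule plus the SNS topic policy that lets EventBridge publish to the topic.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example, not from the original page. Accept the GuardDuty invitation from the
  administrator account and forward every GuardDuty finding in this account to an SNS topic.

Parameters:
  MasterAccountId:
    Type: String
    Description: Account ID of the GuardDuty administrator (assumed here to be the management account)
  TopicName:
    Type: String
    Default: guardduty-findings   # assumed name
    Description: Name of the SNS topic that receives findings in this account

Resources:
  # One detector per Region and account; creation fails if GuardDuty is already enabled here.
  Detector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

  # Accepting the invitation makes the administrator account the GuardDuty master for this detector.
  AcceptInvitation:
    Type: AWS::GuardDuty::Master
    Properties:
      DetectorId: !Ref Detector
      MasterId: !Ref MasterAccountId

  FindingsTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: !Ref TopicName

  # Without this policy the rule is created but every delivery to the topic is denied.
  FindingsTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref FindingsTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventBridgeToPublish
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref FindingsTopic
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt FindingsRule.Arn   # only this rule may publish

  # Matches every finding GuardDuty emits in this account and Region.
  FindingsRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Forward GuardDuty findings to SNS for investigation
      State: ENABLED
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
      Targets:
        - Id: GuardDutyFindingsToSns
          Arn: !Ref FindingsTopic

Outputs:
  FindingsTopicArn:
    Value: !Ref FindingsTopic
```

Two practical notes. If the topic should live in one central account instead of in each member, keep the rule in the member account, point its target at the central topic ARN, and extend that topic's policy so it trusts the rule ARN from every member account; EventBridge can publish cross-account to SNS only when the topic policy allows it. The event pattern above forwards all severities; adding `detail: {severity: [{numeric: [">=", 7]}]}` restricts it to high-severity findings once the team has decided what warrants a page. In a current deployment the GuardDuty Organizations integration (a delegated administrator with auto-enable for new accounts) replaces the invitation and `AWS::GuardDuty::Master` step, but the answer as written relies on invitations, and the StackSet still has to deploy the rule and topic policy either way.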