Q61 — AWS DOP-C02 Ch.1
A company runs applications in AWS accounts within an organization in AWS Organizations. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity across both AWS accounts managed by the company and any AWS accounts created outside the company’s governance. When the company detects such an event, it wants to use the corresponding Amazon Simple Notification Service (Amazon SNS) topic to notify its security operations team for investigation and remediation. According to AWS best practices, which solution meets these requirements?
- A. In the organization’s management account, configure one AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule using an event pattern to match GuardDuty findings and forward matching events to the SNS topic. ✓
- B. In the organization’s management account, configure Amazon GuardDuty to invite newly created AWS accounts and send invitations to existing AWS accounts. Create an AWS CloudFormation StackSet that accepts GuardDuty invitations and creates Amazon EventBridge rules. Configure the rule using an event pattern to match GuardDuty findings and forward matching events to the SNS topic. Configure the StackSet to deploy to all AWS accounts in the organization.
- C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP to enable VPC Flow Logs in every account in the organization. Enable AWS Security Hub for the organization. Create an Amazon EventBridge rule using an event pattern to match Security Hub findings and forward matching events to the SNS topic.
- D. In the organization’s management account, configure one AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP to enable VPC Flow Logs in every account in the organization. Enable AWS Security Hub for the organization. Create an Amazon EventBridge rule using an event pattern to match Security Hub findings and forward matching events to the SNS topic.
Correct Answer: A. In the organization’s management account, configure one AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule using an event pattern to match GuardDuty findings and forward matching events to the SNS topic.
Explanation
Option A follows AWS best practices: designating one account as the GuardDuty delegated administrator from the organization’s management account centralizes threat detection across all member accounts, and accounts created outside the organization’s governance can still be covered by invitation (organization members can be auto-enabled). GuardDuty findings already span the three detection categories the company requires: potentially compromised EC2 instances, suspicious network activity, and anomalous API activity. An EventBridge rule in the administrator account whose event pattern matches GuardDuty findings and targets the SNS topic gives immediate, reliable notification without per-account deployment and without depending on secondary services such as Security Hub or CloudTrail. Options B, C, and D add unnecessary complexity, provide incomplete coverage (for example, Security Hub only aggregates findings from the services integrated with it), or are mis-scoped (for example, CloudTrail trails and VPC Flow Logs alone record activity but do not by themselves detect compromised instances or network anomalies).