Q61 — AWS DOP-C02 Ch.1


A company runs applications in AWS accounts within an organization in AWS Organizations. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity across both AWS accounts managed by the company and any AWS accounts created outside the company’s governance. When the company detects such an event, it wants to use the corresponding Amazon Simple Notification Service (Amazon SNS) topic to notify its security operations team for investigation and remediation. According to AWS best practices, which solution meets these requirements?

Correct Answer: A. In the organization’s management account, configure one AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule using an event pattern to match GuardDuty findings and forward matching events to the SNS topic.

Explanation

Option A follows AWS best practices: from the organization's management account, one account is designated as the GuardDuty administrator account, which enables centralized threat detection across all member accounts, including accounts created outside the company's governance (accounts inside the organization can be auto-enabled as members, and accounts outside the organization can be added by invitation). An EventBridge rule in the administrator account that matches GuardDuty findings and targets the SNS topic provides immediate, reliable notification without per-account deployment and without depending on secondary services such as Security Hub or CloudTrail alone. Options B, C, and D add unnecessary complexity, give incomplete coverage (for example, Security Hub depends on its integrated services), or have misaligned scope (for example, CloudTrail trails alone do not detect compromised instances or network anomalies).