Q93 — AWS DOP-C02 Ch.1


A company runs applications in AWS accounts that reside within an organization in AWS Organizations. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity in both existing AWS accounts and any newly created AWS accounts. When such an event is detected, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to notify the security response team for investigation and remediation.

Correct Answer: A. In the organization’s management account, configure the AWS account as an Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule with an event pattern matching GuardDuty findings and forward matched events to the SNS topic.

Explanation

The scenario requires centralized threat detection across existing and future accounts in an AWS Organization, with automated notification through SNS. GuardDuty integrates natively with AWS Organizations: enabling it from the management account monitors all member accounts, including newly added ones, without manual invitations or per-account setup. Option A implements exactly this: designate a GuardDuty administrator account, add the member accounts, and use an EventBridge rule to route GuardDuty findings to the existing SNS topic. Option B adds unnecessary complexity with invitations and stack sets. Options C and D rely on Security Hub, CloudTrail, and VPC Flow Logs, which are less direct for detecting compromised instances and anomalous behavior than GuardDuty's purpose-built machine learning models. Per AWS best practices, option A is the simplest, most scalable, and most effective solution.
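As an added example (not part of the question and not AWS's own code), the following Python simulates the EventBridge rule from option A: it applies the GuardDuty finding event pattern to a constructed sample finding event and builds the message the existing SNS topic would carry. The matcher implements only EventBridge's exact-value matching, and the sample event, account id and instance id are constructed.

```python
"""Simulate option A's EventBridge rule: match GuardDuty finding events and
build the SNS notification the security response team would receive."""
import json

# Event pattern the EventBridge rule would use. GuardDuty findings arrive with
# source "aws.guardduty" and detail-type "GuardDuty Finding".
GUARDDUTY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Constructed sample event in the shape EventBridge delivers for a finding
# (ids and account number are placeholders, not real values).
SAMPLE_FINDING_EVENT = {
    "version": "0", "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "111122223333", "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1", "resources": [],
    "detail": {
        "schemaVersion": "2.0", "accountId": "111122223333",
        "region": "us-east-1", "id": "constructed-finding-id",
        "severity": 5, "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}

def matches_pattern(pattern, event):
    """EventBridge-style exact matching: every pattern key must exist in the
    event and hold one of the listed values; nested dicts match recursively."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches_pattern(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def severity_label(severity):
    # GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
    return "HIGH" if severity >= 7.0 else "MEDIUM" if severity >= 4.0 else "LOW"

def build_sns_message(event):
    """Subject and JSON body for the SNS topic (SNS subjects max out at 100 chars)."""
    d = event["detail"]
    instance_id = d.get("resource", {}).get("instanceDetails", {}).get("instanceId", "n/a")
    subject = f"[GuardDuty {severity_label(d['severity'])}] {d['type']} in {d['accountId']}"
    body = {"findingId": d["id"], "type": d["type"], "severity": d["severity"],
            "accountId": d["accountId"], "region": d["region"], "instanceId": instance_id}
    return {"Subject": subject[:100], "Message": json.dumps(body)}

def route_finding(event, pattern=GUARDDUTY_FINDING_PATTERN):
    """The rule's behaviour: forward matched events to SNS, drop everything else."""
    return build_sns_message(event) if matches_pattern(pattern, event) else None
```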