Q93 — AWS DOP-C02 Ch.1
A company runs applications in AWS accounts that reside within an organization in AWS Organizations. These applications use Amazon EC2 instances and Amazon S3. The company wants to detect potentially compromised EC2 instances, suspicious network activity, and anomalous API activity in both existing AWS accounts and any newly created AWS accounts. When such an event is detected, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to notify the security response team for investigation and remediation.
- A. In the organization’s management account, configure the AWS account as an Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule with an event pattern matching GuardDuty findings and forward matched events to the SNS topic. ✓
- B. In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts via invitation and send invitations to existing AWS accounts. Create an AWS CloudFormation stack set that accepts GuardDuty invitations and creates an Amazon EventBridge rule. Configure the rule with an event pattern matching GuardDuty findings and forwarding matched events to the SNS topic. Configure the CloudFormation stack set to deploy across all AWS accounts in the organization.
- C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate organization-wide CloudTrail logging for all AWS accounts in the organization. Create a service control policy (SCP) to enable VPC flow logs in every account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge rule with an event pattern matching Security Hub findings and forward matched events to the SNS topic.
- D. In the organization’s management account, configure the AWS account as an AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP to enable VPC flow logs in every account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge rule with an event pattern matching Security Hub findings and forward matched events to the SNS topic.
Correct Answer: A. In the organization’s management account, configure the AWS account as an Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts as members to GuardDuty. In the GuardDuty administrator account, create an Amazon EventBridge rule with an event pattern matching GuardDuty findings and forward matched events to the SNS topic.
Explanation
The scenario requires centralized threat detection across existing and future accounts in an AWS Organization, with automated notification through an existing SNS topic. GuardDuty integrates natively with AWS Organizations: a designated GuardDuty administrator account can add every existing member account and automatically enable GuardDuty for accounts that join the organization later, with no invitations and no per-account setup. Option A implements exactly this: designate a GuardDuty administrator account, add the member accounts, and create an EventBridge rule in that account whose event pattern matches GuardDuty findings and whose target is the SNS topic. Option B adds unnecessary complexity with invitations and a stack set that every account must deploy. Options C and D rely on CloudTrail, VPC flow logs, and Security Hub, which are less direct for detecting compromised instances, suspicious network activity, and anomalous API activity than GuardDuty's purpose-built detections, which combine threat intelligence with machine learning. Per AWS best practices, option A delivers the simplest, most scalable, and most effective solution.