Q65 — AWS DOP-C02 Ch.2

Question 65 of 100 (Chapter 2)

A company operates a single AWS account for active development. Its security team has enabled Amazon GuardDuty, AWS Config, and AWS CloudTrail in the account. The security team wants to receive near real-time notifications only for high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic to receive notifications from other security tools in the account.

Correct Answer: D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching GuardDuty findings in the event where the severity level is high. Configure the rule to publish messages to the SNS topic.

Explanation

GuardDuty emits findings as CloudTrail events, and those events include a 'severity' field. Amazon EventBridge can match on this field directly with a simple event pattern (for example, {"detail": {"severity": [{"numeric": [">=", 7]}]}}), with no need for API-call monitoring or AWS Config rules. Option D correctly specifies an event pattern that matches high-severity GuardDuty findings at the event level, giving direct, low-latency notification delivery to SNS. Option A unnecessarily adds input-transformation overhead. Option B conflates GuardDuty findings with AWS Config rules, which is invalid. Option C monitors API calls rather than the findings themselves, adding latency and complexity.