Q65 — AWS DOP-C02 Ch.2
A company operates a single AWS account for active development. Its security team has enabled Amazon GuardDuty, AWS Config, and AWS CloudTrail in the account. The security team wants to receive near real-time notifications only for high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic to receive notifications from other security tools in the account.
- A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect GuardDuty findings. Use an input transformer to filter for high-severity event patterns. Configure the rule to publish messages to the SNS topic.
- B. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect high-severity GuardDuty findings that violate the 'guardduty-non-archived-findings' AWS Config managed rule. Configure the EventBridge (CloudWatch Events) rule to publish messages to the SNS topic.
- C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching high-severity GuardDuty ListFindings API calls. Configure the rule to publish messages to the SNS topic.
- D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching GuardDuty findings in the event where the severity level is high. Configure the rule to publish messages to the SNS topic. ✓
Correct Answer: D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern matching GuardDuty findings in the event where the severity level is high. Configure the rule to publish messages to the SNS topic.
Explanation
GuardDuty emits findings as CloudTrail events, and those events include a 'severity' field. Amazon EventBridge can match on this field directly with a simple event pattern (e.g., "detail": {"severity": [{"numeric": [">=", 7]}]}) without requiring API call monitoring or AWS Config rules. Option D correctly specifies an event pattern that matches high-severity GuardDuty findings at the event level, giving direct, low-latency delivery to the SNS topic. Option A relies on an input transformer, which reshapes the message sent to the target rather than selecting which events match, so it adds unnecessary overhead. Option B conflates GuardDuty findings with AWS Config rules, which is invalid. Option C monitors API calls rather than the findings themselves, introducing latency and complexity.
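As an added example (not part of the exam page and not AWS's own code), here is the event pattern option D describes, together with a small Python matcher that implements the subset of EventBridge pattern semantics the rule relies on (exact-value alternatives and the numeric filter), so the pattern can be exercised against findings offline. The source and detail-type values are the ones real GuardDuty finding events carry; the sample finding events, their finding type, and the helper names are constructed for this example.

```python
import operator
# EventBridge event pattern for option D (constructed). ">=" 7 covers GuardDuty's
# High band (7.0-8.9) and, being open-ended, Critical findings (9.0+) as well.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

def _numeric_match(value, spec):
    """Evaluate an EventBridge 'numeric' filter such as [">=", 7, "<", 9]."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False  # numeric filters never match strings such as "8"
    return all(_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2]))

def _leaf_matches(value, alternatives):
    """A list in a pattern is a set of OR-alternatives for that field."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_match(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False

def matches(pattern, event):
    """Subset of EventBridge semantics: every pattern key must exist in the
    event (a missing field is a non-match); nested dicts recurse."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        if isinstance(spec, dict):
            if not isinstance(event[key], dict) or not matches(spec, event[key]):
                return False
        elif not _leaf_matches(event[key], spec):
            return False
    return True

def finding_event(severity, finding_type="Recon:EC2/PortProbeUnprotectedPort"):
    """Constructed minimal GuardDuty finding event; real ones carry many more fields."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"severity": severity, "type": finding_type}}

def select_for_sns(events):
    """Return the findings the rule would forward to the SNS topic."""
    return [e for e in events if matches(HIGH_SEVERITY_PATTERN, e)]

if __name__ == "__main__":
    print(select_for_sns([finding_event(s) for s in (2.0, 6.9, 7.0, 8.5, 9.5)]))
```

Only the 7.0, 8.5 and 9.5 findings are forwarded; a filter of [">=", 7, "<", 9] would confine the rule to the High band and silently drop Critical findings, which is worth checking before narrowing the pattern.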