Q87 — AWS DOP-C02 Ch.2

A company operates multiple accounts within an AWS Organizations organization. If any account in the organization disables the 'Block Public Access' setting on an Amazon S3 bucket, the company's SecOps team must receive an Amazon Simple Notification Service (Amazon SNS) notification. A DevOps engineer must implement this requirement without impacting any AWS account operations. The implementation must prevent individual member accounts in the organization from disabling notifications.

Correct Answer: A. Designate one account as the delegated Amazon GuardDuty administrator account. Enable GuardDuty across all accounts in the organization. In the GuardDuty administrator account, create an SNS topic and subscribe the SecOps team's email address. Also in that account, create an Amazon EventBridge rule with an event pattern for GuardDuty findings and the SNS topic as the target.

Explanation

Option A provides centralized management, which Option B does not. It relies on Amazon GuardDuty, which detects threats in AWS environments and integrates natively with Amazon SNS. In contrast, Option B requires custom CloudTrail-based EventBridge rules deployed through CloudFormation, which increases complexity and the operational overhead of monitoring and maintenance.