Q88 — AWS DOP-C02 Ch.2
A company manages a multi-tenant environment in a VPC and has configured Amazon GuardDuty for corresponding AWS accounts. The company forwards GuardDuty investigation results to AWS Security Hub. Volume-based anomalies have been detected from suspicious sources. A DevOps engineer needs to implement a solution that automatically blocks traffic across the entire VPC when GuardDuty identifies new suspicious sources.
- A. Create a GuardDuty threat list. Configure GuardDuty to reference that list. Create an AWS Lambda function that updates the threat list. Configure the Lambda function to run in response to new Security Hub findings from GuardDuty.
- B. Configure an AWS WAF web ACL with a custom rule group. Create an AWS Lambda function that adds a block rule to the custom rule group. Configure the Lambda function to run in response to new Security Hub findings from GuardDuty.
- C. Configure an AWS Network Firewall. Create an AWS Lambda function that adds a drop-action rule to the firewall policy. Configure the Lambda function to run in response to new Security Hub findings from GuardDuty. ✓
- D. Create an AWS Lambda function that creates a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings from GuardDuty.
Correct Answer: C. Configure an AWS Network Firewall. Create an AWS Lambda function that adds a drop-action rule to the firewall policy. Configure the Lambda function to run in response to new Security Hub findings from GuardDuty.
Explanation
AWS Network Firewall provides centralized management of VPC traffic rules and lets you define VPC-wide block actions in a firewall policy. The scenario requires traffic from newly identified suspicious sources to be blocked automatically across the whole VPC, and Network Firewall's rule-update mechanism satisfies this directly. In Option C, the Lambda function is triggered by the GuardDuty findings that arrive in Security Hub and dynamically adds a drop-action rule to the firewall policy, so traffic from the suspicious source is inspected and dropped across the VPC. The other options fall short: AWS WAF (Option B) inspects only web (HTTP/HTTPS) traffic reaching WAF-protected resources, not all VPC traffic; a GuardDuty threat list (Option A) only causes GuardDuty to generate findings for the listed sources and does not block anything; and a suppression rule (Option D) suppresses alerts without affecting traffic at all. None of them blocks traffic VPC-wide.