Q19 — AWS SCS-C02 Ch.1
>A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour. The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior. Which solution will meet these requirements?
- A. Disable the FTP rule in GuardDuty in the Region where the FTP server is deployed.
- B. Add the FTP server to a trusted IP list. Deploy the list to GuardDuty to stop receiving the notifications.
- C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria. ✓
- D. Create an AWS Lambda function that has the appropriate permissions to delete the finding whenever a new occurrence is reported.
Correct Answer: C. Create a suppression rule in GuardDuty to filter findings by automatically archiving new findings that match the specified criteria.
Explanation
Amazon GuardDuty suppression rules let you define filter criteria (for example a finding type, an instance ID, an IP address or a resource tag) and automatically archive every new finding that matches them, so a known false positive does not have to be triaged again each time it recurs. In this scenario the FTP server's legitimate client traffic is being classified as a brute force attack; a suppression rule scoped to that finding type on that specific instance silences exactly those alerts. Suppressed findings are still recorded in GuardDuty and remain viewable (with the archived filter) for the normal retention period, so visibility is preserved; they are simply not forwarded to Amazon EventBridge, AWS Security Hub or the S3 export, which is what removes the noise. Detection of every other finding type on that instance, and of the same finding type on every other instance, is unaffected, so option C meets the requirement. Option A is not possible as described: GuardDuty does not let you disable individual finding types, and the only way to stop a category of detections is to disable the detector or a protection plan, which would reduce coverage. Option B misuses trusted IP lists: they apply to external IP addresses that GuardDuty should treat as trusted, and the clients here come from many changing locations, so the list would either be incomplete or would blind GuardDuty to genuinely malicious sources. Option D adds custom code for something GuardDuty already does natively, and deleting findings (GuardDuty's API only archives them, it has no delete operation) would also destroy the audit trail a security team needs. The GuardDuty documentation recommends suppression rules as the supported way to manage false positives.
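The following is an added example, not part of the original question or its explanation, showing what a suppression rule for this scenario looks like as `FindingCriteria` and how narrowly it matches. Both the instance ID and the finding type are placeholders (the question names neither); in practice copy the exact `type` string from the noisy finding. The local `would_suppress()` evaluator mirrors the `Eq`/`Neq` matching GuardDuty applies to filter criteria so the rule can be checked against constructed findings before it is created, and `create_suppression_rule()` creates the real filter with boto3 when called.

```python
"""GuardDuty suppression rule: build the criteria, check its scope, create the filter."""
from typing import Any, Dict

# Placeholder values: the exam question names neither the instance nor the finding type.
FTP_INSTANCE_ID = "i-0123456789abcdef0"
FINDING_TYPE = "UnauthorizedAccess:EC2/SSHBruteForce"  # stand-in; use the real finding's type


def build_suppression_criteria(instance_id: str, finding_type: str) -> Dict[str, Any]:
    """FindingCriteria in the shape the GuardDuty CreateFilter API expects.

    Scoping on BOTH the finding type and the instance is what keeps visibility:
    other finding types on this instance, and this finding type on any other
    instance, still raise normal (unarchived) findings.
    """
    return {
        "Criterion": {
            "type": {"Eq": [finding_type]},
            "resource.instanceDetails.instanceId": {"Eq": [instance_id]},
        }
    }


def _lookup(finding: Dict[str, Any], dotted_path: str) -> Any:
    """Resolve a dotted GuardDuty attribute path against a finding dict."""
    node: Any = finding
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def would_suppress(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """Local re-implementation of Eq/Neq filter matching (every criterion must hold)."""
    for attribute, condition in criteria["Criterion"].items():
        value = _lookup(finding, attribute)
        if "Eq" in condition and value not in condition["Eq"]:
            return False
        if "Neq" in condition and value in condition["Neq"]:
            return False
    return True


def create_suppression_rule(detector_id: str, name: str, criteria: Dict[str, Any],
                            region: str = "us-east-1") -> str:
    """Create the filter with Action=ARCHIVE, which is what a suppression rule is."""
    import boto3  # imported lazily so the offline checks above need no AWS credentials
    client = boto3.client("guardduty", region_name=region)
    response = client.create_filter(
        DetectorId=detector_id,
        Name=name,
        Description="Known false positive: legitimate FTP client load on the FTP server",
        Action="ARCHIVE",
        FindingCriteria=criteria,
    )
    return response["Name"]


CRITERIA = build_suppression_criteria(FTP_INSTANCE_ID, FINDING_TYPE)

# Constructed sample findings (not real GuardDuty output) covering the three cases.
FTP_BRUTE_FORCE = {
    "type": FINDING_TYPE,
    "severity": 2,
    "resource": {"instanceDetails": {"instanceId": FTP_INSTANCE_ID}},
}
OTHER_INSTANCE_SAME_TYPE = {
    "type": FINDING_TYPE,
    "severity": 2,
    "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
}
FTP_OTHER_TYPE = {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8,
    "resource": {"instanceDetails": {"instanceId": FTP_INSTANCE_ID}},
}


def check_scope() -> Dict[str, bool]:
    """Which of the sample findings the rule would archive; only the first should be."""
    return {
        "ftp_brute_force": would_suppress(CRITERIA, FTP_BRUTE_FORCE),
        "other_instance_same_type": would_suppress(CRITERIA, OTHER_INSTANCE_SAME_TYPE),
        "ftp_other_type": would_suppress(CRITERIA, FTP_OTHER_TYPE),
    }


if __name__ == "__main__":
    for case, archived in check_scope().items():
        print(f"{case}: {'ARCHIVED' if archived else 'stays visible'}")
```

The same rule can be created from the AWS CLI by writing the `FindingCriteria` dict to a file and running `aws guardduty create-filter --detector-id <detector-id> --name ftp-known-load --action ARCHIVE --finding-criteria file://criteria.json`; either way, check the archived findings view afterwards to confirm the expected findings are landing there and nothing else is.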