Exam AWS Certified Security - Specialty topic 1 question 483 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 483
Topic #: 1

A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company’s member accounts in AWS Organizations within the ap-east-1 Region. The company’s organization includes a management account, a security account, and many member accounts. When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account.

Which solution uses AWS security best practices and meets these requirements with the LEAST effort?

  • A. Activate Amazon GuardDuty in ap-east-1. Designate the security account as the GuardDuty delegated administrator by using the console.
  • B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
  • C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console.
  • D. Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations. Designate the security account as the organization administrator.
Suggested Answer: A

Comments

Noexperience
1 year, 9 months ago
Selected Answer: C
C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console. AWS Security Hub is designed to provide a comprehensive view of your security posture across all your AWS accounts. It is integrated with other AWS services and supports automated security checks.
upvoted 3 times
Green53
1 year, 11 months ago
Selected Answer: A
Answer is either A or B (continuous threat detection). AWS docs (https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html) state: Not recommended to set your organization's management account as the delegated administrator. Your organization's management account can be the delegated administrator, but this is not recommended based on AWS Security best practices following the principle of least privilege. Which leaves A. The security account should be responsible for managing GuardDuty.
upvoted 2 times
6_8ftwin
1 year, 11 months ago
Selected Answer: A
While trusted access to AWS Organizations is required, "If you configure a delegated administrator using the GuardDuty console, then GuardDuty automatically enables trusted access for you." https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-guardduty.html#integrate-enable-ta-guardduty The above definitely falls in the realm of "least effort". Also, as others pointed out, making the management account the delegated administrator is bad practice.
upvoted 4 times
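As an added example (not part of the thread and not AWS's own code), the following boto3-style check verifies the setup the comments above describe: trusted access for GuardDuty is enabled, a delegated administrator exists that is not the management account, and new member accounts are auto-enabled. The account IDs and detector ID in `demo()` are constructed; pass real `boto3` clients for the target Region in place of the stubs.

```python
"""Audit a GuardDuty organization setup against the points raised in this thread."""
from types import SimpleNamespace

def enabled_principals(org):
    """All service principals with trusted access, following NextToken pagination."""
    found, kwargs = set(), {}
    while True:
        page = org.list_aws_service_access_for_organization(**kwargs)
        found |= {s["ServicePrincipal"] for s in page["EnabledServicePrincipals"]}
        if not page.get("NextToken"):
            return found
        kwargs = {"NextToken": page["NextToken"]}

def audit_guardduty_org(org, gd_mgmt, gd_admin):
    """Return findings; an empty list means the setup matches answer A.

    org      -- boto3 "organizations" client (management account)
    gd_mgmt  -- boto3 "guardduty" client (management account, target Region)
    gd_admin -- boto3 "guardduty" client (delegated administrator, same Region)
    """
    findings = []
    mgmt_id = org.describe_organization()["Organization"]["MasterAccountId"]
    if "guardduty.amazonaws.com" not in enabled_principals(org):
        findings.append("trusted access for GuardDuty is not enabled")
    admins = gd_mgmt.list_organization_admin_accounts()["AdminAccounts"]
    active = [a["AdminAccountId"] for a in admins if a["AdminStatus"] == "ENABLED"]
    if not active:
        return findings + ["no GuardDuty delegated administrator in this Region"]
    if mgmt_id in active:
        findings.append("management account is the GuardDuty delegated administrator")
    detectors = gd_admin.list_detectors()["DetectorIds"]
    if not detectors:
        return findings + ["delegated administrator has no detector in this Region"]
    cfg = gd_admin.describe_organization_configuration(DetectorId=detectors[0])
    if cfg.get("AutoEnableOrganizationMembers") not in ("NEW", "ALL") and not cfg.get("AutoEnable"):
        findings.append("new member accounts are not auto-enabled")
    return findings

def demo():
    """Run the audit on constructed responses: management account as administrator."""
    org = SimpleNamespace(
        describe_organization=lambda: {"Organization": {"MasterAccountId": "111111111111"}},
        list_aws_service_access_for_organization=lambda **kw: {
            "EnabledServicePrincipals": [{"ServicePrincipal": "guardduty.amazonaws.com"}]})
    gd = SimpleNamespace(
        list_organization_admin_accounts=lambda: {"AdminAccounts": [
            {"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]},
        list_detectors=lambda: {"DetectorIds": ["constructed-detector-id"]},
        describe_organization_configuration=lambda DetectorId: {
            "AutoEnableOrganizationMembers": "NEW"})
    return audit_guardduty_org(org, gd, gd)
```
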
Toptip
1 year, 11 months ago
Selected Answer: A
Only A makes sense. It is not recommended to make your organization’s management account the delegated administrator! This is not recommended by AWS Security best practices based on the principle of least privilege.
upvoted 2 times
michele_scar
1 year, 11 months ago
Selected Answer: B
Trusted access required - but from security best practice it's not recommended to use the management account as delegated... so I was voting A
upvoted 1 times
cloudenthusiast
2 years ago
Selected Answer: B
By choosing option B, the company can deploy a continuous security threat-detection service at scale, automatically analyze all member accounts within the ap-east-1 Region, and review findings from the security account with minimal effort and adherence to AWS security best practices.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other