Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 137 discussion

A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.

Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.

Which solution will meet these requirements?

  • A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
  • B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
  • C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
  • D. Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
Suggested Answer: C
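The automation behind the suggested answer is a Lambda function invoked by an EventBridge rule on Security Hub findings: it pulls the remote IP out of each GuardDuty finding and appends a DROP rule to the Network Firewall stateful rule group that the firewall policy already references. The code below is an added illustration of that flow, not code from the exam page or from the AWS blog linked in the comments. It assumes an EventBridge trigger on "Security Hub Findings - Imported", an environment variable RULE_GROUP_ARN pointing at an existing STATEFUL 5-tuple rule group, and that the remote IP sits in the ASFF Network.SourceIpV4 field or the GuardDuty ProductFields key named in the code; the sample event and existing-rule state are constructed.

```python
"""Security Hub (GuardDuty) finding -> DROP rule in an AWS Network Firewall rule group.

Added example; assumptions are listed in the lead-in and in the comments below.
"""
import ipaddress
import os
from typing import List, Optional, Set

# Assumed ProductFields key for the remote IP of a GuardDuty network finding.
GD_REMOTE_IP_KEY = ("aws/guardduty/service/action/networkConnectionAction/"
                    "remoteIpDetails/ipAddressV4")

# Address space that must never be dropped at the VPC boundary (RFC 1918, loopback,
# link-local, CGNAT): a mis-attributed finding must not cut the VPC off from itself.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def extract_remote_ip(finding: dict) -> Optional[str]:
    """Return the remote IPv4 from an ASFF finding, or None if absent, invalid or internal."""
    candidate = ((finding.get("Network") or {}).get("SourceIpV4")
                 or (finding.get("ProductFields") or {}).get(GD_REMOTE_IP_KEY))
    if not candidate:
        return None
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def ips_from_event(event: dict) -> Set[str]:
    """Collect the distinct blockable IPs across every finding in one EventBridge event."""
    ips = set()
    for finding in event.get("detail", {}).get("findings", []):
        ip = extract_remote_ip(finding)
        if ip:
            ips.add(ip)
    return ips


def build_drop_rule(ip: str, sid: int) -> dict:
    """One stateful 5-tuple DROP rule; Direction ANY matches inbound and outbound flows."""
    return {
        "Action": "DROP",
        "Header": {"Protocol": "IP", "Source": f"{ip}/32", "SourcePort": "ANY",
                   "Direction": "ANY", "Destination": "ANY", "DestinationPort": "ANY"},
        "RuleOptions": [{"Keyword": f"sid:{sid}"}],
    }


def merge_rules(existing: List[dict], new_ips: Set[str]) -> List[dict]:
    """Append a DROP rule for each IP not already covered, keeping Suricata sids unique."""
    covered = {r["Header"]["Source"].split("/")[0] for r in existing}
    sids = [int(o["Keyword"][4:]) for r in existing
            for o in r.get("RuleOptions", []) if o["Keyword"].startswith("sid:")]
    next_sid = max(sids, default=0) + 1
    merged = list(existing)
    for ip in sorted(new_ips - covered):
        merged.append(build_drop_rule(ip, next_sid))
        next_sid += 1
    return merged


def apply_to_network_firewall(rule_group_arn: str, new_ips: Set[str]) -> int:
    """Read-modify-write the rule group; the UpdateToken rejects stale concurrent writes."""
    import boto3  # imported here so the pure helpers above run without AWS credentials
    nfw = boto3.client("network-firewall")
    current = nfw.describe_rule_group(RuleGroupArn=rule_group_arn, Type="STATEFUL")
    rule_group = current["RuleGroup"]
    existing = rule_group["RulesSource"].get("StatefulRules", [])
    merged = merge_rules(existing, new_ips)
    if len(merged) == len(existing):
        return 0  # every IP was already blocked; skip the write
    rule_group["RulesSource"]["StatefulRules"] = merged
    nfw.update_rule_group(UpdateToken=current["UpdateToken"], RuleGroupArn=rule_group_arn,
                          RuleGroup=rule_group, Type="STATEFUL")
    return len(merged) - len(existing)


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: block every new suspicious source named in the event."""
    ips = ips_from_event(event)
    added = apply_to_network_firewall(os.environ["RULE_GROUP_ARN"], ips) if ips else 0
    return {"candidates": sorted(ips), "rules_added": added}


# Constructed sample input in the shape of a "Security Hub Findings - Imported" event:
# one public IP via Network, one via ProductFields, one VPC-internal address to ignore.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"ProductName": "GuardDuty", "Network": {"SourceIpV4": "198.51.100.23"}},
        {"ProductName": "GuardDuty", "ProductFields": {GD_REMOTE_IP_KEY: "203.0.113.9"}},
        {"ProductName": "GuardDuty", "Network": {"SourceIpV4": "10.0.1.5"}},
    ]},
}
# Constructed rule-group state: 198.51.100.23 was already blocked by an earlier run.
EXISTING_RULES = [build_drop_rule("198.51.100.23", 1)]

if __name__ == "__main__":
    for rule in merge_rules(EXISTING_RULES, ips_from_event(SAMPLE_EVENT)):
        print(rule["RuleOptions"][0]["Keyword"], rule["Action"], rule["Header"]["Source"])
```

Two design points matter in practice. Each 5-tuple rule consumes capacity from the rule group's fixed allocation, so the function should be paired with an expiry job that prunes old sids, and the UpdateToken round-trip means two findings arriving at once can race; the losing write fails with an invalid-token error and should simply be retried. The NON_ROUTABLE filter is the safety valve that stops a finding about an internal address from turning the automation into a self-inflicted outage.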

Comments

traveller37
Highly Voted 1 year, 8 months ago
I think C: https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/
upvoted 14 times
traveller37
1 year, 8 months ago
Sorry, I meant B.
upvoted 1 times
denccc
1 year, 5 months ago
You mean C?
upvoted 1 times
RVivek
Highly Voted 1 year, 7 months ago
Selected Answer: C
C is correct. Only Network Firewall can block traffic at the VPC level. A only updates the list, no blocking action. B: WAF and a Web ACL can block only HTTPS traffic for an API/VPC endpoint/CloudFront distribution, not for the entire VPC.
upvoted 11 times
jamesf
Most Recent 9 months, 1 week ago
Selected Answer: C
C, AWS Network Firewall can block traffic at VPC level. https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/
upvoted 2 times
zijo
10 months ago
Selected Answer: C
B blocks traffic at the HTTP/HTTPS web traffic layer, not at the VPC layer.
upvoted 1 times
thanhnv142
1 year, 2 months ago
Selected Answer: C
C is correct: "a solution to automatically deny traffic" means Network Firewall. A: irrelevant. B: we need a network firewall, not WAF. D: irrelevant.
upvoted 3 times
yorkicurke
1 year, 5 months ago
Hmmm, is this the last question as of now (25th Nov 23)?
upvoted 1 times
Dushank
1 year, 7 months ago
Selected Answer: C
Here's the rationale for choosing this option:
  • AWS Network Firewall: AWS Network Firewall is designed to provide centralized network traffic inspection and filtering. It's a suitable choice for implementing network-level controls.
  • Lambda Function for Automation: Creating a Lambda function to trigger the creation of a Drop action rule in the firewall policy allows for automated response based on Security Hub findings. This enables you to take immediate action when suspicious sources are detected.
  • Specific Action (Drop): The Drop action rule is effective for denying traffic from suspicious sources, effectively controlling access and preventing unwanted traffic.
This approach aligns well with the requirement to automatically deny traffic when GuardDuty identifies a new suspicious source, enhancing security in the multi-tenant VPC environment.
upvoted 7 times
RVivek
1 year, 7 months ago
Selected Answer: B
A only will update the threat list; the requirement is to block the traffic. B is correct. Also it is event driven, immediate action.
upvoted 1 times
vladik820
1 year, 7 months ago
Selected Answer: A
A is right.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other