Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 8 discussion

Let Guardduty detections be sent to Security Hub as findings is a simple and elegant way. https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html Use eventbridge to respond by invoke Lambda. Amazon Kinesis data stream not needed. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html Suggest to only block specific port 389 against thse suspicious EC2 instance instead of isolate it in a security group, to minimize the impact while it has not been verified as a confirmed attack.

C, because as security groups (in the option D) is stateful, changing it will not affect if the RDP was already successful.

Why is D the best option? AWS Security Hub can aggregate security findings from GuardDuty and other AWS services. EventBridge (or a similar event-driven system) can be used to trigger specific actions in response to GuardDuty findings. Lambda can process the event and implement automatic remediation actions. In this solution, the Lambda function would modify the security group of the suspicious EC2 instance, effectively blocking all incoming and outgoing traffic by applying a security group that does not allow connections. This is an effective way to isolate the instance until further investigation.

Option C is the best answer. The Network Firewall has IPS/IDS and works at layers 3 and 4 providing the best protection against the RDP (3389) attack in this situation for the EC2. The WAF is optimal for protection against threats targeting HTTP/HTTPS ( 80, 443) web traffic. D is incorrect Security Groups do not block outbound traffic.

No A: Kenesis is for a stream of data. Guardduty will report (raise alarm) but no need of apache flink Not B: WAF is for a web application (80, 443), the attack will be initiated from a EC2 (internal company machine) it doesn't specify the target location local or extern, but it will be RDP Not D- SG will not block outbound traffic (stateful). SG will not be enough, the ec2 initiates the attack C is the simplest and more correct as FW will block any traffic from/to ec2

Option B. We have to consider that Security team has to be noticed. There is nothing about that on the other answers.

While Option C is technically feasible and provides robust network-level protection using AWS Network Firewall, it is more complex and might be an overkill for the specific task of quickly isolating individual EC2 instances. Option D offers a more direct and simpler approach by replacing the security group of the suspicious instance, which is generally easier to manage and quicker to implement in the context of isolating instances based on GuardDuty findings. Therefore, while Option C can meet the requirements, Option D is more appropriate and efficient for the specific task of blocking communication from suspicious instances quickly and effectively.

1. No point to use Kinesis Data Stream/analytics/Apache flink to stream and process event. 2. Neither WAF nor NACL is an effective solution to the mentioned case 3. GuardDuty findings can be sent directly to Amazon EventBridge to trigger action, but deploying SecurityHub is not entirely wrong. 4. AWS Network Firewall is better suited to block suspicious instances. Option C is the correct answer.

I would go with C, as option D will block any connection to the Ec2 machine, which is not what you want, and security groups are easier and at the endpoint level.

Here is some basics: WAF protects the port 443 / 80. RDP is different port and nothing to do with Layer 7 nor WAF

D is the answer. we need identify the best method - tech and cost. implied. WAF is layer 7 prevention . FW is layer 3 - 7. WEB ACL can prevent layer 7. RDP is mostly Layer 7. password guessing etc https://repost.aws/knowledge-center/waf-prevent-brute-force-attacks

Hello, correct my understanding agree with answer C.

When GuardDuty is there, do not understand what is requirement to integrate Security Hub.

Answer B correct. Requested first scenario of RDP brute force attack. Neither NACL, Network Firewall, and Security Group support to block, only WAF help to block traffic based on pattern.

C is the answer

To isolate there is nothing more powerful that an ACL at subnet level, which immediately denies traffic in any direction. Wishing to automate, there is no choice to use ACL, as you do not know the exact IP of the source is attacking, thus, you do apply security group restiction. The need of Kinesys Data Streams is to process real-time events while happening. A firewall you do not usually automate at his has complex features needs to be set via IaC or console.

C SecurityGroup is a simpler way of isolating a suspicious instance, unlike Network Firewall that is a paid service. EventBridge is needed to relay events to Kinesis Data Stream. At that point, what is the need to Kinesis Data Stream? Lambda function could be invoked directly from EventBridge. For that, I'd go with C.