Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 90 discussion

BD are the correct options here. The keywords here are "developing an incident response plan to detect suspicious activity". There is no better way to develop incident response plan without providing a way for the relevant stakeholders to take actions or respond to suspicious activities. B is an obvious option because GuardDuty can monitor and analyze API calls across all AWS Regions, and network activities found in Amazon CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs. Therefore, option A is not needed since GuardDuty monitoring activities include the VPC Flow Logs. There is no better way to respond to the findings generated by GuardDuty than the services described in option D.

A and B are correct for sure. The question does not mention anything about "notifications" or "communications", so D is incorrect. A is correct because the question mentions visibility and detection. You get visibility into network traffic with VPC flow logs. B is correct because because we need to "detection" threats. GaurdDuty is a threat detection capability.

VPC Flow logs are not enabled by default. therefore you need to enable them before guardDuty

B. Activate Amazon GuardDuty across all AWS Regions D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an Amazon EventBridge rule that responds to findings and publishes the findings to the SNS topic. Here's why: Amazon GuardDuty (Option B): Provides continuous security monitoring with minimal operational overhead Uses machine learning to detect threats and suspicious activities Can be enabled across all regions from a single management account Has a pay-as-you-go pricing model with no upfront costs Automatically analyzes various AWS logs (VPC Flow Logs, CloudTrail, DNS logs) without having to explicitly enable them EventBridge rule with SNS (Option D): Provides a serverless way to route GuardDuty findings SNS is very cost-effective for notification delivery Allows flexible integration with multiple notification endpoints Can easily scale across regions

VPC Flow Logs need to be enabled first in order for them to be analyzed by GuardDuty.

Using SNS + Evenbridge does not seem the most analytical and proper way to do it. It does not contribute to detect threats by itself. I think Guarduty + VPC flows is much more cost effective and straitghtforward solution. And with VPC flows you must only pay for data storage.

You don't need to enable VPC flow logs for Amazon GuardDuty because GuardDuty already pulls data from VPC Flow Logs. GuardDuty is a threat detection service that monitors for malicious activity in AWS accounts and workloads. It integrates with other AWS security services, including: Amazon CloudTrail, Amazon VPC flow Logs, and AWS WAF.

The most cost-effective combination of steps to meet these requirements. A. Turn on VPC Flow Logs for all VPCs in the account. B. Activate Amazon GuardDuty across all AWS Regions. VPC Flow Logs provides detailed visibility into network traffic with your VPs. This is a cost effective way to monitor and log network activity, which is important for detecting suspicious behaviour. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behaviour. Activating across all AWS regions ensures comprehensive coverage and visibility into potential security threats.

B and D seems like the most straightforward and cost effective solution

GuardDuty analyzes VPC flow logs regardless of if you have turned them on or not

VPC Flow logs are very expensive.... Guardduty is the right tool to do that with eventbridge

A. Turn on VPC Flow Logs for all VPCs in the account: While VPC Flow Logs offer detailed information about network traffic, analyzing and storing logs for all VPCs across Regions can incur significant storage and processing costs. C. Activate Amazon Detective across all AWS Regions: Detective focuses on root cause analysis and investigation, which might be overkill for initial detection and notification. Additionally, its per-hour billing model can quickly become expensive for continuous monitoring across multiple Regions. E. Create an AWS Lambda function for publishing findings to SES: While Lambda offers flexibility, creating and maintaining a custom Lambda function specifically for publishing findings can add development and operational overhead compared to the readily available options with EventBridge and SNS.

AB options best suited. Self-explantory too.

AB are correcto

correct