Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 161 discussion

A company hired a penetration tester to simulate an internal security breach. The tester performed port scans on the company's Amazon EC2 instances. The company's security measures did not detect the port scans.

The company needs a solution that automatically provides notification when port scans are performed on EC2 instances. The company creates and subscribes to an Amazon Simple Notification Service (Amazon SNS) topic.

What should the company do next to meet the requirement?

  • A. Ensure that Amazon GuardDuty is enabled. Create an Amazon CloudWatch alarm for detected EC2 and port scan findings. Connect the alarm to the SNS topic.
  • B. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event for detected network reachability findings that indicate port scans. Connect the event to the SNS topic.
  • C. Ensure that Amazon Inspector is enabled. Create an Amazon EventBridge event for detected CVEs that cause open port vulnerabilities. Connect the event to the SNS topic.
  • D. Ensure that AWS CloudTrail is enabled. Create an AWS Lambda function to analyze the CloudTrail logs for unusual amounts of traffic from an IP address range. Connect the Lambda function to the SNS topic.
Suggested Answer: A
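What answer A looks like when actually wired up (added example, not from the exam page or from AWS): GuardDuty publishes every finding to EventBridge, so the practical "alarm" is an EventBridge rule whose pattern selects only the reconnaissance findings against EC2 (the real GuardDuty types Recon:EC2/Portscan and Recon:EC2/PortProbe*) and has the SNS topic as its target. The topic ARN, region, rule name and the three sample findings are constructed placeholders; the small pattern matcher re-implements just the EventBridge semantics the pattern uses (ANDed nested keys, list-of-alternatives leaves, prefix matching) so the rule can be checked offline against sample events before it is deployed.

```python
"""Route GuardDuty EC2 port-scan findings to an SNS topic via EventBridge.

Added example; not code from the exam page or AWS. Finding types and the
event shape are real GuardDuty/EventBridge values; topic ARN, region,
rule name and sample events are constructed for illustration.
"""
import json

# Assumed values: replace the ARN with the subscribed topic from the question.
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:portscan-alerts"
RULE_NAME = "guardduty-ec2-portscan-to-sns"


def portscan_event_pattern() -> dict:
    """EventBridge pattern matching only GuardDuty recon findings against EC2
    (port scans and port probes), not every GuardDuty finding."""
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": [{"prefix": "Recon:EC2/Port"}]},
    }


def _leaf_matches(alternative, value) -> bool:
    """One pattern alternative: a literal value or a {"prefix": ...} matcher."""
    if isinstance(alternative, dict) and "prefix" in alternative:
        return isinstance(value, str) and value.startswith(alternative["prefix"])
    return alternative == value


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Minimal EventBridge pattern semantics for the constructs used above:
    every key in the pattern must be present in the event, nested objects are
    ANDed, and a leaf list matches if any alternative matches."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(expected, actual):
                return False
        elif not any(_leaf_matches(alt, actual) for alt in expected):
            return False
    return True


def guardduty_event(finding_type: str, severity: float, instance_id: str) -> dict:
    """Constructed GuardDuty finding in the shape EventBridge delivers it,
    trimmed to the fields the rule and a notification would use."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {
            "type": finding_type,
            "severity": severity,
            "resource": {"instanceDetails": {"instanceId": instance_id}},
        },
    }


def findings_to_notify(events: list) -> list:
    """Finding types the rule would forward to the SNS topic."""
    pattern = portscan_event_pattern()
    return [e["detail"]["type"] for e in events if pattern_matches(pattern, e)]


# Constructed samples: a port scan, a port probe, and an unrelated EC2 finding.
SAMPLE_EVENTS = [
    guardduty_event("Recon:EC2/Portscan", 5.0, "i-0abc123"),
    guardduty_event("Recon:EC2/PortProbeUnprotectedPort", 2.0, "i-0abc123"),
    guardduty_event("UnauthorizedAccess:EC2/SSHBruteForce", 5.0, "i-0abc123"),
]


def create_rule_and_target(events_client) -> None:
    """Create the EventBridge rule and attach the SNS topic as its target.
    Takes a boto3 'events' client so it can be exercised with a stub."""
    events_client.put_rule(
        Name=RULE_NAME,
        EventPattern=json.dumps(portscan_event_pattern()),
        State="ENABLED",
    )
    events_client.put_targets(
        Rule=RULE_NAME, Targets=[{"Id": "sns", "Arn": SNS_TOPIC_ARN}]
    )


if __name__ == "__main__":
    print(findings_to_notify(SAMPLE_EVENTS))
    import boto3  # only needed for the live deployment below

    # Check that GuardDuty is actually enabled in this region first: with no
    # detector there are no findings, so the rule would never fire.
    if not boto3.client("guardduty").list_detectors()["DetectorIds"]:
        raise SystemExit("GuardDuty is not enabled in this region")
    create_rule_and_target(boto3.client("events"))
```

Two things to verify after deploying: the SNS topic's access policy must allow the events.amazonaws.com principal to publish to it, or the rule will match and silently fail delivery; and if the organisation uses a GuardDuty delegated administrator, findings are also published in the member account's region, so the rule belongs in the account and region where the EC2 instances live.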

Comments

YucelFuat
8 months, 1 week ago
Selected Answer: A
- GuardDuty is focused on real-time threat detection and alerting, while Inspector is focused on vulnerability scanning and remediation.
- GuardDuty operates continuously in the background, whereas Inspector is typically run on-demand or scheduled for specific workloads.
upvoted 2 times
flaacko
8 months, 3 weeks ago
The Answer is A. C is wrong because while you can use Inspector to detect open ports and software vulnerabilities, you can't use it to detect port scanning.
upvoted 1 times
Gomer
10 months, 2 weeks ago
Selected Answer: A
Per ChatGPT: "AWS offers several services and features that can help detect port scans:" "GuardDuty" (using VPC Flow Logs), "WAF", and "Network Firewall". It was also able to provide references: https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/
upvoted 2 times
that1guy
1 year ago
Bad question. Although you can do it via GuardDuty, the answer doesn't mention the required VPC flow logs. There is no mention online of how to create a CloudWatch alarm for GuardDuty, only CloudWatch Events.
upvoted 1 times
dkp
1 year, 1 month ago
Selected Answer: A
Answer A is correct.
upvoted 2 times
thanhnv142
1 year, 3 months ago
Selected Answer: A
A is correct: to detect port scans in real time, we need GuardDuty, not Inspector. B, C and D: no mention of GuardDuty.
upvoted 4 times
a54b16f
1 year, 4 months ago
Selected Answer: A
Only GuardDuty would detect port scanning activities.
upvoted 4 times
davdan99
1 year, 4 months ago
Selected Answer: A
https://medium.com/aws-architech/use-case-aws-inspector-vs-guardduty-3662bf80767a
upvoted 2 times
kabary
1 year, 4 months ago
Selected Answer: A
GuardDuty should be the answer, as it best detects whether a port scan has happened on EC2 instances; we don't care about whether the port is open or not, we care if it was scanned.
upvoted 2 times
d262e67
1 year, 4 months ago
Selected Answer: A
Inspector is designed to find vulnerabilities across EC2 servers and detect open ports. It doesn't detect port scans against EC2 servers. The reachability analyzer mentioned below is the port scanner itself; it doesn't detect other port scanners. https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/ GuardDuty, on the other hand, draws upon traffic logs to find suspicious activities such as port scans, in the form of a finding.
upvoted 4 times
csG13
1 year, 4 months ago
Selected Answer: B
It's B. Here is a reference for the network reachability package: https://aws.amazon.com/blogs/security/amazon-inspector-assess-network-exposure-ec2-instances-aws-network-reachability-assessments/
upvoted 1 times
kabary
1 year, 4 months ago
AWS Inspector doesn't detect whether a pen tester performed a port scan against an EC2 instance. It only detects open port vulnerabilities. You need a system that detects a threat, which is by definition GuardDuty.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other
