Exam AWS Certified Security - Specialty topic 1 question 134 discussion

For those who pointed out B as the answer: Do not think in terms of "can Guard Duty do it this way?" Instead, think: "should this be done?" Because if you ask the 1st q, answer is "yes, GD supports IP whitelisting" and you will be tempted to think B is the answer. If you ask the 2nd q, you will see that doing this will make it impossible to actually identify a real attack on this FTP server. The question warns you against this by saying "changes should not impact visibility of malicious attacks". This question is very typical type where the question designer first thinks of a feature (in this case auto-archiving from filters) and then tries to come up with a question to test that. It reeks of that (well intended but intrinsically flawed) approach

C. "When you create an Amazon GuardDuty filter, you choose specific filter criteria, name the filter and can enable the auto-archiving of findings that the filter matches. This allows you to further tune GuardDuty to your unique environment, without degrading the ability to identify threats. With auto-archive set, all findings are still generated by GuardDuty, so you have a complete and immutable history of all suspicious activity."

C Use suppression rule (auto archive) will prevent the finding to show up among the active findings, or populated to SH.

If you are receiving findings for expected behavior in your environment, you can automatically archive findings based on criteria you define with suppression rules. Suppression rules are rules which automatically send matched findings to archive. Answer C

To address the issue of the false positive findings being raised by Amazon GuardDuty, the Security Engineer can use GuardDuty filters with auto archiving enabled to close the findings. This will stop GuardDuty from raising the issue and improve the signal-to-noise ratio. To implement this solution, the Engineer will need to create a filter in GuardDuty that targets the FTP server and any related findings. The filter should be configured to automatically archive the findings when they are reported, so that they are no longer raised as an issue. This will prevent the false positive findings from being raised and improve the overall visibility of potential anomalous behavior.

I Believe C is the answer, many people here mentioned good reasons for it. you don't want to NOT get the alert at all, you just want to be able to view it later since you know its on by "default", you can put it in an archive and maybe create a rule to specify that if the connections per hour is lets say 150% of the last 48 hours, raise an alert

"The Engineer must verify that modifications do not impair the visibility of potentially unusual activity" --> This line changes the entire approach. Solution mentioned in B will hide any potential positive attack, That is why Answer should be C

C https://aws.amazon.com/about-aws/whats-new/2018/05/amazon-guardduty-adds-capability-to-automatically-archive-findings1/

I completely agree with ghostbusters comments. You don't want to eliminate the alerts only suppress them. This automatically sends the matched items to archive yet still generates the findings. Just doesn't generate a cloudwatch event... So C hands down is the answer.

B is the correct Answer:-Trusted IP lists consist of IP addresses that you have trusted for secure communication with your AWS infrastructure and applications. GuardDuty does not generate VPC Flow Log or CloudTrail findings for IP addresses on trusted IP lists. At any given time, you can have only one uploaded trusted IP list per AWS account per Region. Threat lists consist of known malicious IP addresses. GuardDuty generates findings based on threat lists. At any given time, you can have up to six uploaded threat lists per AWS account per Region.

C - Archiving findings could improve the signal-to-noise ratio, but still monitor anomalous behavior.

It can't be "B". Trusted IP list is a list of source IPs. We cannot add the FTP server's IP to that list, doesn't make sense. "C" is the answer.

answer is C.

Answer: C Can't be B If you add the server to a whitelist, then it invalidates this statement: "The Engineer needs to ensure that changes do not compromise the visibility of potential anomalous behavior" Need to make sure the FTP server is still being monitored for other malicious activity

I agree with B. With auto-archive rules, GuardDuty still generates all findings. Suppression rules provide suppression of findings while maintaining a complete and immutable history of all activity. GuardDuty does not generate findings based on trusted IP lists. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-ug.pdf

Answer: C Use a filter, filter on the specific event for that FTP server, then auto-archive Absolutely not B - if added as a trusted IP, what happens when an actual attack happens? No notifications.

C https://aws.amazon.com/about-aws/whats-new/2018/05/amazon-guardduty-adds-capability-to-automatically-archive-findings1/