Exam AWS Certified Security - Specialty topic 1 question 210 discussion

B - GuardDuty finding: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled This finding informs you that a CloudTrail trail within your AWS environment was disabled. This can be an attacker's attempt to disable logging to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes. This finding can be triggered by a successful deletion or update of a trail. This finding can also be triggered by a successful deletion of an S3 bucket that stores the logs from a trail that is associated with GuardDuty.

GuardDuty ingest CloudTrail events. Deleting or updating a trail, or even S3 bucket that contains the trail logs would raise a finding in GuardDuty. Set CloudWatch Events (EventBridge) on this finding and use SNS for alerting.

When it comes to AWS CloudTrail, GuardDuty can detect certain activities related to CloudTrail, including: Disabled CloudTrail: GuardDuty can raise an alert when it detects the disabling or deletion of AWS CloudTrail, as this action is considered a security risk. Unauthorized Access to CloudTrail Logs: GuardDuty can detect when an unauthorized entity attempts to access or modify CloudTrail logs. Suspicious API Calls: GuardDuty can identify abnormal API calls related to CloudTrail, such as unusual changes to the configuration or settings. By monitoring AWS CloudTrail logs and events, GuardDuty can help identify potential security threats and alert the appropriate stakeholders.

The security engineer should recommend option A: Use AWS Resource Access Manager (AWS RAM) to monitor the AWS CloudTrail configuration. Send notifications using Amazon SNS. AWS Resource Access Manager (AWS RAM) allows you to share resources across AWS accounts. In this case, the security engineer can use AWS RAM to share the AWS CloudTrail configuration resource with a central security account. By doing so, the security team can monitor the CloudTrail configuration from the central security account and detect any changes.

A AWS RAM is a service that enables you to easily and securely share AWS resources across AWS accounts and within your organization. With AWS RAM, you can share AWS CloudTrail configuration details to other AWS accounts. By monitoring the AWS CloudTrail configuration, changes can be detected and notifications can be sent via Amazon SNS

why not A? the link they provide looks lie it answers the questions

agreed B

B only valid option

Cloud Watch event can be used to trigger an SNS notification. Guardduty can help detecting the issue

B is my answer.!

B for me as well

B. GD detects CT disabled.

any other comments friends ?

B. GuardDuty will detect suspicious behavior, such as disabling CloudTrail. Use SNS to report on this behavior.