Exam AWS Certified Security - Specialty topic 1 question 105 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 105
Topic #: 1

A company has Windows Amazon EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services. The security team has enabled Amazon GuardDuty on the AWS account to alert on issues with the instances.
During a weekly audit of network traffic, the Security Engineer notices that one of the EC2 instances is attempting to communicate with a known command-and-control server but failing. This alert does not show up in GuardDuty.
Why did GuardDuty fail to alert to this behavior?

  • A. GuardDuty did not have the appropriate alerts activated.
  • B. GuardDuty does not see these DNS requests.
  • C. GuardDuty only monitors active network traffic flow for command-and-control activity.
  • D. GuardDuty does not report on command-and-control activity.
Suggested Answer: B

Comments

examacc
Highly Voted 3 years, 8 months ago
Answer is B. As per AWS (DNS logs): If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.
upvoted 50 times
John129087
3 years, 7 months ago
B definitely. DNS logs do not work for 3rd-party DNS resolvers, including Active Directory servers. Think about why they had to mention Windows and AD.
upvoted 2 times
Gustava6272
3 years, 7 months ago
It is C, not B. See the GuardDuty FAQ: "Amazon GuardDuty does not manage or retain your logs. All data consumed by GuardDuty is analyzed in near real-time and discarded". Also there is no 3rd-party DNS mentioned here. Ref: https://www.amazonaws.cn/en/guardduty/faqs/
upvoted 6 times
f4bi4n
3 years, 5 months ago
It's B, as the IP check for C&C uses VPC Flow Logs, and even a blocked entry would be included there. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb
upvoted 1 times
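The point the thread above keeps returning to is that GuardDuty's DNS log data source only covers queries answered by the Route 53 Resolver inside the VPC; instances whose DHCP options set hands them on-premises Active Directory DNS servers never touch that resolver, so the DNS-based finding cannot fire. The following audit script is an added example written for this page, not code from ExamTopics or from AWS. It walks VPCs and their DHCP options sets and reports, per VPC, whether the instances' DNS queries are visible to GuardDuty. The VPC IDs, option-set IDs, CIDRs and server addresses are constructed sample data in the shape EC2 DescribeVpcs and DescribeDhcpOptions return; a live run would replace them with the boto3 calls named in the docstring.

```python
"""
Added example (not from the exam page or from AWS): decide, per VPC, whether
GuardDuty's DNS log data source can see the instances' DNS queries.

GuardDuty only receives DNS logs for queries answered by the Route 53 Resolver,
i.e. instances configured with AmazonProvidedDNS, the VPC resolver address
(VPC CIDR base + 2) or 169.254.169.253.  Instances that get on-premises
Active Directory DNS servers from their DHCP options set bypass that resolver,
so a Backdoor:EC2/C&CActivity.B!DNS finding can never be raised for them.

The records below are constructed sample data in the shape returned by EC2
DescribeVpcs / DescribeDhcpOptions.  For a live audit, replace them with
boto3.client("ec2").describe_vpcs()["Vpcs"] and
boto3.client("ec2").describe_dhcp_options()["DhcpOptions"].
"""
import ipaddress
from typing import Dict, List

AMAZON_PROVIDED_DNS = "AmazonProvidedDNS"
LINK_LOCAL_RESOLVER = "169.254.169.253"

# Constructed sample data (hypothetical IDs and addresses).
SAMPLE_VPCS = [
    {"VpcId": "vpc-0a1b2c3d", "CidrBlock": "10.0.0.0/16", "DhcpOptionsId": "dopt-default"},
    {"VpcId": "vpc-0ad1eadb", "CidrBlock": "10.20.0.0/16", "DhcpOptionsId": "dopt-adjoin"},
    {"VpcId": "vpc-0b0b0b0b", "CidrBlock": "172.16.0.0/20", "DhcpOptionsId": "dopt-mixed"},
]
SAMPLE_OPTION_SETS = [
    {"DhcpOptionsId": "dopt-default",
     "DhcpConfigurations": [
         {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}]},
    {"DhcpOptionsId": "dopt-adjoin",   # instances joined to on-prem AD
     "DhcpConfigurations": [
         {"Key": "domain-name", "Values": [{"Value": "corp.example"}]},
         {"Key": "domain-name-servers",
          "Values": [{"Value": "192.168.10.5"}, {"Value": "192.168.10.6"}]}]},
    {"DhcpOptionsId": "dopt-mixed",    # VPC resolver first, AD DNS as fallback
     "DhcpConfigurations": [
         {"Key": "domain-name-servers",
          "Values": [{"Value": "172.16.0.2"}, {"Value": "192.168.10.5"}]}]},
]


def resolver_address(vpc_cidr: str) -> str:
    """Route 53 Resolver address inside a VPC: the network address plus two."""
    network = ipaddress.ip_network(vpc_cidr, strict=False)
    return str(network.network_address + 2)


def dns_servers(option_set: dict) -> List[str]:
    """Extract the domain-name-servers list from one DHCP options set record."""
    for cfg in option_set.get("DhcpConfigurations", []):
        if cfg.get("Key") == "domain-name-servers":
            return [v["Value"] for v in cfg.get("Values", [])]
    return []


def classify(vpc_cidr: str, servers: List[str]) -> str:
    """'visible' if every server is the Route 53 Resolver, 'blind' if none is,
    'partial' for a mixed list (the OS may fail over between them), and
    'unknown' when the options set hands out no resolver at all."""
    if not servers:
        return "unknown"
    route53 = {AMAZON_PROVIDED_DNS, LINK_LOCAL_RESOLVER, resolver_address(vpc_cidr)}
    hits = sum(1 for s in servers if s in route53)
    if hits == len(servers):
        return "visible"
    if hits == 0:
        return "blind"
    return "partial"


def audit(vpcs: List[dict], option_sets: List[dict]) -> Dict[str, dict]:
    """Map each VPC ID to its resolver list and GuardDuty DNS visibility."""
    by_id = {o["DhcpOptionsId"]: o for o in option_sets}
    report = {}
    for vpc in vpcs:
        servers = dns_servers(by_id.get(vpc["DhcpOptionsId"], {}))
        report[vpc["VpcId"]] = {
            "cidr": vpc["CidrBlock"],
            "servers": servers,
            "status": classify(vpc["CidrBlock"], servers),
        }
    return report


if __name__ == "__main__":
    for vpc_id, row in audit(SAMPLE_VPCS, SAMPLE_OPTION_SETS).items():
        print(f"{vpc_id:14} {row['cidr']:16} {row['status']:8} {', '.join(row['servers'])}")
```

Any VPC reported as blind or partial is one where the question's scenario applies: a lookup of the C2 domain goes straight to the domain controllers, the Route 53 Resolver never sees it, and Backdoor:EC2/C&CActivity.B!DNS cannot be generated. The fix that keeps AD name resolution working is to put the instances back on the VPC resolver and forward only the AD domain to the domain controllers through a Route 53 Resolver outbound endpoint and forwarding rule; every other query then passes through the Route 53 Resolver, where GuardDuty can see it. Note that the IP-based Backdoor:EC2/C&CActivity.B finding is fed by VPC Flow Logs rather than DNS logs, so this audit only explains gaps in the !DNS variant.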
josellama2000
Highly Voted 3 years, 8 months ago
A is incorrect. It could be correct if traffic to the malicious IP happened, but this is not the case. You can set severity values for alerts. C is correct. GuardDuty monitors DNS traffic for data exfiltration, not for regular resolves. Since the communication with the malicious server failed, no connections were made to the malicious IP for GuardDuty to detect. B is incorrect, same reason as on C. D is incorrect. GuardDuty is supposed to detect traffic to malicious IPs.
upvoted 9 times
DahMac
3 years, 7 months ago
C. GuardDuty only monitors active network traffic flow for command-and-control activity. Nothing else? no attacks? Don't think so. "GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With a few clicks in the AWS Management Console, GuardDuty can be enabled with no software or hardware to deploy or maintain."
upvoted 1 times
exams
3 years, 8 months ago
Is it B or C? Or are the options shuffled? B. GuardDuty does not see these DNS requests. C. GuardDuty only monitors active network traffic flow for command-and-control activity.
upvoted 2 times
EricJason
3 years, 8 months ago
B. GuardDuty does monitor C&C activity: Backdoor:EC2/C&CActivity.B!DNS. Default severity: High. Finding description: EC2 instance is querying a domain name that is associated with a known command and control server. The reason it can't see it is that it's using on-premises AD DNS, which GuardDuty is not able to scan.
upvoted 12 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
Correct answer is B. Windows instances are joined to AD, and therefore use its DNS instead of the Route 53 Resolver, while GuardDuty relies on DNS query logs to detect such a flow. Backdoor:EC2/C&CActivity.B!DNS: An EC2 instance is querying a domain name that is associated with a known command and control server. Default severity: High. Data source: DNS logs.
upvoted 1 times
OCHT
2 years ago
Selected Answer: B
Option C, "GuardDuty only monitors active network traffic flow for command-and-control activity", could be misleading because GuardDuty can also analyze other types of traffic and activities, such as CloudTrail logs and S3 data events, not just active network traffic flow.
upvoted 1 times
vavofa5697
2 years, 1 month ago
Selected Answer: B
It is B.
upvoted 1 times
ITGURU51
2 years, 2 months ago
DNS logs: If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.
upvoted 1 times
tezawynn
3 years, 3 months ago
It has to be Route 53 DNS for GuardDuty to see DNS. Other DNS resolvers won't work.
upvoted 2 times
mx677
3 years, 3 months ago
Selected Answer: B
If the DNS resolvers are not using Route 53, GuardDuty cannot detect malicious communication to C2C.
upvoted 1 times
alghoundar
3 years, 4 months ago
B is correct. When using Active Directory, DNS resolution is done by the domain controller, and GuardDuty only works with R53 for DNS resolution.
upvoted 4 times
Radhaghosh
3 years, 4 months ago
B. GuardDuty does not see these DNS requests.
upvoted 1 times
Elva
3 years, 7 months ago
Ans: B. Look at the question -> GuardDuty does not see THESE DNS requests. (These DNS point to a special case with these DNS requests.) Also quote: "EC2 instances in a VPC that are joined to on-premises Active Directory servers for domain services". Does this mean that it uses DNS from this domain server (and not AWS DNS)? So B for me.
upvoted 1 times
Ponzy
3 years, 7 months ago
Answer is CCCCCCCC. A general search explains the following: What can GuardDuty detect? The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. Surely, those who vote for B need to consider the facts of GuardDuty in relation to DNS logs. The statement in B is a naked lie.
upvoted 1 times
johnsm
3 years, 7 months ago
The question is poorly written. I agree the right answer is A, but mainly because the rest of the answers can be ruled out. However, GuardDuty detects C&C activity not only by inspecting DNS resolution, but also by having a look at VPC Flow Logs. That means that even if you are not able to inspect the DNS because you are using a third-party one, GuardDuty will see the IP address of the C&C server and will be able to alert on that.
upvoted 1 times
devjava
3 years, 7 months ago
Ans > B https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_dns
upvoted 4 times
AfricanCloudGuru
3 years, 7 months ago
Ans(C) AWS Guard Duty only monitors active network
upvoted 1 times
Mr_Zaw
3 years, 7 months ago
B. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_data-sources.html#guardduty_dns If you use AWS DNS resolvers for your EC2 instances (the default setting), then GuardDuty can access and process your request and response DNS logs through the internal AWS DNS resolvers. If you are using a 3rd party DNS resolver, for example, OpenDNS or GoogleDNS, or if you set up your own DNS resolvers, then GuardDuty cannot access and process data from this data source.
upvoted 1 times
sunilrch
3 years, 7 months ago
B should be the right answer. GuardDuty can't see the DNS requests from 3rd-party domain services.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other