
Exam AWS DevOps Engineer Professional topic 1 question 142 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 142
Topic #: 1

A company runs applications in AWS accounts that are in an organization in AWS Organizations. The applications use Amazon EC2 instances and Amazon S3.

The company wants to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future. When the company detects one of these events, the company wants to use an existing Amazon Simple Notification Service (Amazon SNS) topic to send a notification to its operational support team for investigation and remediation.

Which solution will meet these requirements in accordance with AWS best practices?

  • A. In the organization's management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company's existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.
  • B. In the organization's management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.
  • C. In the organization's management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
  • D. In the organization's management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company's existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
Suggested Answer: B
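As an added example that is not part of the exam question or of any comment below: the EventBridge rule to SNS wiring that the options describe, together with an offline check of which GuardDuty findings the rule's event pattern would forward. The topic ARN, rule name and sample findings are constructed placeholders; creating the rule assumes boto3 and credentials in the GuardDuty administrator account.

```python
# Added example (not from the exam page): an EventBridge rule forwarding GuardDuty
# findings to an existing SNS topic, plus an offline checker for its event pattern.
import json
import operator

SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:ops-support"  # constructed placeholder

# Pattern as EventBridge stores it: GuardDuty findings with severity >= 4
# (Medium and High). Use [">=", 0] to forward every finding.
GUARDDUTY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}
_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}


def _field_matches(value, matchers):
    # Alternatives are OR-ed; plain values need equality, {"numeric": [...]} is a range check.
    for m in matchers:
        if isinstance(m, dict) and "numeric" in m:
            ops = m["numeric"]  # e.g. [">=", 4] or [">", 4, "<=", 8.9]
            if isinstance(value, (int, float)) and all(
                    _OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif value == m:
            return True
    return False


def matches_pattern(event, pattern=GUARDDUTY_PATTERN):
    """True if EventBridge would route the event to the rule's target."""
    for key, expected in pattern.items():   # every pattern key must match (AND)
        if key not in event:
            return False
        if isinstance(expected, dict):      # nested object: recurse
            if not (isinstance(event[key], dict) and matches_pattern(event[key], expected)):
                return False
        elif not _field_matches(event[key], expected):
            return False
    return True


def create_rule(rule_name="guardduty-findings-to-sns"):
    """Create the rule and SNS target in the GuardDuty administrator account.
    Needs boto3 and credentials; the topic's access policy must also allow
    events.amazonaws.com to Publish. Not called by the offline checks."""
    import boto3
    events = boto3.client("events")
    events.put_rule(Name=rule_name, EventPattern=json.dumps(GUARDDUTY_PATTERN), State="ENABLED")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "ops-sns", "Arn": SNS_TOPIC_ARN}])
```

Because GuardDuty findings from every member account are published to EventBridge in the administrator account, a single rule there covers the whole organization; the sample findings show a High finding being forwarded and a Low one being filtered out.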

Comments

Stipy
11 months ago
"Create an AWS CloudFormation stack set that accepts the GuardDuty invitation" Really? It's A
upvoted 1 times
Dgix
1 year, 7 months ago
A. Correct. The admin account handles events for all accounts. B. Stack sets? Not necessary. C. Doesn't involve GuardDuty. D. SCPs can't enable Flow Logs.
upvoted 2 times
bakamon
1 year, 11 months ago
Selected Answer: B
Option B is the best solution because it meets all of the requirements stated in the question and is in accordance with AWS best practices. It allows the company to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity in its existing AWS accounts and in any AWS accounts that the company creates in the future using Amazon GuardDuty. It also provides a solution for automatically adding future AWS accounts to GuardDuty by configuring GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Option A is not the best solution because it does not provide a solution for automatically adding future AWS accounts to GuardDuty. It only involves configuring an AWS account as the GuardDuty administrator account and adding the company’s existing AWS accounts to GuardDuty as members.
upvoted 1 times
sriramr2
1 year, 11 months ago
Has to be C: "to detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity"
upvoted 1 times
daheck
2 years, 1 month ago
Selected Answer: A
According to ChatGPT, option A deals with both existing and future AWS accounts. The solution involves configuring an AWS account as the Amazon GuardDuty administrator account in the organization's management account, and adding existing AWS accounts to GuardDuty as members. For future AWS accounts, the solution leverages GuardDuty's ability to automatically add new accounts that are created within the organization by enabling the "Add new accounts by invitation" feature. This ensures that any new AWS accounts that are created in the future will automatically be added to the GuardDuty member accounts list and monitored for suspicious activity.
upvoted 2 times
yurchell
2 years, 2 months ago
Selected Answer: B
repost: Cannot be A, it does not deal with future accounts at all
upvoted 4 times
dangal97
2 years, 2 months ago
Selected Answer: B
Option A is incorrect because while it correctly identifies Amazon GuardDuty as a solution to detect threats, it does not provide a way to deploy the necessary resources to all AWS accounts in the organization automatically.
upvoted 3 times
dangal97
2 years, 2 months ago
Sorry, I will go with A after having second look
upvoted 1 times
BelloMio
2 years, 2 months ago
Cannot be A, it does not deal with future accounts at all
upvoted 1 times
Subhasis_Pattnayak
2 years, 3 months ago
B is the answer
upvoted 1 times
Bulti
2 years, 3 months ago
Answer is A. You don't need to accept a GuardDuty invitation if the member GuardDuty accounts are within the same AWS Org.
upvoted 1 times
saeidp
2 years, 4 months ago
Selected Answer: A
I'll go with A https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
upvoted 2 times
Dimidrol
2 years, 4 months ago
Selected Answer: A
A sure
upvoted 1 times
romidan
2 years, 4 months ago
A seems correct
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other