Exam AWS Certified DevOps Engineer - Professional DOP-C02 topic 1 question 102 discussion

Dear Admin, Please Fix the Wrong response here! It´s A: This solution meets all the requirements: Detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity: Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior. It analyzes events from AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect such activities. Send a notification to the operational support team: Creating an Amazon EventBridge rule that matches GuardDuty findings and then forwarding these to an SNS topic allows for the generation of notifications whenever suspicious activity is detected. Cover future AWS accounts: By designating a GuardDuty administrator account in AWS Organizations, you can manage GuardDuty across all of your existing and future AWS accounts. This ensures that any new account created under the organization is automatically covered by GuardDuty.

B is the right answer

keywords: compromised EC2 instances, suspicious network activity, and unusual API activity = GuardDuty

When you use GuardDuty with an AWS organization, the management account of that organization can designate any account within the organization as the delegated GuardDuty administrator account. For this administrator account, GuardDuty gets enabled automatically only in the designated AWS Region. This account also has the permission to enable and manage GuardDuty for all of the accounts in the organization within that Region. The administrator account can view the members of and add members to this AWS organization. AWS GuardDuty can detect unusual API activity within existing AWS accounts in an AWS Organization. It monitors AWS CloudTrail event logs, which include records of all API calls made within your AWS environment. GuardDuty analyzes these logs to identify unusual or suspicious API activity that might indicate a potential security threat.

A looks like a better choice. When you use GuardDuty with an AWS organization, the management account of that organization can designate any account within the organization as the delegated GuardDuty administrator account. For this administrator account, GuardDuty gets enabled automatically only in the designated AWS Region. This account also has the permission to enable and manage GuardDuty for all of the accounts in the organization within that Region. The administrator account can view the members of and add members to this AWS organization.

answer A

If GuardDuty is indeed set up at the organization level (which is supported and encouraged by AWS for simplicity and coverage), then Option A becomes a very strong choice. It provides centralized management and automatic, seamless inclusion of all organization accounts in security monitoring without requiring manual intervention for each new account.

Definitely B

A is correct: <detect potentially compromised EC2 instances, suspicious network activity, and unusual API activity> means AWS GuardDuty B: dont have to invite other accounts because all accounts are in an org in AWS org. C and D: no mention of GuardDuty

invitation is used to handle users OUTSIDE the organization.

Go For A. https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html

Member accounts must accept invite from the designated guard duty account before its effect. I use AWS organisation at work and quite familiar with the workings. I lean towards B

It true it's missing auto enabled on. but Invitation is organization is not needed as Organization get precedence with account management when you have deligated Guardduty account. "If you have already set up a GuardDuty administrator account with associated member accounts by invitation and the member accounts are part of the same organization, their Type changes from By Invitation to Via Organizations" https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html

B is the correct answer. A could better if not for the fact that it doesn't handle automatic enablement on new AWS account. B handles this case with CloudFormation stacksets : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-master.html

B is wrong. Newly created AWS accounts = you don't need to do this if the GD Orgz is configured properly, you can accept from delegated admin account. The point remains, you can add the accounts using option A. The misdirect here is that A does not state anything about new accounts vs B which does. Bearing in mind A + B still have to do something in GD, A is actually the better option. A is right.

Option A is not the best choice because although it correctly configures GuardDuty as the administrator, it does not handle the automatic addition of new AWS accounts to GuardDuty and the forwarding of events to the SNS topic

Option B is the most suitable solution as it combines GuardDuty, AWS CloudFormation StackSets, and Amazon EventBridge to automatically monitor all existing and future AWS accounts and send notifications to the specified SNS topic when security events are detected.