Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 8 discussion

A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur.
Which solution will meet these requirements?

  • A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
  • B. Configure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
  • C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
  • D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.
Suggested Answer: C
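As an added example (not part of the question or of this site), here is the Lambda side of option C in Python: it parses the Security Hub finding event that EventBridge delivers, keeps only RDPBruteForce findings, and adds Suricata drop rules for the instance's addresses to a Network Firewall stateful rule group. The rule group ARN, the SID scheme and the sample event are assumptions; the boto3 calls are the real `describe_rule_group` / `update_rule_group` API.

```python
import os
import zlib

# Assumed: the ARN of the stateful rule group to update comes from an environment variable.
RULE_GROUP_ARN = os.environ.get("RULE_GROUP_ARN", "arn:aws:network-firewall:PLACEHOLDER")

def extract_rdp_bruteforce_instances(event):
    """Return [(instance_id, [ipv4, ...])] for every RDPBruteForce finding in the event."""
    hits = []
    for finding in event.get("detail", {}).get("findings", []):
        if not any("RDPBruteForce" in t for t in finding.get("Types", [])):
            continue  # other GuardDuty finding types are out of scope for this playbook
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            instance_id = res["Id"].rsplit("/", 1)[-1]  # ARN ends in .../instance/i-xxxx
            ips = res.get("Details", {}).get("AwsEc2Instance", {}).get("IpV4Addresses", [])
            hits.append((instance_id, ips))
    return hits
def quarantine_rules(instance_id, ips):
    """Suricata 'drop' rules for the stateful rule group; '<>' matches both directions."""
    rules = []
    for ip in ips:
        sid = 1_000_000 + zlib.crc32(f"{instance_id}/{ip}".encode()) % 1_000_000  # stable SID
        rules.append(f'drop ip {ip} any <> any any (msg:"GuardDuty RDPBruteForce {instance_id}"; sid:{sid}; rev:1;)')
    return rules
def merge_rules(existing_rules_string, new_rules):
    """Append only rules not already present, so a retried event does not duplicate rules."""
    current = [ln for ln in existing_rules_string.splitlines() if ln.strip()]
    return "\n".join(current + [r for r in new_rules if r not in current])
def handler(event, context=None):
    """Lambda entry point: read the rule group, merge the drop rules, write it back."""
    import boto3  # imported here so the parsing/rule-building functions run without the SDK
    hits = extract_rdp_bruteforce_instances(event)
    if not hits:
        return {"blocked": []}
    nfw = boto3.client("network-firewall")
    current = nfw.describe_rule_group(RuleGroupArn=RULE_GROUP_ARN, Type="STATEFUL")
    rules_string = current["RuleGroup"]["RulesSource"].get("RulesString", "")
    for instance_id, ips in hits:
        rules_string = merge_rules(rules_string, quarantine_rules(instance_id, ips))
    nfw.update_rule_group(UpdateToken=current["UpdateToken"], RuleGroupArn=RULE_GROUP_ARN,
                          RuleGroup={"RulesSource": {"RulesString": rules_string}}, Type="STATEFUL")
    return {"blocked": [instance_id for instance_id, _ in hits]}

# Constructed sample event (ASFF finding shape as delivered by EventBridge; all values made up).
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [{
    "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce"],
    "Resources": [{"Type": "AwsEc2Instance", "Details": {"AwsEc2Instance": {"IpV4Addresses": ["10.0.1.23"]}},
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456789a"}]}]}}
```

The drop rules are bidirectional, which matches the question's "to and from" wording, and the read-modify-write with the UpdateToken is what keeps concurrent Lambda invocations from clobbering each other's rules.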

Comments
Daniel76
Highly Voted 2 months, 1 week ago
Selected Answer: C
Letting GuardDuty detections be sent to Security Hub as findings is a simple and elegant way. https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html Use EventBridge to respond by invoking Lambda. An Amazon Kinesis data stream is not needed. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html I suggest only blocking the specific port 389 against these suspicious EC2 instances instead of isolating them in a security group, to minimize the impact while it has not been verified as a confirmed attack.
upvoted 9 times
Almo89
Most Recent 2 months, 1 week ago
Selected Answer: C
Not A: Kinesis is for a stream of data. GuardDuty will report (raise an alarm) but there is no need for Apache Flink.
Not B: WAF is for a web application (80, 443); the attack will be initiated from an EC2 (internal company machine). It doesn't specify whether the target location is local or external, but it will be RDP.
Not D: SG will not block outbound traffic (stateful). SG will not be enough; the EC2 initiates the attack.
C is the simplest and most correct, as the FW will block any traffic from/to the EC2.
upvoted 1 times
DLG_85
5 months, 1 week ago
Option B. We have to consider that the security team has to be notified. There is nothing about that in the other answers.
upvoted 1 times
sabmel
3 months ago
It's not required as per the question, so not B.
upvoted 1 times
cumzle_com
5 months, 3 weeks ago
Selected Answer: D
While Option C is technically feasible and provides robust network-level protection using AWS Network Firewall, it is more complex and might be an overkill for the specific task of quickly isolating individual EC2 instances. Option D offers a more direct and simpler approach by replacing the security group of the suspicious instance, which is generally easier to manage and quicker to implement in the context of isolating instances based on GuardDuty findings. Therefore, while Option C can meet the requirements, Option D is more appropriate and efficient for the specific task of blocking communication from suspicious instances quickly and effectively.
upvoted 1 times
sabmel
3 months ago
In option D, all the connections will be blocked due to the change in SG, which is not required, so not D.
upvoted 1 times
Raphaello
9 months, 4 weeks ago
Selected Answer: C
1. No point in using Kinesis Data Streams/Analytics/Apache Flink to stream and process the event.
2. Neither WAF nor NACL is an effective solution for the mentioned case.
3. GuardDuty findings can be sent directly to Amazon EventBridge to trigger an action, but deploying Security Hub is not entirely wrong.
4. AWS Network Firewall is better suited to block suspicious instances.
Option C is the correct answer.
upvoted 1 times
awssecuritynewbie
10 months, 1 week ago
Selected Answer: C
I would go with C, as option D will block any connection to the EC2 machine, which is not what you want, and security groups are easier and at the endpoint level.
upvoted 1 times
mynickc
10 months, 1 week ago
Selected Answer: C
Here are some basics: WAF protects ports 443 / 80. RDP is a different port and has nothing to do with Layer 7 or WAF.
upvoted 2 times
happy34
11 months ago
D is the answer. We need to identify the best method, tech and cost implied. WAF is layer 7 prevention. FW is layer 3-7. Web ACL can prevent layer 7. RDP is mostly Layer 7, password guessing etc. https://repost.aws/knowledge-center/waf-prevent-brute-force-attacks
upvoted 1 times
shuaaaa
7 months ago
RDP is L3 (IP) + L4 (Port 3389). it is NOT L7.
upvoted 2 times
brpjp
11 months, 1 week ago
Hello, correct my understanding: I agree with answer C.
upvoted 1 times
brpjp
11 months, 1 week ago
When GuardDuty is there, I do not understand what the requirement is to integrate Security Hub.
upvoted 1 times
brpjp
11 months, 1 week ago
Answer B is correct. The first scenario requested is an RDP brute force attack. Neither NACL, Network Firewall, nor Security Group supports blocking this; only WAF helps to block traffic based on a pattern.
upvoted 2 times
cumzle_com
5 months, 3 weeks ago
WAF is only for HTTP traffic :)
upvoted 1 times
3633f8f
11 months, 3 weeks ago
Selected Answer: C
C is the answer
upvoted 1 times
3633f8f
11 months, 3 weeks ago
Selected Answer: D
To isolate, there is nothing more powerful than an ACL at subnet level, which immediately denies traffic in any direction. Wishing to automate, there is no choice but to use an ACL, as you do not know the exact IP of the source that is attacking; thus, you apply a security group restriction. The need for Kinesis Data Streams is to process real-time events while they happen. A firewall you do not usually automate, as it has complex features that need to be set via IaC or the console.
upvoted 2 times
3633f8f
11 months, 3 weeks ago
Correcting, as RDP is handled directly in layer 3. C
upvoted 1 times
Raphaello
11 months, 3 weeks ago
Selected Answer: C
C SecurityGroup is a simpler way of isolating a suspicious instance, unlike Network Firewall that is a paid service. EventBridge is needed to relay events to Kinesis Data Stream. At that point, what is the need to Kinesis Data Stream? Lambda function could be invoked directly from EventBridge. For that, I'd go with C.
upvoted 2 times
WeepingMaplte
11 months, 3 weeks ago
AWS Network Firewall is a better option unless the question wants the most cost-effective method.
upvoted 1 times
Aamee
1 year ago
Selected Answer: C
Would go with C since it has asked specifically for automating the security findings... and that's where Security Hub comes into play in combination with EventBridge.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other