Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 31 discussion

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.
Why was the finding not created in the Security Hub delegated administrator account?

  • A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
  • B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
  • C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
  • D. Cross-Region aggregation in Security Hub was not configured.
Suggested Answer: B
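The practical check behind answer B is whether a VPC's DHCP options set hands instances anything other than AmazonProvidedDNS, because queries sent to another resolver never pass through the VPC resolver whose logs GuardDuty reads. The script below is an added example for this discussion, not code from the exam page or from AWS. It works over the JSON shapes returned by `aws ec2 describe-vpcs` and `aws ec2 describe-dhcp-options`; the two payloads embedded in it are constructed samples with made-up resource IDs (the second option set uses OpenDNS's public resolver addresses to mirror the scenario in the question), and the function names are this example's own.

```python
"""Audit which VPCs point at a non-Amazon DNS resolver through their DHCP options set.

Added example for this discussion, not code from the exam or from AWS. It consumes the JSON
shapes returned by `aws ec2 describe-vpcs` and `aws ec2 describe-dhcp-options`; the payloads
below are constructed samples with made-up resource IDs, not captured from a real account.
"""
from __future__ import annotations

import json

# The value AWS uses in a DHCP options set for the VPC-provided (Route 53 Resolver) DNS.
AMAZON_DNS = "AmazonProvidedDNS"

# Constructed sample output of `aws ec2 describe-vpcs` (IDs are hypothetical).
SAMPLE_VPCS = json.dumps({
    "Vpcs": [
        {"VpcId": "vpc-0aaaaaaaaaaaaaaaa", "DhcpOptionsId": "dopt-0aaaaaaaaaaaaaaaa"},
        {"VpcId": "vpc-0bbbbbbbbbbbbbbbb", "DhcpOptionsId": "dopt-0bbbbbbbbbbbbbbbb"},
        {"VpcId": "vpc-0ccccccccccccccccc", "DhcpOptionsId": "dopt-0ccccccccccccccccc"},
    ]
})

# Constructed sample output of `aws ec2 describe-dhcp-options`: one default set, one pointing
# at OpenDNS's public resolvers (the case in the question), one mixing Amazon and a custom host.
SAMPLE_DHCP_OPTIONS = json.dumps({
    "DhcpOptions": [
        {
            "DhcpOptionsId": "dopt-0aaaaaaaaaaaaaaaa",
            "DhcpConfigurations": [
                {"Key": "domain-name", "Values": [{"Value": "ec2.internal"}]},
                {"Key": "domain-name-servers", "Values": [{"Value": AMAZON_DNS}]},
            ],
        },
        {
            "DhcpOptionsId": "dopt-0bbbbbbbbbbbbbbbb",
            "DhcpConfigurations": [
                {"Key": "domain-name-servers",
                 "Values": [{"Value": "208.67.222.222"}, {"Value": "208.67.220.220"}]},
            ],
        },
        {
            "DhcpOptionsId": "dopt-0ccccccccccccccccc",
            "DhcpConfigurations": [
                {"Key": "domain-name-servers",
                 "Values": [{"Value": AMAZON_DNS}, {"Value": "10.0.0.53"}]},
            ],
        },
    ]
})


def resolvers_by_option_set(dhcp_options_json: str) -> dict[str, list[str]]:
    """Map each DHCP options set ID to its ordered domain-name-servers values."""
    result: dict[str, list[str]] = {}
    for option_set in json.loads(dhcp_options_json)["DhcpOptions"]:
        servers: list[str] = []
        for cfg in option_set.get("DhcpConfigurations", []):
            if cfg["Key"] == "domain-name-servers":
                servers.extend(v["Value"] for v in cfg["Values"])
        result[option_set["DhcpOptionsId"]] = servers
    return result


def vpcs_without_guardduty_dns_visibility(vpcs_json: str, dhcp_options_json: str) -> dict[str, list[str]]:
    """Return {vpc_id: resolvers} for every VPC whose option set hands out anything other than
    AmazonProvidedDNS alone. A mixed list is flagged too: the OS may query the custom entry,
    and those queries never pass through the VPC resolver that GuardDuty reads."""
    resolvers = resolvers_by_option_set(dhcp_options_json)
    flagged: dict[str, list[str]] = {}
    for vpc in json.loads(vpcs_json)["Vpcs"]:
        servers = resolvers.get(vpc["DhcpOptionsId"])
        if servers is None:
            # Option set not in the describe-dhcp-options output; surface it rather than guess.
            flagged[vpc["VpcId"]] = ["<option set %s not returned>" % vpc["DhcpOptionsId"]]
        elif servers != [AMAZON_DNS]:
            flagged[vpc["VpcId"]] = servers
    return flagged


if __name__ == "__main__":
    for vpc_id, servers in vpcs_without_guardduty_dns_visibility(SAMPLE_VPCS, SAMPLE_DHCP_OPTIONS).items():
        print(f"{vpc_id}: GuardDuty DNS findings will not fire; resolvers = {servers}")
```

To run it against a real account, replace the two sample strings with the output of `aws ec2 describe-vpcs --output json` and `aws ec2 describe-dhcp-options --output json` for the Region under test. The check covers only VPC-level configuration: an instance can still bypass the VPC resolver by editing its own resolver settings or using DNS over HTTPS, and GuardDuty must be enabled in that account and Region for any DNS finding to exist at all.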

Comments

[Removed]
Highly Voted 1 year ago
Selected Answer: B
GuardDuty cannot detect DNS requests if a custom resolver is set up. See below: https://repost.aws/knowledge-center/guardduty-finding-types#:~:text=Note%3A%20GuardDuty%20only%20processes%20DNS%20logs%20if%20you%20use%20the%20default%20VPC%20DNS%20resolver.%20All%20other%20types%20of%20DNS%20resolvers%20won%27t%20generated%20DNS%20based%20findings.
upvoted 7 times
Daniel76
1 year ago
"GuardDuty only processes DNS logs if you use the default VPC DNS resolver. All other types of DNS resolvers won't generated DNS based findings."
upvoted 6 times
IPLogic
Most Recent 1 day, 18 hours ago
Selected Answer: B
The most likely reason why the GuardDuty finding was not created in the Security Hub delegated administrator account is option B: the VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver. When the VPC is configured with a custom DNS resolver, GuardDuty might not be able to detect DNS requests made by the EC2 instance, which would prevent the finding from being generated.
upvoted 1 times
Davidng88
2 months, 3 weeks ago
Selected Answer: B
AWS GuardDuty only detects DNS queries sent to the Amazon-provided DNS resolver. VPC Flow Logs are not required for GuardDuty DNS findings; there will be no GuardDuty finding if GuardDuty is not integrated with Security Hub, and the company resides in only one Region.
upvoted 1 times
Sodev
8 months ago
Why not A? The Backdoor:EC2/DenialOfService.Dns finding evaluates VPC Flow Logs; if they are disabled, there is nothing to do, lol.
upvoted 1 times
hro
8 months, 2 weeks ago
C... GuardDuty can access and process your request and response DNS logs through the internal ... I'm going with C. It is more likely that someone in the security team didn't activate Security Hub for the delegated admin account than any of the other answers.
upvoted 1 times
hro
8 months, 3 weeks ago
C - I'm going with this answer. GuardDuty can access and process DNS logs through AWS DNS resolvers, such as Amazon Route 53, if the EC2 instances use them.
upvoted 1 times
arvehisa
9 months ago
I don't understand why guardduty should generate a finding against a test dns query.
upvoted 1 times
mynickc
10 months, 3 weeks ago
Selected Answer: B
B is correct. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-internal-providers.html#integration-amazon-guardduty
upvoted 1 times
CloudRover
11 months ago
Selected Answer: B
"GuardDuty only processes DNS logs if you use the default VPC DNS resolver. All other types of DNS resolvers won't generated DNS based findings." As Daniel76 pointed out, this is the correct answer.
upvoted 3 times
trashbox
11 months, 3 weeks ago
Exam on 2023-12-18
upvoted 1 times
Raphaello
11 months, 3 weeks ago
Selected Answer: D
Going with D. https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation-enable.html#finding-aggregation-enable-console
upvoted 1 times
Raphaello
9 months, 2 weeks ago
Correction: correct answer is B. Missed that in the scenario the company operates from a single region, additionally, without using Route53 resolver and DNS query logs, GuardDuty would not be able to produce DNS findings.
upvoted 1 times
KaiW
11 months, 1 week ago
But didn't the question say that the company operates out of a single Region?
upvoted 1 times
kejam
1 year ago
Selected Answer: D
Choosing D through a process of elimination.
A. VPC flow logs are not required to be turned on. https://aws.amazon.com/guardduty/faqs/
B. Custom DNS resolver? GuardDuty should have picked that up from the VPC flow logs: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver
C. GuardDuty and Security Hub integration is enabled automatically: https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html#securityhub-integration-enable
D. Cross-Region aggregation. Regions weren't mentioned in the question, but it is the only possible answer left. https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html
upvoted 1 times
kejam
1 year ago
Just noticed "The company operates out of a single AWS Region." So changing my answer to none of the above ;-)
upvoted 1 times
bannium
1 year, 1 month ago
Selected Answer: B
> Note: GuardDuty only processes DNS logs if you use the default VPC DNS resolver. All other types of DNS resolvers won't generated DNS based findings. https://repost.aws/knowledge-center/guardduty-finding-types
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other