Topic 1 Question 8
A company has deployed Amazon GuardDuty and now wants to implement automation for potential threats. The company has decided to start with RDP brute force attacks that come from Amazon EC2 instances in the company's AWS environment. A security engineer needs to implement a solution that blocks the detected communication from a suspicious instance until investigation and potential remediation can occur. Which solution will meet these requirements?
A. Configure GuardDuty to send the event to an Amazon Kinesis data stream. Process the event with an Amazon Kinesis Data Analytics for Apache Flink application that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS). Add rules to the network ACL to block traffic to and from the suspicious instance.
B. Configure GuardDuty to send the event to Amazon EventBridge. Deploy an AWS WAF web ACL. Process the event with an AWS Lambda function that sends a notification to the company through Amazon Simple Notification Service (Amazon SNS) and adds a web ACL rule to block traffic to and from the suspicious instance.
C. Enable AWS Security Hub to ingest GuardDuty findings and send the event to Amazon EventBridge. Deploy AWS Network Firewall. Process the event with an AWS Lambda function that adds a rule to a Network Firewall firewall policy to block traffic to and from the suspicious instance.
D. Enable AWS Security Hub to ingest GuardDuty findings. Configure an Amazon Kinesis data stream as an event destination for Security Hub. Process the event with an AWS Lambda function that replaces the security group of the suspicious instance with a security group that does not allow any connections.
Comments (17)
- Selected answer: C
Letting GuardDuty detections be sent to Security Hub as findings is a simple and elegant way. https://docs.aws.amazon.com/guardduty/latest/ug/securityhub-integration.html
Use EventBridge to respond by invoking Lambda. An Amazon Kinesis data stream is not needed. https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cloudwatch-events.html
I suggest only blocking the specific port 389 on the suspicious EC2 instance instead of isolating it in a security group, to minimize the impact while it has not been verified as a confirmed attack.
👍 9 Daniel76 2024/09/24
- Selected answer: C
Here are some basics: WAF protects ports 443 / 80. RDP is a different port and has nothing to do with Layer 7 or WAF.
👍 4 mynickc 2024/01/27
- Selected answer: C
Not A: Kinesis is for a stream of data. GuardDuty will report (raise an alarm), but there is no need for Apache Flink.
Not B: WAF is for a web application (80, 443). The attack will be initiated from an EC2 instance (internal company machine); it doesn't specify the target location, local or external, but it will be RDP.
Not D: SG will not block outbound traffic (stateful). SG will not be enough; the EC2 instance initiates the attack.
C is the simplest and most correct, as the FW will block any traffic from/to the EC2 instance.
👍 3 Almo89 2024/09/24
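As an added example (not from the question or from any of the commenters), here is what the Lambda function in option C could look like in Python with boto3: EventBridge delivers a "Security Hub Findings - Imported" event, the handler pulls the EC2 instance and its private IP out of any GuardDuty RDP brute-force finding, and it appends a stateful DROP rule for that IP to a Network Firewall rule group that the firewall policy already references. The rule-group ARN (`RULE_GROUP_ARN` environment variable), the `SAMPLE_EVENT` finding, the instance ID and IPs are all constructed placeholders. By default it blocks only TCP/3389 in either direction, in line with the first commenter's suggestion to limit the blast radius until the finding is confirmed; `rdp_only=False` blocks all IP traffic for the instance instead.

```python
"""Added example: Lambda handler that blocks an instance flagged by GuardDuty via
Security Hub -> EventBridge by adding a DROP rule to a Network Firewall rule group."""
import copy
import os

RDP_PORT = "3389"
# Assumption: the stateful rule group ARN is supplied by the Lambda environment.
RULE_GROUP_ARN = os.environ.get(
    "RULE_GROUP_ARN",
    "arn:aws:network-firewall:REGION:ACCOUNT-ID:stateful-rulegroup/PLACEHOLDER",
)

# Constructed sample event (illustrative values, not a real finding): one
# GuardDuty RDP brute-force finding in ASFF, as Security Hub forwards it.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "source": "aws.securityhub",
    "detail": {
        "findings": [
            {
                "Id": "constructed-finding-id",
                "ProductName": "GuardDuty",
                "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce"],
                "Severity": {"Label": "HIGH"},
                "Resources": [
                    {
                        "Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
                        "Details": {"AwsEc2Instance": {"IpV4Addresses": ["10.0.1.25"]}},
                    }
                ],
            }
        ]
    },
}


def extract_suspects(event):
    """Return (instance_id, private_ip) pairs for EC2 resources in RDP brute-force findings."""
    suspects = []
    for finding in event.get("detail", {}).get("findings", []):
        if not any("RDPBruteForce" in t for t in finding.get("Types", [])):
            continue  # other finding types are handled elsewhere
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            instance_id = res["Id"].rsplit("/", 1)[-1]
            details = res.get("Details", {}).get("AwsEc2Instance", {})
            for ip in details.get("IpV4Addresses", []):
                suspects.append((instance_id, ip))
    return suspects


def next_sid(rules):
    """Stateful rules need a unique Suricata sid; continue after the highest one present."""
    sids = [
        int(s)
        for r in rules
        for o in r.get("RuleOptions", [])
        if o.get("Keyword") == "sid"
        for s in o.get("Settings", [])
    ]
    return max(sids, default=0) + 1


def block_rule(ip, sid, rdp_only=True):
    """One 5-tuple DROP rule. Direction ANY matches the flow either way, so a single
    rule with the instance as Source covers traffic both from and to it."""
    header = {
        "Protocol": "TCP" if rdp_only else "IP",
        "Source": f"{ip}/32",
        "SourcePort": "ANY",
        "Direction": "ANY",
        "Destination": "ANY",
        "DestinationPort": RDP_PORT if rdp_only else "ANY",
    }
    return {"Action": "DROP", "Header": header,
            "RuleOptions": [{"Keyword": "sid", "Settings": [str(sid)]}]}


def merge_block_rules(rule_group, ips, rdp_only=True):
    """Return a copy of the rule group with one DROP rule per new IP; re-running on an
    IP that is already blocked adds nothing, so repeated findings are idempotent."""
    rg = copy.deepcopy(rule_group)
    rules = rg.setdefault("RulesSource", {}).setdefault("StatefulRules", [])
    already = {r["Header"]["Source"] for r in rules}
    for ip in ips:
        src = f"{ip}/32"
        if src not in already:
            rules.append(block_rule(ip, next_sid(rules), rdp_only))
            already.add(src)
    return rg


def handler(event, context=None):
    """Lambda entry point: read the finding, then update the rule group in place."""
    suspects = extract_suspects(event)
    if not suspects:
        return {"blocked": []}
    import boto3  # imported lazily so the pure functions above run without AWS access
    nfw = boto3.client("network-firewall")
    current = nfw.describe_rule_group(RuleGroupArn=RULE_GROUP_ARN)
    updated = merge_block_rules(current["RuleGroup"], [ip for _, ip in suspects])
    # UpdateToken guards against two concurrent invocations clobbering each other's rules.
    nfw.update_rule_group(UpdateToken=current["UpdateToken"],
                          RuleGroupArn=RULE_GROUP_ARN, RuleGroup=updated)
    return {"blocked": suspects}
```

The EventBridge rule that triggers this handler would match `source: aws.securityhub` and `detail-type: Security Hub Findings - Imported`, optionally filtered on the finding type; the Lambda role needs only `network-firewall:DescribeRuleGroup` and `network-firewall:UpdateRuleGroup` on that one rule group. Removing the rule after investigation is the reverse of `merge_block_rules` and is left to the remediation step the question mentions.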