AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 385
A company manages a multi-tenant environment in its VPC and has configured Amazon GuardDuty for the corresponding AWS account. The company sends all GuardDuty findings to AWS Security Hub.
Traffic from suspicious sources is generating a large number of findings. A DevOps engineer needs to implement a solution to automatically deny traffic across the entire VPC when GuardDuty discovers a new suspicious source.
Which solution will meet these requirements?
Answer options
- A. Create a GuardDuty threat list. Configure GuardDuty to reference the list. Create an AWS Lambda function that will update the threat list. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
- B. Configure an AWS WAF web ACL that includes a custom rule group. Create an AWS Lambda function that will create a block rule in the custom rule group. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
- C. Configure a firewall in AWS Network Firewall. Create an AWS Lambda function that will create a Drop action rule in the firewall policy. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
- D. Create an AWS Lambda function that will create a GuardDuty suppression rule. Configure the Lambda function to run in response to new Security Hub findings that come from GuardDuty.
Correct answer: C
Explanation
AWS Network Firewall operates at the VPC level, so Drop rules that a Lambda function adds to the firewall policy in response to Security Hub findings block the offending source across the entire VPC. AWS WAF protects only specific resources such as Application Load Balancers and Amazon CloudFront distributions, so it cannot cover the whole VPC. GuardDuty threat lists and suppression rules only change how findings are generated and displayed; they cannot block network traffic.
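The automation behind option C, as an added example that is not part of the exam page: a Python Lambda handler that takes the Security Hub "Findings - Imported" EventBridge event, keeps only GuardDuty findings, pulls the remote peer addresses from the ASFF `Action` object, and appends `aws:drop` rules to a pre-existing stateless Network Firewall rule group. The rule group name, the injectable `client` parameter and the sample event in the test are assumptions made for this example.

```python
import ipaddress
RULE_GROUP_NAME = "guardduty-block-list"  # assumption: existing STATELESS rule group referenced by the VPC firewall policy

def extract_remote_ips(event):
    """Remote IPv4 peers from a Security Hub 'Findings - Imported' event, GuardDuty findings only."""
    ips = set()
    for finding in event.get("detail", {}).get("findings", []):
        if "product/aws/guardduty" not in finding.get("ProductArn", ""):
            continue  # findings from other Security Hub products must not drive the block list
        action = finding.get("Action", {})  # ASFF Action object
        details = [action.get("NetworkConnectionAction", {}).get("RemoteIpDetails", {})]
        details += [p.get("RemoteIpDetails", {}) for p in action.get("PortProbeAction", {}).get("PortProbeDetails", [])]
        for d in details:
            try:
                ips.add(str(ipaddress.IPv4Address(d.get("IpAddressV4", ""))))
            except ValueError:
                pass  # missing or malformed address: skip rather than push garbage into the firewall
    return ips

def merge_drop_rules(rules, ips):
    """Append one aws:drop stateless rule per new /32, keeping priorities unique; idempotent."""
    blocked = {s["AddressDefinition"] for r in rules for s in r["RuleDefinition"]["MatchAttributes"].get("Sources", [])}
    priority = max((r["Priority"] for r in rules), default=0)
    merged = list(rules)
    for ip in sorted(ips):
        cidr = f"{ip}/32"
        if cidr in blocked:
            continue
        priority += 1
        merged.append({"Priority": priority, "RuleDefinition": {
            "MatchAttributes": {"Sources": [{"AddressDefinition": cidr}]},
            "Actions": ["aws:drop"]}})
    return merged

def handler(event, context=None, client=None):
    """Lambda entry point; `client` is injectable so the logic can be exercised offline."""
    if client is None:
        import boto3  # only needed inside Lambda
        client = boto3.client("network-firewall")
    ips = extract_remote_ips(event)
    if not ips:
        return {"added": 0}
    current = client.describe_rule_group(RuleGroupName=RULE_GROUP_NAME, Type="STATELESS")
    source = current["RuleGroup"]["RulesSource"]["StatelessRulesAndCustomActions"]
    merged = merge_drop_rules(source["StatelessRules"], ips)
    added = len(merged) - len(source["StatelessRules"])
    if added:  # the UpdateToken makes concurrent invocations fail instead of clobbering each other
        source["StatelessRules"] = merged
        client.update_rule_group(UpdateToken=current["UpdateToken"], RuleGroupName=RULE_GROUP_NAME, Type="STATELESS", RuleGroup=current["RuleGroup"])
    return {"added": added}
```

The Lambda role needs `network-firewall:DescribeRuleGroup` and `network-firewall:UpdateRuleGroup`, and the EventBridge rule should filter on the Security Hub source and the GuardDuty product ARN so unrelated findings never reach the function.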