AWS Certified Security – Specialty (SCS-C02) — Question 267
A security engineer needs to implement a solution to determine whether a company’s Amazon EC2 instances are being used to mine cryptocurrency. The solution must provide notifications of cryptocurrency-related activity to an Amazon Simple Notification Service (Amazon SNS) topic.
Which solution will meet these requirements?
Answer options
- A. Create AWS Config custom rules by using Guard custom policy. Configure the AWS Config rules to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure AWS Config to initiate alerts to the SNS topic.
- B. Enable Amazon GuardDuty. Create an Amazon EventBridge rule to send alerts to the SNS topic when GuardDuty creates a finding that is associated with cryptocurrency-related activity.
- C. Enable Amazon Inspector. Create an Amazon EventBridge rule to send alerts to the SNS topic when Amazon Inspector creates a finding that is associated with cryptocurrency-related activity.
- D. Enable VPC flow logs. Send the flow logs to an Amazon S3 bucket. Set up a query in Amazon Athena to detect when an EC2 instance queries a DNS domain name that is associated with cryptocurrency-related activity. Configure the Athena query to initiate alerts to the SNS topic.
Correct answer: B
Explanation
Amazon GuardDuty natively monitors VPC Flow Logs, DNS logs, and AWS CloudTrail management logs to detect cryptocurrency-related activities, such as an EC2 instance communicating with known mining pools. By integrating GuardDuty with Amazon EventBridge, you can automatically capture these specific findings and route them to an Amazon SNS topic for real-time alerting. Other services like Amazon Inspector focus on vulnerability scanning rather than active threat detection, and AWS Config or Athena queries are not designed for real-time threat intelligence matching of this nature.