AWS Certified Security – Specialty (SCS-C02) — Question 51

A company has enabled Amazon GuardDuty in all AWS Regions as part of its security monitoring strategy. In one of its VPCs, the company hosts an Amazon EC2 instance that works as an FTP server. A high number of clients from multiple locations contact the FTP server. GuardDuty identifies this activity as a brute force attack because of the high number of connections that happen every hour.
The company has flagged the finding as a false positive, but GuardDuty continues to raise the issue. A security engineer must improve the signal-to-noise ratio without compromising the company's visibility of potential anomalous behavior.
Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

The correct answer is C because creating a suppression rule in GuardDuty allows the company to filter out specific findings that match certain criteria, thus reducing noise while retaining the ability to detect genuine threats. Option A would eliminate monitoring for the FTP rule entirely, potentially allowing real threats to go undetected. Option B may reduce notifications but does not effectively manage the false positives. Option D, while it could delete findings, does not address the root cause of the false positives, which is best handled by suppression rules.
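As an added illustration of the mechanism behind answer C (this is example code, not part of the exam question or AWS documentation), the following AWS CLI script creates a GuardDuty suppression rule, which is a filter whose action is `ARCHIVE`. The detector ID, instance ID and finding type are placeholders; the real finding type string is taken from the finding GuardDuty keeps raising, and the rule is scoped to that type on that one instance so that the same finding against any other host still surfaces.

```shell
#!/bin/sh
# Added example: suppress a recurring, reviewed-as-benign GuardDuty finding
# for one known FTP server by creating a filter with action ARCHIVE.
# All three values below are placeholders, not values from the question.

DETECTOR_ID="${DETECTOR_ID:-<detector-id>}"        # placeholder: from `aws guardduty list-detectors`
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # placeholder: the FTP server's instance ID
FINDING_TYPE="${FINDING_TYPE:-<finding-type>}"      # placeholder: the exact Type of the noisy finding

# Build the FindingCriteria JSON for create-filter. Both conditions must match
# (type AND instance), which keeps the rule narrow: brute-force findings on
# other instances, or other finding types on this instance, are not archived.
build_criteria() {
  printf '{"Criterion":{"type":{"Eq":["%s"]},"resource.instanceDetails.instanceId":{"Eq":["%s"]}}}' "$1" "$2"
}

# Create the suppression rule. Findings matching it are auto-archived and are
# not forwarded to EventBridge, but they stay in GuardDuty as archived findings,
# so the team can still review them when investigating the host.
create_suppression_rule() {
  aws guardduty create-filter \
    --detector-id "$DETECTOR_ID" \
    --name "ftp-server-expected-connection-volume" \
    --description "Reviewed: known high-volume FTP server, accepted as benign" \
    --action ARCHIVE \
    --finding-criteria "$(build_criteria "$FINDING_TYPE" "$INSTANCE_ID")"
}

# Run only when executed as a script named suppress-ftp-finding.sh, not when sourced.
if [ "${0##*/}" = "suppress-ftp-finding.sh" ]; then
  create_suppression_rule
fi
```

After creating the rule, `aws guardduty list-filters --detector-id "$DETECTOR_ID"` confirms it exists, and the console's archived-findings view shows what it is suppressing, which is the check that distinguishes a suppression rule from simply disabling or deleting findings: nothing is lost, only the routine matches are moved out of the active queue.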