AWS Certified Security – Specialty (SCS-C02) — Question 63

A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization's delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts.
The company is performing control tests on specific GuardDuty findings to make sure that the company's security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account.
Why was the finding was not created in the Security Hub delegated administrator account?

Answer options

• A. VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
• B. The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
• C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
• D. Cross-Region aggregation in Security Hub was not configured.

Correct answer: B

Explanation

The finding was not created because the VPC where the EC2 instance was launched was configured with a custom OpenDNS resolver, which prevented GuardDuty from detecting the DNS findings. Option A is incorrect as VPC flow logs are not necessary for DNS finding generation. Option C is incorrect because the integration between GuardDuty and Security Hub was already set, and option D is irrelevant since the operation was conducted within a single region.