AWS Certified Security – Specialty — Question 192

A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure all GuardDuty findings are available in the security account.
What should the security engineer do to resolve this issue?

Answer options

Correct answer: D

Explanation

The correct answer is D because it uses the AWS CLI to check whether the compromised account is a member and sends an invitation to link it to the security account, which allows future findings to be forwarded. Options A and B do not address the fundamental issue of member account integration for GuardDuty findings. Option C incorrectly suggests checking permissions instead of establishing the necessary relationship between the accounts.