AWS Certified Security – Specialty — Question 264
A company deployed Amazon GuardDuty in the us-east-1 Region. The company wants all DNS logs that relate to the company's Amazon EC2 instances to be inspected.
What should a security engineer do to ensure that the EC2 instances are logged?
Answer options
- A. Use IPv6 addresses that are configured for hostnames.
- B. Configure external DNS resolvers as internal resolvers that are visible only to AWS.
- C. Use AWS DNS resolvers for all EC2 instances.
- D. Configure a third-party DNS resolver with logging for all EC2 instances.
Correct answer: C
Explanation
GuardDuty's DNS log data source is fed by the Amazon-provided DNS resolver (Route 53 Resolver), which answers at the VPC's primary CIDR base address plus two (for example 10.0.0.2 in 10.0.0.0/16) and at 169.254.169.253. Instances receive that resolver automatically when the VPC's DHCP options set specifies `domain-name-servers = AmazonProvidedDNS`, which is the default. GuardDuty reads these request and response logs internally; they do not need to be enabled and are not exposed to the account (Route 53 Resolver query logging is a separate feature and is not what GuardDuty consumes). If an instance is pointed at a third-party resolver such as 8.8.8.8, or at a self-managed resolver, its queries never pass through Route 53 Resolver and GuardDuty cannot see them, so DNS-based findings such as command-and-control or DNS exfiltration detections will not fire for that instance. Option D therefore does not help even with logging turned on at the third-party resolver, option A (IPv6 addressing) has no bearing on DNS log collection, and option B describes no supported configuration. The correct action is to make every EC2 instance use the AWS DNS resolvers (option C).
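The check a security engineer would actually run follows from the explanation: confirm that the VPC's DHCP options set hands out AmazonProvidedDNS and that each instance's resolver configuration points at the VPC+2 address or 169.254.169.253. The script below is an added example written for this page, not AWS code. It assumes an IPv4 primary VPC CIDR, takes `/etc/resolv.conf` text as input, and accepts a DHCP options dict shaped like one item of the boto3 `describe_dhcp_options()` response; the resolv.conf samples, the DHCP options dicts and the `dopt-example` identifier are constructed for the example.

```python
"""Check whether EC2 instances resolve DNS through the Amazon-provided resolver.

Added example (not from the page or AWS). Instances that resolve elsewhere are
invisible to GuardDuty's DNS log data source.
"""
import ipaddress
import re
from typing import List

# Fixed Amazon Route 53 Resolver addresses reachable from any VPC
# (IPv4 link-local address and the documented IPv6 address).
AMAZON_DNS_FIXED = {
    ipaddress.ip_address("169.254.169.253"),
    ipaddress.ip_address("fd00:ec2::253"),
}


def amazon_resolver_for_vpc(vpc_cidr: str) -> ipaddress.IPv4Address:
    """Return the VPC+2 address: the Amazon-provided resolver for the VPC's primary IPv4 CIDR."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if net.version != 4:
        raise ValueError("expected the VPC's primary IPv4 CIDR")
    return net.network_address + 2


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract 'nameserver' entries from /etc/resolv.conf text, ignoring comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"^nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def non_amazon_nameservers(vpc_cidr: str, resolv_conf: str) -> List[str]:
    """Nameservers that are NOT the Amazon-provided resolver.

    An empty list means every configured resolver goes through Route 53 Resolver,
    so GuardDuty can inspect the instance's DNS traffic.
    """
    allowed = AMAZON_DNS_FIXED | {amazon_resolver_for_vpc(vpc_cidr)}
    offenders = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            offenders.append(server)  # hostname or garbage: not the Amazon resolver
            continue
        if addr not in allowed:
            offenders.append(server)
    return offenders


def dhcp_options_use_amazon_dns(dhcp_options: dict) -> bool:
    """True if the options set hands out only AmazonProvidedDNS as domain-name-servers.

    `dhcp_options` mirrors one element of ec2.describe_dhcp_options()['DhcpOptions'].
    A missing domain-name-servers key is treated as not compliant (conservative).
    """
    for cfg in dhcp_options.get("DhcpConfigurations", []):
        if cfg.get("Key") == "domain-name-servers":
            values = [v.get("Value") for v in cfg.get("Values", [])]
            return values == ["AmazonProvidedDNS"]
    return False


# --- constructed sample inputs ------------------------------------------------
RESOLV_CONF_AMAZON = "# Generated by NetworkManager\nsearch ec2.internal\nnameserver 10.0.0.2\n"
RESOLV_CONF_THIRD_PARTY = "search ec2.internal\nnameserver 8.8.8.8\nnameserver 1.1.1.1\n"

DHCP_OPTIONS_DEFAULT = {  # constructed; shape follows describe_dhcp_options()
    "DhcpOptionsId": "dopt-example",
    "DhcpConfigurations": [
        {"Key": "domain-name", "Values": [{"Value": "ec2.internal"}]},
        {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]},
    ],
}
DHCP_OPTIONS_CUSTOM = {  # constructed: a set that bypasses Route 53 Resolver
    "DhcpOptionsId": "dopt-example",
    "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "8.8.8.8"}, {"Value": "8.8.4.4"}]},
    ],
}

if __name__ == "__main__":
    vpc = "10.0.0.0/16"
    print("Amazon resolver for", vpc, "is", amazon_resolver_for_vpc(vpc))
    for name, conf in (("amazon", RESOLV_CONF_AMAZON), ("third-party", RESOLV_CONF_THIRD_PARTY)):
        bad = non_amazon_nameservers(vpc, conf)
        print(f"{name}: {'covered by GuardDuty' if not bad else 'NOT covered, offenders ' + str(bad)}")
    print("default DHCP options compliant:", dhcp_options_use_amazon_dns(DHCP_OPTIONS_DEFAULT))
    print("custom DHCP options compliant:", dhcp_options_use_amazon_dns(DHCP_OPTIONS_CUSTOM))
```

In practice you would feed `non_amazon_nameservers` the output of `cat /etc/resolv.conf` collected through SSM Run Command and `dhcp_options_use_amazon_dns` the live `describe_dhcp_options()` result; note that a VPC+2 address from a different VPC is flagged as well, since only the instance's own VPC resolver carries its queries into GuardDuty.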