AWS Certified Security – Specialty — Question 275

A company uses Amazon GuardDuty to detect threats and malicious activities in AWS accounts. The company has subscribed to a third-party threat intelligence list uploaded to an Amazon S3 bucket.
How should the security engineer efficiently use the threat list across all company AWS accounts?

Answer options

• A. Ensure the S3 bucket policy allows all company AWS accounts access to the threat list. Use an AWS Lambda function to automatically add the threat list to all company AWS accounts.
• B. Ensure GuardDuty is in master-member configuration. Add the threat list to the master account referencing the S3 object that contains the threat list.
• C. Ensure all accounts are part of the same organization in AWS Organizations. Add the threat list to any company account within AWS Organizations.
• D. Ensure the threat list in the S3 bucket is publicly accessible. Use an Amazon CloudWatch Events event on GuardDuty findings to match IPs against the threat list.

Correct answer: B

Explanation

In Amazon GuardDuty, configuring a master-member (administrator-member) structure allows the master account to upload and manage threat lists, which are then automatically applied to and inherited by all associated member accounts. This centralized management eliminates the need to configure lists individually in each member account or write custom automation like AWS Lambda functions. Other options are incorrect because they either introduce unnecessary administrative overhead or compromise security by making sensitive threat intelligence data publicly accessible.