AWS Certified Security – Specialty — Question 368
A security engineer needs to implement automation for AWS resources at scale. The goal is to block traffic to and from suspicious remote hosts by specifying IP addresses that are associated with known command and control servers for botnets. The security engineer is using AWS Step Functions to orchestrate the solution.
What should the security engineer do to meet these requirements?
Answer options
- A. Use Amazon GuardDuty to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS WAF web ACL rule to block the traffic.
- B. Use Amazon GuardDuty to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS Network Firewall rule group to block the traffic.
- C. Use Amazon Inspector to detect suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS WAF web ACL rule to block the traffic.
- D. Use Traffic Mirroring. Direct the mirrored traffic to an Amazon EC2 instance that has the Amazon Inspector agent configured to search for suspicious communication. Use an Amazon DynamoDB table to store IP addresses of suspected malicious hosts. Use AWS Lambda functions to update the DynamoDB table and to update an AWS Network Firewall rule group to block the traffic.
Correct answer: B
Explanation
B is correct. Amazon GuardDuty analyzes VPC Flow Logs, DNS query logs and CloudTrail events and raises findings such as Backdoor:EC2/C&CActivity.B when an instance communicates with a known command and control server, so it is the right detection source. A finding can be routed (for example through an Amazon EventBridge rule) into the Step Functions workflow, where Lambda functions record the remote IP address in the DynamoDB table and add it to an AWS Network Firewall stateful rule group. Network Firewall sits in the VPC data path and a stateful rule can drop traffic in both directions, which is what "to and from suspicious remote hosts" requires; the rule group is a single resource that every firewall referencing it picks up, which is what makes the approach work at scale. A is wrong because AWS WAF inspects only inbound HTTP(S) requests to CloudFront, Application Load Balancer, API Gateway and a few other HTTP front ends; it cannot stop an instance's outbound connection to a C2 host. C is wrong because Amazon Inspector assesses EC2 instances and container images for software vulnerabilities and network reachability; it does not monitor live traffic for suspicious communication. D is wrong because the Inspector agent does not analyze mirrored packets at all, and Traffic Mirroring would require running and scaling a self-managed IDS on the target instance instead of using GuardDuty's managed detection.
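The Lambda step from option B, as an added example that is not part of the exam page or any AWS sample code: it pulls the remote IP out of a GuardDuty finding, records it in DynamoDB, and adds it to the IP set variable of a stateful Network Firewall rule group. Everything named here is an assumption for illustration: the RULE_GROUP_ARN and TABLE_NAME environment variables, the IP set variable C2_IPS and the single bidirectional drop rule that references it, the list of ranges that must never be blocked, and the constructed sample finding. The only AWS API calls used are networkfirewall describe_rule_group and update_rule_group and DynamoDB put_item; boto3 is imported lazily so the logic can be run offline against the in-memory fakes at the bottom.

```python
"""Added example (not the exam page's or AWS's code): the Lambda task behind
option B, invoked by a Step Functions state machine when a GuardDuty C&C finding
arrives. Assumed: env vars RULE_GROUP_ARN and TABLE_NAME, an IP set variable
named C2_IPS, and the constructed sample finding at the bottom."""
from __future__ import annotations
import copy
import ipaddress
import os

IPSET_NAME = "C2_IPS"  # assumed IP set variable referenced by BLOCK_RULE
# Suricata-compatible stateful rule; "<>" makes the drop bidirectional, so
# traffic both to and from a listed host is dropped (WAF cannot do outbound).
BLOCK_RULE = (f'drop ip any any <> ${IPSET_NAME} any '
              '(msg:"GuardDuty C2 block"; sid:1000001; rev:1;)')
# Assumed guard: never push internal or bogon ranges into a drop rule.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

def remote_ips_from_finding(event: dict) -> list[str]:
    """Remote IPv4 from a GuardDuty finding delivered via EventBridge. Only
    NETWORK_CONNECTION actions carry an IP; the ...!DNS variant carries a
    domain, so it (like any non-C&C finding) yields nothing."""
    detail = event.get("detail", {})
    if not detail.get("type", "").startswith("Backdoor:EC2/C&CActivity"):
        return []
    action = detail.get("service", {}).get("action", {})
    if action.get("actionType") != "NETWORK_CONNECTION":
        return []
    ip = (action.get("networkConnectionAction", {})
                .get("remoteIpDetails", {}).get("ipAddressV4"))
    if not ip:
        return []
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or any(addr in net for net in NEVER_BLOCK):
        return []
    return [str(addr)]

def merge_ipset(rule_group: dict, ips: list[str]) -> tuple[dict, bool]:
    """Return (updated copy of the rule-group body, changed?). IPs are added
    as /32 entries; the IP set and the drop rule are created if absent."""
    body = copy.deepcopy(rule_group)
    ipsets = body.setdefault("RuleVariables", {}).setdefault("IPSets", {})
    defn = ipsets.setdefault(IPSET_NAME, {}).setdefault("Definition", [])
    body.setdefault("RulesSource", {}).setdefault("RulesString", BLOCK_RULE)
    changed = False
    for ip in ips:
        if f"{ip}/32" not in defn:
            defn.append(f"{ip}/32")
            changed = True
    return body, changed

def handler(event: dict, context=None, *, nfw=None, table=None) -> dict:
    """Lambda entry point; clients are injectable so the flow runs offline."""
    ips = remote_ips_from_finding(event)
    if not ips:
        return {"blocked": [], "rule_group_updated": False}
    if nfw is None or table is None:
        import boto3  # lazy import: the module loads without boto3 installed
        nfw = nfw or boto3.client("network-firewall")
        table = table or boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
    arn = os.environ.get("RULE_GROUP_ARN", "arn:aws:network-firewall:us-east-1:"
                         "123456789012:stateful-rulegroup/block-c2")  # placeholder
    for ip in ips:  # evidence trail: which finding caused the block
        table.put_item(Item={"ip": ip, "finding_id": event["detail"].get("id", "")})
    # UpdateToken is optimistic concurrency: a concurrent writer invalidates it and
    # update_rule_group raises InvalidTokenException; a Step Functions Retry reruns this.
    current = nfw.describe_rule_group(RuleGroupArn=arn, Type="STATEFUL")
    body, changed = merge_ipset(current["RuleGroup"], ips)
    if changed:
        nfw.update_rule_group(UpdateToken=current["UpdateToken"],
                              RuleGroupArn=arn, RuleGroup=body)
    return {"blocked": ips, "rule_group_updated": changed}

class FakeNetworkFirewall:
    """Constructed in-memory stand-in for the two Network Firewall calls."""
    def __init__(self):
        self.rule_group = {"RulesSource": {"RulesString": BLOCK_RULE},
            "RuleVariables": {"IPSets": {IPSET_NAME: {"Definition": ["203.0.113.9/32"]}}}}
        self.token, self.updates = "tok-1", 0
    def describe_rule_group(self, **_):
        return {"RuleGroup": copy.deepcopy(self.rule_group), "UpdateToken": self.token}
    def update_rule_group(self, UpdateToken, RuleGroup, **_):
        if UpdateToken != self.token:
            raise RuntimeError("InvalidTokenException")  # stale token, like the real API
        self.rule_group, self.updates = RuleGroup, self.updates + 1
        self.token = f"tok-{self.updates + 1}"
        return {"UpdateToken": self.token}

class FakeTable:
    """Constructed stand-in for a boto3 DynamoDB Table."""
    def __init__(self): self.items = []
    def put_item(self, Item): self.items.append(Item)

SAMPLE_FINDING = {"detail": {  # constructed, shaped like a GuardDuty finding on EventBridge
    "id": "abcd1234", "type": "Backdoor:EC2/C&CActivity.B",
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "OUTBOUND", "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}}}}

if __name__ == "__main__":
    fw, tbl = FakeNetworkFirewall(), FakeTable()
    print(handler(SAMPLE_FINDING, nfw=fw, table=tbl), fw.rule_group["RuleVariables"])
```

In the state machine this runs as a Task state with a Retry on the token error, since two findings arriving close together will both read the same UpdateToken and the second update_rule_group call fails; rerunning the whole describe/merge/update sequence is safe because merge_ipset is idempotent. The IP set only ever grows here; a separate scheduled step that expires entries from the DynamoDB table and rebuilds the set keeps the rule group within its size limits.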