AWS Certified Security – Specialty — Question 379
A company recently had a security audit in which the auditors identified multiple potential threats. These threats can cause usage pattern changes such as DNS access peaks, abnormal instance traffic, abnormal network interface traffic, and unusual Amazon S3 API calls. The threats can come from different sources and can occur at any time. The company needs to implement a solution that continuously monitors its environment and identifies all of these incoming threats in near-real time.
Which solution will meet these requirements?
Answer options
- A. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon CloudWatch Logs to manage these logs from a centralized account.
- B. Enable AWS CloudTrail logs, VPC flow logs, and DNS logs. Use Amazon Macie to monitor these logs from a centralized account.
- C. Enable Amazon GuardDuty from a centralized account. Use GuardDuty to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
- D. Enable Amazon Inspector from a centralized account. Use Amazon Inspector to manage AWS CloudTrail logs, VPC flow logs, and DNS logs.
Correct answer: C
Explanation
Amazon GuardDuty is a managed threat detection service that continuously analyzes AWS CloudTrail event logs (management events and S3 data events), VPC flow logs, and DNS logs for malicious activity and unauthorized behavior. That coverage maps directly onto the patterns in the question: DNS query anomalies come from the DNS logs, suspicious instance and network interface traffic from the VPC flow logs, and unusual S3 API calls from CloudTrail. GuardDuty reads these sources through its own independent data streams, so you do not have to enable or deliver CloudTrail, flow logs, or DNS logging yourself (option C's wording that GuardDuty "manages" the logs is loose; it consumes them). Enabling GuardDuty in a delegated administrator account and auto-enabling it for member accounts gives the centralized view, and each finding is published to Amazon EventBridge as it is generated, which is what provides the near-real-time detection. Option A is wrong because Amazon CloudWatch Logs centralizes, stores, and searches logs but has no built-in threat intelligence or anomaly detection for these patterns. Option B is wrong because Amazon Macie discovers and protects sensitive data in Amazon S3; it does not analyze CloudTrail, flow, or DNS logs for threats. Option D is wrong because Amazon Inspector scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure; it is not a log-based threat detector.
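To make the "near-real time" part concrete, the following is an added example (not part of the original question or of any AWS sample) of what sits downstream of GuardDuty once it is enabled: the EventBridge rule pattern that selects findings, a minimal matcher for that pattern, and triage logic that turns a finding's type, severity, and action into a routing decision and records which log source (DNS logs, VPC flow logs, or CloudTrail) produced it. The event envelope (`source` "aws.guardduty", `detail-type` "GuardDuty Finding"), the finding type grammar `ThreatPurpose:Resource/Family.Mechanism!Artifact`, the severity ranges, and the `actionType` values follow GuardDuty's documented format; the routing thresholds, the `route` labels, and the sample findings are constructed for this example.

```python
"""Route Amazon GuardDuty findings delivered through EventBridge (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass

# EventBridge rule pattern: GuardDuty findings of Medium severity (4.0) or higher.
# The numeric filter runs inside EventBridge, before any target is invoked.
FINDING_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4.0]}]},
}

# GuardDuty action types mapped to the data source that produced the finding.
ACTION_SOURCE = {
    "DNS_REQUEST": "DNS logs",
    "NETWORK_CONNECTION": "VPC flow logs",
    "PORT_PROBE": "VPC flow logs",
    "AWS_API_CALL": "CloudTrail",
}


@dataclass(frozen=True)
class FindingType:
    """Parts of a GuardDuty type string: ThreatPurpose:Resource/Family.Mechanism!Artifact."""
    threat_purpose: str
    resource: str
    threat_family: str
    detection_mechanism: str | None
    artifact: str | None


def parse_finding_type(type_str: str) -> FindingType:
    purpose, rest = type_str.split(":", 1)
    resource, rest = rest.split("/", 1)
    artifact = None
    if "!" in rest:
        rest, artifact = rest.split("!", 1)
    family, _, mechanism = rest.partition(".")
    return FindingType(purpose, resource, family, mechanism or None, artifact)


def severity_label(score: float) -> str:
    """GuardDuty's documented ranges: Low 1.0-3.9, Medium 4.0-6.9, High 7.0 and above."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def matches_rule(event: dict, pattern: dict = FINDING_RULE_PATTERN) -> bool:
    """Minimal EventBridge matcher: exact value lists plus the single numeric clause used above."""
    if event.get("source") not in pattern["source"]:
        return False
    if event.get("detail-type") not in pattern["detail-type"]:
        return False
    op, bound = pattern["detail"]["severity"][0]["numeric"]
    score = float(event["detail"]["severity"])
    return {">=": score >= bound, ">": score > bound,
            "<=": score <= bound, "<": score < bound}[op]


def triage(event: dict) -> dict:
    """Turn one matched finding into a routing decision (routes are this example's own)."""
    finding = event["detail"]
    ftype = parse_finding_type(finding["type"])
    label = severity_label(finding["severity"])
    action = finding["service"]["action"]["actionType"]
    return {
        "id": finding["id"],
        "account": finding["accountId"],
        "severity": label,
        "route": {"High": "page-oncall", "Medium": "open-ticket"}.get(label, "log-only"),
        "affected": ftype.resource,
        "log_source": ACTION_SOURCE.get(action, "other"),
        "signal": f"{ftype.threat_purpose} via {ftype.threat_family}",
    }


def route_findings(events: list[dict]) -> list[dict]:
    """Apply the rule pattern, then triage everything that passes it."""
    return [triage(e) for e in events if matches_rule(e)]


def _gd(fid: str, ftype: str, severity: float, action: str) -> dict:
    """Build a constructed GuardDuty event in the EventBridge envelope (sample data, not real)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"id": fid, "accountId": "123456789012", "type": ftype,
                   "severity": severity, "service": {"action": {"actionType": action}}},
    }


# Constructed sample events: three findings that should route, one Low finding the
# rule drops, and one non-GuardDuty event that must not match at all.
SAMPLE_EVENTS = [
    _gd("finding-dns-1", "Backdoor:EC2/C&CActivity.B!DNS", 8.0, "DNS_REQUEST"),
    _gd("finding-probe-1", "Recon:EC2/PortProbeUnprotectedPort", 2.0, "PORT_PROBE"),
    _gd("finding-s3-1", "Discovery:S3/MaliciousIPCaller", 5.0, "AWS_API_CALL"),
    _gd("finding-iam-1", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
        8.0, "AWS_API_CALL"),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    print(json.dumps(route_findings(SAMPLE_EVENTS), indent=2))
```

In production the `FINDING_RULE_PATTERN` dict is what you would pass to `aws events put-rule --event-pattern`, and `triage` would run inside the rule's Lambda target; the severity filter belongs in the rule rather than in code so that Low findings never invoke anything, while still being retained in GuardDuty for later review.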