AWS Certified Security – Specialty — Question 399
A security engineer needs to implement an intrusion detection system (IDS) for a shipping company. The findings from the system must generate alerts that can be sent to an email distribution group that the company’s operations team uses. The security engineer must maximize the coverage that the IDS provides.
Which combination of steps should the security engineer take to meet these requirements? (Choose two.)
Answer options
- A. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture all traffic.
- B. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture accepted traffic.
- C. Configure Amazon GuardDuty. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
- D. Configure AWS Security Hub. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
- E. Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Configure an AWS Lambda function to analyze VPC flow logs and to inspect all flow log traffic that matches the ACCEPT filter type.
Correct answer: A, C
Explanation
Amazon GuardDuty is the AWS-native IDS in this scenario. To maximize its coverage it needs the broadest telemetry: an AWS CloudTrail trail that records management events and Amazon S3 data events, plus VPC flow logs for all VPCs that capture all traffic, both accepted and rejected (options B and E capture only accepted traffic and so would miss rejected connection attempts), which makes option A correct. To deliver the alerts to the operations team, the standard, scalable approach is to route GuardDuty finding events through an Amazon EventBridge rule to an Amazon SNS topic with the team's email distribution group subscribed to it, which makes option C correct.
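The wiring from option C and the coverage check behind option A, as an added example that is not part of the original question page or of any AWS sample. The EventBridge pattern, SNS topic policy and pattern matcher are pure functions that run offline against a constructed sample finding; `apply()` performs the real setup with boto3 and assumes boto3 is installed, credentials are configured, and the topic name `guardduty-findings`, rule name `guardduty-to-sns` and the optional severity floor are all choices made for this example.

```python
"""GuardDuty -> EventBridge -> SNS alerting, plus a flow-log coverage check.

Added example, not from the original page. Names, the severity floor and the
sample finding are assumptions/constructed values; see comments.
"""
import json


def guardduty_event_pattern(min_severity=None):
    """EventBridge event pattern matching GuardDuty finding events.

    min_severity is an optional, hypothetical floor (GuardDuty severities run
    0.1-8.9); None forwards every finding, which is what option C describes.
    """
    pattern = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
    if min_severity is not None:
        pattern["detail"] = {"severity": [{"numeric": [">=", min_severity]}]}
    return pattern


def sns_topic_policy(topic_arn, rule_arn):
    """Topic policy letting EventBridge publish to the topic.

    Without this statement the rule target is silently dropped, so the ops
    mailing list never receives anything.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgePublish",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
            "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
        }],
    }


def _numeric_ok(value, spec):
    # spec is EventBridge's operator/bound list, e.g. [">=", 4] or [">", 0, "<=", 5]
    ops = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
           "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
           "=": lambda a, b: a == b}
    return all(ops[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def event_matches(pattern, event):
    """Local evaluator for the subset of EventBridge pattern syntax used above,
    so the rule can be sanity-checked against a sample finding without AWS access."""
    for key, allowed in pattern.items():
        if key == "detail":
            detail = event.get("detail", {})
            for field, conds in allowed.items():
                value = detail.get(field)
                for cond in conds:
                    if value is None or not _numeric_ok(value, cond["numeric"]):
                        return False
        elif event.get(key) not in allowed:
            return False
    return True


def flow_log_gaps(flow_logs):
    """IDs of flow logs that do not capture ALL traffic (the option A vs B/E point).

    flow_logs is the 'FlowLogs' list returned by ec2 describe-flow-logs.
    """
    return [fl["FlowLogId"] for fl in flow_logs if fl.get("TrafficType") != "ALL"]


# Constructed sample, shaped like a real GuardDuty EventBridge event.
SAMPLE_FINDING = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {"severity": 5, "type": "Recon:EC2/PortProbeUnprotectedPort"},
}


def apply(ops_email, region="us-east-1", min_severity=None):
    """Perform the real setup. Assumes boto3 and AWS credentials are available."""
    import boto3  # imported lazily so the pure functions above run offline
    gd = boto3.client("guardduty", region_name=region)
    if not gd.list_detectors()["DetectorIds"]:
        gd.create_detector(Enable=True)
    sns = boto3.client("sns", region_name=region)
    topic_arn = sns.create_topic(Name="guardduty-findings")["TopicArn"]
    # The distribution group must confirm the subscription from the email SNS sends.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=ops_email)
    events = boto3.client("events", region_name=region)
    rule_arn = events.put_rule(
        Name="guardduty-to-sns", State="ENABLED",
        EventPattern=json.dumps(guardduty_event_pattern(min_severity)))["RuleArn"]
    sns.set_topic_attributes(TopicArn=topic_arn, AttributeName="Policy",
                             AttributeValue=json.dumps(sns_topic_policy(topic_arn, rule_arn)))
    events.put_targets(Rule="guardduty-to-sns", Targets=[{"Id": "ops-sns", "Arn": topic_arn}])
    ec2 = boto3.client("ec2", region_name=region)
    return flow_log_gaps(ec2.describe_flow_logs()["FlowLogs"])  # non-empty means reduced coverage


if __name__ == "__main__":
    print(json.dumps(guardduty_event_pattern(), indent=2))
    print("sample finding matches:", event_matches(guardduty_event_pattern(), SAMPLE_FINDING))
```

The matcher covers only the exact-match and `numeric` operators the example pattern uses; `apply()` returns the list of flow logs still set to `ACCEPT` or `REJECT` so the engineer can see where coverage falls short of option A.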