AWS Certified Security – Specialty — Question 449
A company wants to deploy a continuous security threat-detection service at scale to automatically analyze all the company’s member accounts in AWS Organizations within the ap-east-1 Region. The company’s organization includes a management account, a security account, and many member accounts. When the company creates a new member account, the threat-detection service should automatically analyze the new account so that the company can review any findings from the security account.
Which solution uses AWS security best practices and meets these requirements with the LEAST effort?
Answer options
- A. Activate Amazon GuardDuty in ap-east-1. Designate the security account as the GuardDuty delegated administrator by using the console.
- B. Activate Amazon GuardDuty in ap-east-1 with trusted access to AWS Organizations. Designate the management account as the GuardDuty organization administrator.
- C. Activate AWS Security Hub in ap-east-1. Designate the management account as the Security Hub delegated administrator by using the console.
- D. Activate AWS Control Tower in ap-east-1 with trusted access to AWS Organizations. Designate the security account as the organization administrator.
Correct answer: A
Explanation
Amazon GuardDuty is the AWS managed threat-detection service, and delegating its administration to a dedicated security account follows the AWS best practice of keeping day-to-day security operations out of the management account (least privilege for the most powerful account in the organization). The designation itself is a one-time action that must be performed from the management account (console, CLI or API); it also turns on trusted access for GuardDuty in AWS Organizations, so no separate step is needed for that. From then on the security account owns GuardDuty: it creates the regional detector in ap-east-1, sets the organization configuration to auto-enable GuardDuty for all member accounts, and reviews the findings that member accounts report to it. With auto-enable applied to all accounts, every existing member and every account created later is enrolled without any per-account invitation, which is what makes this the least-effort option. A practical check after setup is to confirm from the security account that the organization configuration reports auto-enable for all members and that each member shows as enabled. Options B and C are incorrect because they place administration in the management account (and Security Hub aggregates and scores findings rather than performing threat detection), while Option D refers to AWS Control Tower, a landing-zone governance tool rather than a threat-detection service.
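The four-step procedure above, as an added example that is not part of the exam page: step 1 runs with management-account credentials, steps 2 to 4 with security-account credentials. The `mgmt` and `sec` parameters accept a real boto3 GuardDuty client (`boto3.client("guardduty", region_name="ap-east-1")`); the `FakeGuardDuty` class, the account IDs and the detector ID are constructed here so the script runs offline and are not real AWS resources.

```python
# Added example: Amazon GuardDuty enabled organization-wide with the security
# account as delegated administrator. Pass real boto3 GuardDuty clients for
# `mgmt` (management account) and `sec` (security account); FakeGuardDuty below
# is a constructed offline stand-in, not the boto3 client.

REGION = "ap-east-1"  # region from the question; clients must be created in it


def designate_delegated_admin(mgmt, security_account_id):
    """Step 1 (management account only): make the security account the delegated
    administrator. This call also enables trusted access for GuardDuty in
    AWS Organizations."""
    mgmt.enable_organization_admin_account(AdminAccountId=security_account_id)
    admins = mgmt.list_organization_admin_accounts()["AdminAccounts"]
    enabled = {a["AdminAccountId"] for a in admins if a["AdminStatus"] == "ENABLED"}
    if security_account_id not in enabled:
        raise RuntimeError("delegated administrator not enabled: %s" % enabled)
    return security_account_id


def ensure_detector(sec):
    """Step 2 (security account): reuse the regional detector or create one."""
    ids = sec.list_detectors()["DetectorIds"]
    if ids:
        return ids[0]
    resp = sec.create_detector(Enable=True, FindingPublishingFrequency="FIFTEEN_MINUTES")
    return resp["DetectorId"]


def auto_enable_all_members(sec, detector_id):
    """Step 3 (security account): AutoEnableOrganizationMembers="ALL" enrolls every
    account already in the organization and every account that joins later, so no
    per-account invitation is needed when a new member account is created."""
    sec.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers="ALL"
    )
    cfg = sec.describe_organization_configuration(DetectorId=detector_id)
    if cfg.get("AutoEnableOrganizationMembers") != "ALL":
        raise RuntimeError("auto-enable not applied: %r" % cfg)
    return cfg["AutoEnableOrganizationMembers"]


def unenrolled_members(sec, detector_id):
    """Step 4 (security account): member accounts whose GuardDuty is not active."""
    members = sec.list_members(DetectorId=detector_id, OnlyAssociated="false")["Members"]
    return sorted(m["AccountId"] for m in members if m["RelationshipStatus"] != "Enabled")


def enable_org_threat_detection(mgmt, sec, security_account_id):
    """Runs the whole procedure and returns a summary worth recording in a change ticket."""
    designate_delegated_admin(mgmt, security_account_id)
    detector_id = ensure_detector(sec)
    setting = auto_enable_all_members(sec, detector_id)
    return {"detector_id": detector_id, "auto_enable": setting,
            "pending": unenrolled_members(sec, detector_id)}


class FakeGuardDuty:
    """Constructed offline stand-in mimicking the boto3 GuardDuty responses used above."""

    def __init__(self, members):
        self.admins, self.detectors, self.auto_enable, self.calls = [], [], "NONE", []
        self.members = members  # constructed list of org member accounts

    def enable_organization_admin_account(self, AdminAccountId):
        self.calls.append("enable_organization_admin_account")
        self.admins.append({"AdminAccountId": AdminAccountId, "AdminStatus": "ENABLED"})
        return {}

    def list_organization_admin_accounts(self):
        return {"AdminAccounts": list(self.admins)}

    def list_detectors(self):
        return {"DetectorIds": list(self.detectors)}

    def create_detector(self, Enable, FindingPublishingFrequency):
        self.calls.append("create_detector")
        self.detectors.append("12abc34d567e8fa901bc2d34e56789f0")  # constructed ID
        return {"DetectorId": self.detectors[-1]}

    def update_organization_configuration(self, DetectorId, AutoEnableOrganizationMembers):
        self.calls.append("update_organization_configuration")
        self.auto_enable = AutoEnableOrganizationMembers
        if AutoEnableOrganizationMembers == "ALL":  # ALL covers existing members too
            for m in self.members:
                m["RelationshipStatus"] = "Enabled"
        return {}

    def describe_organization_configuration(self, DetectorId):
        return {"AutoEnable": self.auto_enable != "NONE",
                "AutoEnableOrganizationMembers": self.auto_enable}

    def list_members(self, DetectorId, OnlyAssociated):
        return {"Members": [dict(m) for m in self.members]}


def demo():
    """Offline run with constructed account IDs (not real accounts)."""
    members = [{"AccountId": "222222222222", "RelationshipStatus": "Created"},
               {"AccountId": "333333333333", "RelationshipStatus": "Created"}]
    mgmt, sec = FakeGuardDuty([]), FakeGuardDuty(members)
    summary = enable_org_threat_detection(mgmt, sec, "111111111111")
    return summary, mgmt.calls + sec.calls


if __name__ == "__main__":
    print(demo())
```

Against a real organization, replace the two fakes with boto3 clients built from management-account and security-account credentials; every call used here is a documented GuardDuty API, and the `RuntimeError` checks are the verification step a reviewer would want before closing the change.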