AWS Certified Security – Specialty — Question 47

An organization wants to be alerted when an unauthorized Amazon EC2 instance in its VPC performs a network port scan against other instances in the VPC.
When the Security team performs its own internal tests in a separate account by using pre-approved third-party scanners from the AWS Marketplace, the Security team also then receives multiple Amazon GuardDuty events from Amazon CloudWatch alerting on its test activities.
How can the Security team suppress alerts about authorized security tests while still receiving alerts about the unauthorized activity?

Answer options

• A. Use a filter in AWS CloudTrail to exclude the IP addresses of the Security team's EC2 instances.
• B. Add the Elastic IP addresses of the Security team's EC2 instances to a trusted IP list in Amazon GuardDuty.
• C. Install the Amazon Inspector agent on the EC2 instances that the Security team uses.
• D. Grant the Security team's EC2 instances a role with permissions to call Amazon GuardDuty API operations.

Correct answer: B

Explanation

The correct answer is B because adding the Elastic IP addresses to a trusted IP list in Amazon GuardDuty allows the service to recognize the scans from authorized EC2 instances as legitimate and not trigger alerts. Option A is incorrect as filtering in AWS CloudTrail does not directly influence GuardDuty's alerting mechanism. Option C does not prevent GuardDuty alerts and is focused on vulnerability assessments. Option D does not address the issue of suppressing alerts for authorized activities.