AWS Certified Solutions Architect – Associate (SAA-C02) — Question 757

A company's web application consists of multiple Amazon EC2 instances that run behind an Application Load Balancer in a VPC. An Amazon RDS for MySQL DB instance contains the data. The company needs the ability to automatically detect and respond to suspicious or unexpected behavior in its AWS environment. The company already has added AWS WAF to its architecture.
What should a solutions architect do next to protect against threats?

Answer options

• A. Use Amazon GuardDuty to perform threat detection. Configure Amazon EventBridge (Amazon CloudWatch Events) to filter for GuardDuty findings and to invoke an AWS Lambda function to adjust the AWS WAF rules.
• B. Use AWS Firewall Manager to perform threat detection. Configure Amazon EventBridge (Amazon CloudWatch Events) to filter for Firewall Manager findings and to invoke an AWS Lambda function to adjust the AWS WAF web ACL.
• C. Use Amazon Inspector to perform threat detection and to update the AWS WAF rules. Create a VPC network ACL to limit access to the web application.
• D. Use Amazon Macie to perform threat detection and to update the AWS WAF rules. Create a VPC network ACL to limit access to the web application.

Correct answer: A

Explanation

Amazon GuardDuty is designed for continuous monitoring and intelligent threat detection across AWS accounts, making it the ideal service to identify suspicious behavior. By combining GuardDuty with Amazon EventBridge and AWS Lambda, the system can dynamically update AWS WAF rules in real-time to block malicious actors. Other services like AWS Firewall Manager (for policy management), Amazon Inspector (for vulnerability scanning), and Amazon Macie (for sensitive data discovery) do not offer this type of automated threat response functionality.