AWS Certified DevOps Engineer – Professional — Question 122
A company has a single AWS account where active development occurs. The company's security team has implemented Amazon GuardDuty, AWS Config, and AWS CloudTrail within the account. The security team wants to receive notifications in near real time for only high-severity findings from GuardDuty. The security team uses an Amazon Simple Notification Service (Amazon SNS) topic for notifications from other security tools in the account.
How can a DevOps engineer meet these requirements?
Answer options
- A. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects GuardDuty findings. Use an input transformer to detect high-severity event patterns. Configure the rule to publish a message to the SNS topic.
- B. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule that detects noncompliance with the guardduty-non-archived-findings AWS Config managed rule for high-severity GuardDuty findings. Configure the EventBridge (CloudWatch Events) rule to publish a message to the SNS topic.
- C. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty ListFindings API calls with a high severity level. Configure the rule to publish a message to the SNS topic.
- D. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern that matches GuardDuty findings that have a high severity level within the event. Configure the rule to publish a message to the SNS topic.
Correct answer: D
Explanation
Answer D is correct because the EventBridge rule's event pattern filters on the finding itself: GuardDuty publishes each finding as an event on the account's default event bus, so a pattern that matches a high severity value inside the event delivers only those findings to the existing SNS topic, in near real time. Answer A is wrong because an input transformer reshapes the event payload that is passed to the target; it does not decide which events match the rule. Answer C is wrong because a pattern for ListFindings API calls would match CloudTrail records of someone querying findings, not the findings themselves. Answer B is wrong because it relies on AWS Config noncompliance (evaluated against the guardduty-non-archived-findings managed rule) instead of reacting directly to GuardDuty findings.
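The following is an added example, not part of the original question set or of any AWS documentation. It shows the event pattern that answer D describes, using EventBridge's numeric matching on the finding's severity field, and a small matcher that applies EventBridge's matching semantics (every field in the pattern must be present in the event and match one of the listed alternatives; extra event fields are ignored) to constructed sample events. The severity bands are taken from GuardDuty's documented scale, where High is 7.0 to 8.9; the sample findings, their IDs and the matcher itself are assumptions made for illustration.

```python
"""
Added example: an EventBridge event pattern selecting only high-severity
GuardDuty findings, plus a minimal matcher that mimics EventBridge's
pattern-matching rules so the pattern can be checked offline.
The sample events are constructed, not real GuardDuty output.
"""
import json

# Event pattern attached to the EventBridge rule (answer D). GuardDuty
# publishes findings on the default event bus with this source and
# detail-type. Severity is numeric, so a numeric filter selects the
# High band (7.0 to 8.9). Drop the "<", 9 bound if findings above the
# High band should also notify the team.
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7, "<", 9]}]},
}

_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _numeric_match(value, spec):
    """spec looks like [">=", 7, "<", 9]; every operator/bound pair must hold."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[op](value, bound) for op, bound in zip(spec[::2], spec[1::2]))


def _field_match(value, alternatives):
    """A leaf matches if the event value satisfies any listed alternative."""
    for alt in alternatives:
        if isinstance(alt, dict) and "numeric" in alt:
            if _numeric_match(value, alt["numeric"]):
                return True
        elif value == alt:
            return True
    return False


def matches(pattern, event):
    """EventBridge semantics: every pattern key must exist in the event and match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches(expected, event[key]):
                return False
        elif not _field_match(event[key], expected):
            return False
    return True


def _finding(severity, finding_type="Recon:EC2/PortProbeUnprotectedPort"):
    # Constructed finding event; the id is a placeholder, not a real finding.
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {"severity": severity, "type": finding_type, "id": "example-finding-id"},
    }


SAMPLE_EVENTS = {
    "low": _finding(2.0),
    "medium": _finding(5.0),
    "high": _finding(8.0, "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"),
    # A CloudTrail record of a ListFindings call, the kind of event answer C
    # would match: it describes someone querying findings, not a finding.
    "api_call": {
        "source": "aws.guardduty",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {"eventName": "ListFindings"},
    },
}


def select_high_severity(events):
    """Return the names of the sample events the rule would forward to SNS."""
    return sorted(name for name, ev in events.items() if matches(HIGH_SEVERITY_PATTERN, ev))


if __name__ == "__main__":
    print(json.dumps(HIGH_SEVERITY_PATTERN, indent=2))
    print(select_high_severity(SAMPLE_EVENTS))
```

Only the constructed "high" event is forwarded; the low and medium findings fail the numeric filter and the CloudTrail API-call record fails on detail-type before severity is even consulted, which is the distinction between answers C and D.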