AWS Certified DevOps Engineer – Professional — Question 164
A company has a VPC that consists of a public subnet and a private subnet. The company has an application that runs on Amazon EC2 instances that are in the private subnet. An Application Load Balancer is in the public subnet and distributes traffic to the EC2 instances.
The company has enabled Amazon GuardDuty for the account. The company’s DevOps team has a list of external IP ranges that is updated each day. The list is stored in an Amazon S3 bucket in the account. A DevOps engineer needs to configure GuardDuty to create a GuardDuty finding when traffic to the application originates from an IP range in the external IP range list.
Which solution will meet these requirements?
Answer options
- A. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the publicIp filter attribute.
- B. Configure a threat list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the threat list in GuardDuty to match the list of external IP ranges in the S3 bucket.
- C. Configure a trusted IP list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the trusted IP list in GuardDuty to match the list of external IP ranges in the S3 bucket.
- D. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the localIp filter attribute.
Correct answer: B
Explanation
The correct answer is B. A GuardDuty threat list (threat intel set) is a list of IP addresses or CIDR ranges, read from an object in S3, for which GuardDuty generates findings whenever traffic flows between the account's resources and a listed address. That is exactly what the question asks for. GuardDuty ingests the list only when it is created or updated, so changing the S3 object alone is not enough: the daily EventBridge-scheduled Lambda function must call the GuardDuty update API (with activation) after the object changes so that the new ranges take effect. Option C is incorrect because a trusted IP list has the opposite effect: GuardDuty suppresses findings for traffic involving the listed addresses. Options A and D are incorrect because finding filters (on attributes such as publicIp or localIp) only match findings that already exist, to filter or archive them; they cannot cause GuardDuty to generate a new finding.
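As an added example that is not part of the original question or its explanation, the following Python Lambda handler performs the daily refresh step from option B with boto3: it looks up the threat list by name on the account's detector and calls update_threat_intel_set with Activate=True (creating the list on the first run). The list name, the S3 location and the FakeGuardDuty stub are constructed for this example.

```python
THREAT_LIST_NAME = "external-ip-ranges"  # constructed name for this example
# Constructed S3 object URI; a TXT threat list holds one IP or CIDR per line.
THREAT_LIST_LOCATION = "https://s3.amazonaws.com/example-threat-list-bucket/external-ips.txt"


def refresh_threat_list(guardduty, detector_id, name, location):
    """Create the named threat list if it is missing, otherwise update it with
    Activate=True so GuardDuty re-reads the S3 object the DevOps team refreshed.
    Returns (threat_intel_set_id, "created" | "updated")."""
    for set_id in guardduty.list_threat_intel_sets(DetectorId=detector_id)["ThreatIntelSetIds"]:
        details = guardduty.get_threat_intel_set(DetectorId=detector_id, ThreatIntelSetId=set_id)
        if details["Name"] == name:
            # GuardDuty only ingests the list on create/update, so editing the S3
            # object alone is not enough: this daily update call picks up the new ranges.
            guardduty.update_threat_intel_set(DetectorId=detector_id, ThreatIntelSetId=set_id,
                                              Name=name, Location=location, Activate=True)
            return set_id, "updated"
    created = guardduty.create_threat_intel_set(DetectorId=detector_id, Name=name, Format="TXT",
                                                Location=location, Activate=True)
    return created["ThreatIntelSetId"], "created"


def handler(event, context):
    """Lambda entry point invoked by the daily EventBridge rule."""
    import boto3  # imported here so refresh_threat_list() stays testable without the SDK
    guardduty = boto3.client("guardduty")
    detector_id = guardduty.list_detectors()["DetectorIds"][0]  # one detector per region
    set_id, action = refresh_threat_list(guardduty, detector_id, THREAT_LIST_NAME, THREAT_LIST_LOCATION)
    return {"threatIntelSetId": set_id, "action": action}


class FakeGuardDuty:
    """In-memory stand-in for the boto3 GuardDuty client, constructed for offline runs."""
    def __init__(self, sets=None):
        self.sets, self.calls = dict(sets or {}), []
    def list_threat_intel_sets(self, DetectorId):
        return {"ThreatIntelSetIds": list(self.sets)}
    def get_threat_intel_set(self, DetectorId, ThreatIntelSetId):
        return self.sets[ThreatIntelSetId]
    def update_threat_intel_set(self, DetectorId, ThreatIntelSetId, **kwargs):
        self.calls.append(("update", ThreatIntelSetId, kwargs))
        self.sets[ThreatIntelSetId].update(Location=kwargs["Location"], Status="ACTIVATING")
    def create_threat_intel_set(self, DetectorId, **kwargs):
        self.calls.append(("create", kwargs["Name"], kwargs))
        self.sets["tis-constructed-1"] = dict(kwargs, Status="ACTIVATING")
        return {"ThreatIntelSetId": "tis-constructed-1"}
```

The Lambda's execution role needs guardduty:ListDetectors, ListThreatIntelSets, GetThreatIntelSet, CreateThreatIntelSet and UpdateThreatIntelSet, and GuardDuty itself must be able to read the S3 object.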