Which solution will meet these requirements in the MOST operationally efficient way?
Attach service control policies (SCPs) to the root of the organization to identify the failed login attempts.
Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the organization.
Publish the Aurora general logs to a log group in Amazon CloudWatch Logs. Export the log data to a central Amazon S3 bucket.
Publish all the Aurora PostgreSQL database events in AWS CloudTrail to a central Amazon S3 bucket.
Explanations:
Service Control Policies (SCPs) are used to manage permissions across AWS accounts within an organization, but they do not specifically detect or prevent abnormal failed or incomplete login attempts to Amazon Aurora PostgreSQL databases. SCPs control access to AWS services, not database-level activity monitoring.
Enabling the Amazon RDS Protection feature in GuardDuty for member accounts helps to detect suspicious activity, including abnormal failed login attempts to Amazon Aurora PostgreSQL databases. GuardDuty provides continuous threat detection and can identify anomalous behavior related to database login attempts, meeting the requirement for identifying malicious activity.
Publishing Aurora general logs to CloudWatch Logs and exporting them to an S3 bucket is a valid logging solution but requires additional manual analysis or automation for detecting failed login attempts. This approach does not provide automated detection of abnormal behavior as efficiently as GuardDuty.
CloudTrail logs can capture database events, but they do not focus on specific login activity or anomalies. Exporting CloudTrail logs to an S3 bucket requires manual or additional automation for detecting abnormal login attempts. GuardDuty offers a more efficient solution for identifying suspicious activity.