Which combination of steps should the security engineer take to meet these requirements?
(Choose two.)
Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture all traffic.
Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Create VPC flow logs for all VPCs. Specify for the flow logs to capture accepted traffic.
Configure Amazon GuardDuty. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
Configure AWS Security Hub. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to forward finding events to an Amazon Simple Notification Service (Amazon SNS) topic.
Create an AWS CloudTrail trail to capture management events and Amazon S3 data events. Configure an AWS Lambda function to analyze VPC flow logs and to inspect all flow log traffic that matches the ACCEPT filter type.
Explanations:
AWS CloudTrail can capture management and S3 data events, providing visibility into API calls and S3 actions. VPC flow logs can capture network traffic across all VPCs, giving comprehensive network visibility. Capturing all traffic (not just accepted) maximizes coverage, as it includes both allowed and denied traffic, which is critical for an IDS.
While CloudTrail and VPC flow logs are useful, capturing only accepted traffic does not maximize coverage. For IDS, monitoring both allowed and denied traffic is important to identify suspicious or unauthorized activities that may not be accepted by default network policies.
Amazon GuardDuty provides threat detection, which can identify malicious activity and generate findings. By forwarding GuardDuty findings to an SNS topic through EventBridge, alerts can be automatically sent to the operations team’s email distribution group. This maximizes coverage by detecting and responding to threats.
AWS Security Hub aggregates security findings from multiple services but does not provide IDS-like functionality by itself. While it integrates with EventBridge and SNS, it does not offer the same detailed traffic monitoring and threat detection as GuardDuty. Thus, it is not the best solution for maximizing IDS coverage.
While CloudTrail and VPC flow logs are useful, configuring an AWS Lambda function to analyze traffic may require custom coding and isn’t the most efficient or scalable approach for maximizing IDS coverage. Additionally, it doesn’t offer built-in threat detection capabilities like GuardDuty.
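As an added example (not part of the exam material), a small Python audit over constructed boto3-shaped responses that checks the three settings the correct options depend on: a flow log with TrafficType ALL on every VPC, a trail event selector covering management and S3 object data events, and an EventBridge pattern that routes GuardDuty findings. The sample data, the function names and the simplified top-level pattern matcher are assumptions made for the example.

```python
"""Audit helpers for the IDS-coverage setup in options A and C. The sample
data is constructed to mimic boto3 output shapes (ec2.describe_flow_logs,
cloudtrail.get_event_selectors) and a GuardDuty finding as delivered to
EventBridge; nothing here calls AWS."""

# Constructed samples: vpc-2 only logs ACCEPT traffic, vpc-3 has no flow log.
SAMPLE_VPCS = ["vpc-1", "vpc-2", "vpc-3"]
SAMPLE_FLOW_LOGS = {"FlowLogs": [
    {"ResourceId": "vpc-1", "TrafficType": "ALL", "FlowLogStatus": "ACTIVE"},
    {"ResourceId": "vpc-2", "TrafficType": "ACCEPT", "FlowLogStatus": "ACTIVE"},
]}
SAMPLE_SELECTORS = {"EventSelectors": [{
    "ReadWriteType": "All", "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]}],
}]}
SAMPLE_FINDING = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                  "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort"}}
# EventBridge event pattern that selects every GuardDuty finding (option C).
GUARDDUTY_FINDING_PATTERN = {"source": ["aws.guardduty"],
                             "detail-type": ["GuardDuty Finding"]}

def vpcs_without_full_flow_logs(flow_logs_response, vpc_ids):
    """VPCs lacking an ACTIVE flow log with TrafficType ALL (option A).
    An ACCEPT-only log (option B) leaves rejected traffic unseen."""
    covered = {fl["ResourceId"] for fl in flow_logs_response.get("FlowLogs", [])
               if fl.get("TrafficType") == "ALL"
               and fl.get("FlowLogStatus") == "ACTIVE"}
    return sorted(v for v in vpc_ids if v not in covered)

def trail_covers_management_and_s3(selectors_response):
    """True if a basic event selector logs management events plus S3 object
    data events. Assumes basic (not advanced) event selectors are in use."""
    for sel in selectors_response.get("EventSelectors", []):
        has_s3 = any(dr.get("Type") == "AWS::S3::Object"
                     for dr in sel.get("DataResources", []))
        if sel.get("IncludeManagementEvents") and has_s3:
            return True
    return False

def pattern_matches(pattern, event):
    """Minimal top-level EventBridge matcher: each pattern key lists the
    values accepted for that field of the event."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())

def audit():
    """Gaps against the two chosen options, evaluated on the sample data."""
    return {"vpcs_missing_all_traffic": vpcs_without_full_flow_logs(SAMPLE_FLOW_LOGS, SAMPLE_VPCS),
            "trail_ok": trail_covers_management_and_s3(SAMPLE_SELECTORS),
            "finding_routed": pattern_matches(GUARDDUTY_FINDING_PATTERN, SAMPLE_FINDING)}
```

Swap the sample dictionaries for the real boto3 responses to run the same checks against an account.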