What should the security engineer do to resolve this issue?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company is using AWS Organizations to manage multiple AWS member accounts.All of these accounts have Amazon GuardDuty enabled in all Regions.The company’s AWS Security Operations Center has a centralized security account for logging and monitoring.One of the member accounts has received an excessively high bill.A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency.The Security OperationsCenter did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance.The security engineer needs to ensure all GuardDuty findings are available in the security account.

What should the security engineer do to resolve this issue?

Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.

Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.

Check that GuardDuty in the security account is able to assume a role in the compromised account using the guardduty;listfindings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.

Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.

Explanations:

Setting up a CloudWatch Events rule to forward GuardDuty findings using a Lambda function to raise findings does not ensure that all findings are centralized in the security account. Instead, it merely creates additional findings based on existing ones without properly integrating GuardDuty findings from the member accounts into the centralized account.

Similar to option A, using a CloudWatch Events rule to forward GuardDuty findings to the security account and then raising them in AWS Security Hub does not provide a proper solution for centralizing findings. This option also fails to guarantee that all GuardDuty findings will be available in the security account, as it does not integrate GuardDuty findings directly.

Checking if the GuardDuty in the security account can assume a role in the compromised account is not necessary for forwarding findings. GuardDuty findings should be shared automatically across accounts in an AWS Organization. Scheduling a CloudWatch Events rule to periodically check for findings does not ensure real-time or complete visibility of findings from member accounts.

This option correctly identifies that using the AWS CLI to check if the security account is a member of the GuardDuty setup in the compromised account and then sending an invitation for membership allows the centralized account to receive all future GuardDuty findings from the member account. This is the proper way to ensure all findings are available in the centralized security account.

2025-10-03

1 Comment

  1. Roger
    Author

    From what I’ve heard, the answer is:
    Use the aws guardduty get-members AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.

Leave a Reply

Your email address will not be published. Required fields are marked *

19 − twelve =