How should the security engineer efficiently use the threat list across all company AWS accounts?
A. Ensure the S3 bucket policy allows all company AWS accounts access to the threat list. Use an AWS Lambda function to automatically add the threat list to all company AWS accounts.
B. Ensure GuardDuty is in master-member configuration. Add the threat list to the master account referencing the S3 object that contains the threat list.
C. Ensure all accounts are part of the same organization in AWS Organizations. Add the threat list to any company account within AWS Organizations.
D. Ensure the threat list in the S3 bucket is publicly accessible. Use an Amazon CloudWatch Events event on GuardDuty findings to match IPs against the threat list.
Explanations:
A. Using a Lambda function to add the threat list to every AWS account introduces unnecessary complexity. GuardDuty does not need the threat list to be referenced in each account separately; a centralized approach is better.
B. This is the correct approach. With GuardDuty in a master-member configuration, the threat list is added once in the master account and is available across all member accounts. This is efficient and simplifies the management of GuardDuty settings.
C. While using AWS Organizations for centralized management is good practice, simply adding the threat list to any account within the organization does not ensure proper integration with GuardDuty. The threat list must be referenced in the master account for it to propagate to all member accounts.
D. Making the S3 bucket publicly accessible introduces unnecessary security risk. In addition, using CloudWatch Events to match IPs against the threat list is not an efficient way to integrate threat intelligence, since GuardDuty can consume threat lists directly.