What should a security engineer do to ensure that the EC2 instances are logged?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company deployed Amazon GuardDuty in the us-east-1 Region.The company wants all DNS logs that relate to the company’s Amazon EC2 instances to be inspected.

What should a security engineer do to ensure that the EC2 instances are logged?

Use IPv6 addresses that are configured for hostnames.

Configure external DNS resolvers as internal resolvers that are visible only to AWS.

Use AWS DNS resolvers for all EC2 instances.

Configure a third-party DNS resolver with logging for all EC2 instances.

Explanations:

Using IPv6 addresses for hostnames does not ensure that DNS logs are collected. The DNS resolution must be handled through an AWS-managed DNS service to enable GuardDuty to inspect logs.

Configuring external DNS resolvers as internal resolvers visible only to AWS does not facilitate logging in GuardDuty. GuardDuty relies on AWS-native services for DNS logging and inspection.

Using AWS DNS resolvers (such as Amazon Route 53 or the default VPC DNS) ensures that all DNS queries made by the EC2 instances are logged and can be inspected by Amazon GuardDuty, thus fulfilling the requirement.

Configuring a third-party DNS resolver with logging does not integrate with Amazon GuardDuty. GuardDuty is designed to work with AWS-native services, and logs from third-party services will not be inspected by GuardDuty.

2025-10-04

1 Comment

  1. Harold
    Author

    I weigh that the answer is:
    Use AWS DNS resolvers for all EC2 instances.

Leave a Reply to Harold Cancel reply

Your email address will not be published. Required fields are marked *

two × two =