Which combination of steps should a DevOps engineer take to prevent future violations?
(Choose two.)
Delegate AWS Firewall Manager to a security account.
Delegate Amazon GuardDuty to a security account.
Create an AWS Firewall Manager policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Create an Amazon GuardDuty policy to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Configure an AWS Config managed rule to attach AWS WAF web ACLs to any newly created ALBs and API Gateway APIs.
Explanations:
Delegating AWS Firewall Manager to a security account allows for centralized management of security policies across the organization, ensuring that all externally facing ALBs and API Gateway APIs are consistently associated with AWS WAF web ACLs.
Amazon GuardDuty is a threat detection service that monitors AWS accounts and workloads for malicious activity and unauthorized behavior. It does not have capabilities to enforce compliance regarding AWS WAF web ACLs on ALBs or API Gateway APIs.
Creating an AWS Firewall Manager policy to attach AWS WAF web ACLs to newly created ALBs and API Gateway APIs automates compliance and ensures that any new resources are protected as per the company’s security requirements.
Amazon GuardDuty does not have the capability to enforce policies like attaching AWS WAF web ACLs to ALBs or API Gateway APIs. It primarily provides insights and alerts regarding security threats.
While AWS Config can monitor compliance, it does not automatically attach AWS WAF web ACLs to newly created ALBs and API Gateway APIs. AWS Config managed rules can identify non-compliant resources, but on their own they provide no means of enforcing automatic remediation such as attaching a web ACL.
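As an added example (not part of the question or its answer set), this builds the Firewall Manager WAFv2 policy the two correct answers describe, in the document shape `aws fms put-policy --policy file://policy.json` accepts, and previews which resources its remediation would associate with the managed web ACL on a constructed inventory; the policy name, ARNs and account id are placeholders, and the web-ACL name-prefix check is an assumption made for the example.

```python
import json

ALB = "AWS::ElasticLoadBalancingV2::LoadBalancer"
API_STAGE = "AWS::ApiGateway::Stage"
FMS_ACL_PREFIX = "FMManagedWebACLV2-"  # name prefix FMS gives the web ACLs it creates (assumed here)

def build_fms_waf_policy(name="edge-waf-baseline", override_customer_acl=False):
    """Policy document for `aws fms put-policy --policy file://policy.json`."""
    # ManagedServiceData is itself a JSON string embedded in the JSON policy document.
    managed_service_data = {
        "type": "WAFV2",
        "preProcessRuleGroups": [{
            "ruleGroupType": "ManagedRuleGroup",
            "managedRuleGroupIdentifier": {"vendorName": "AWS", "version": None,
                                           "managedRuleGroupName": "AWSManagedRulesCommonRuleSet"},
            "overrideAction": {"type": "NONE"}, "excludeRules": []}],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": override_customer_acl,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {"Type": "WAFV2",
                                      "ManagedServiceData": json.dumps(managed_service_data)},
        "ResourceType": "ResourceTypeList",  # more than one resource type -> ResourceTypeList
        "ResourceTypeList": [ALB, API_STAGE],
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,  # False would only report non-compliance, as AWS Config does
    }

def plan_associations(policy, inventory):
    """ARNs the policy would associate with its web ACL: in-scope type and either no web ACL
    or, when overrideCustomerWebACLAssociation is true, a web ACL FMS did not create."""
    if not policy["RemediationEnabled"]:
        return []  # detection only: nothing gets attached
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    override = msd["overrideCustomerWebACLAssociation"]
    return [r["arn"] for r in inventory if r["type"] in policy["ResourceTypeList"]
            and (r["web_acl"] is None or (override and not r["web_acl"].startswith(FMS_ACL_PREFIX)))]

# Constructed inventory for the example; ARNs and the account id are placeholders.
INVENTORY = [
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/public/1", "type": ALB, "web_acl": None},
    {"arn": "arn:aws:apigateway:us-east-1::/restapis/a1b2c3/stages/prod", "type": API_STAGE, "web_acl": None},
    {"arn": "arn:aws:apigateway:us-east-1::/restapis/a1b2c3/stages/dev", "type": API_STAGE, "web_acl": FMS_ACL_PREFIX + "edge-waf-baseline"},
    {"arn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/legacy/2", "type": ALB, "web_acl": "team-custom-acl"},
    {"arn": "arn:aws:cloudfront::111111111111:distribution/EPLACEHOLDER", "type": "AWS::CloudFront::Distribution", "web_acl": None},
]
```

Run from the delegated Firewall Manager administrator account; the policy is then applied across the organization rather than per account, which is what makes the remediation hold for ALBs and API stages created later.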