Which solution will meet these requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A company has a VPC that consists of a public subnet and a private subnet.The company has an application that runs on Amazon EC2 instances that are in the private subnet.An Application Load Balancer is in the public subnet and distributes traffic to the EC2 instances.The company has enabled Amazon GuardDuty for the account.The company’s DevOps team has a list of external IP ranges that is updated each day.The list is stored in an Amazon S3 bucket in the account.A DevOps engineer needs to configure GuardDuty to create a GuardDuty finding when traffic to the application originates from an IP range in the external IP range list.

Which solution will meet these requirements?

Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the publicIp filter attribute.

Configure a threat list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the threat list in GuardDuty to match the list of external IP ranges in the S3 bucket.

Configure a trusted IP list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the trusted IP list in GuardDuty to match the list of external IP ranges in the S3 bucket.

Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to retrieve the most recent list of external IP ranges from the S3 bucket. For each IP range in the list, configure the Lambda function to create a GuardDuty finding filter on the localIp filter attribute.

Explanations:

GuardDuty does not support creating a finding filter directly through Lambda functions. Instead, it allows using a threat list, which can trigger findings when there is traffic from an external IP.

GuardDuty allows for the use of a threat list, which can be populated with IP ranges from an S3 bucket. The Lambda function can refresh this list daily, ensuring it reflects the updated external IP ranges.

GuardDuty’s trusted IP list is used to whitelist IPs, not for identifying malicious or unwanted traffic. The correct use case is the threat list, not the trusted IP list.

GuardDuty finding filters are based on external IPs (public IPs), not local IPs. The publicIp filter is appropriate for identifying external threats, not the localIp filter.

2025-10-02

1 Comment

  1. Shirley
    Author

    From what I’ve seen, the answer is:
    Configure a threat list in GuardDuty. Set the source as the list of external IP ranges in the S3 bucket. Create an Amazon EventBridge rule that runs daily and invokes an AWS Lambda function. Configure the Lambda function to refresh the threat list in GuardDuty to match the list of external IP ranges in the S3 bucket.

Leave a Reply to Shirley Cancel reply

Your email address will not be published. Required fields are marked *

18 + eleven =