Which solution will meet these requirements in accordance with AWS best practices?
A. In the organization’s management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.
B. In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.
C. In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
D. In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
Explanations:
A. This option designates a GuardDuty administrator account from the organization’s management account and adds the existing AWS accounts to it as members. An EventBridge rule in the administrator account forwards GuardDuty findings to the SNS topic, which meets the requirement to detect compromised EC2 instances and suspicious activity and to send notifications. This is the correct answer.
B. Although this option also uses GuardDuty and EventBridge, it relies on invitations and a CloudFormation stack set to deploy the rule into every account. That is more complex than the requirement calls for and is not AWS best practice, because it complicates the integration of GuardDuty with EventBridge.
C. This option combines CloudTrail, VPC Flow Logs, and Security Hub but has no direct integration with GuardDuty, which the requirement specifically names for detecting suspicious activity. GuardDuty provides more specific and actionable findings for this use case.
D. This option likewise combines CloudTrail, Security Hub, and VPC Flow Logs but lacks direct GuardDuty integration for detecting compromised EC2 instances and suspicious activity, which is a key part of the solution. Managing CloudTrail and Security Hub adds complexity without being as effective for this use case.
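The rule in the correct option stands or falls on its event pattern: if the pattern does not match the findings GuardDuty emits, nothing ever reaches the SNS topic. The following Python is an added example, not part of the exam page or of any AWS SDK. It reproduces EventBridge's matching rules locally (exact values, `numeric` comparisons, `prefix`, nested keys) so a defender can test a candidate pattern against sample findings before deploying it. The pattern, the severity threshold, the sample events, and the placeholder account ids and ARNs in the comments are all constructed for this example.

```python
"""Offline check of an EventBridge event pattern for a GuardDuty -> SNS rule.

Added example: the matcher below re-implements the subset of EventBridge pattern
semantics used here; it is not AWS code. Sample events are constructed.
"""
import json
import operator

# Pattern for the EventBridge rule in the GuardDuty administrator account.
# "source"/"detail-type" select every GuardDuty finding; the severity floor of 4
# (medium and above) is an assumption of this example, not from the page.
GUARDDUTY_TO_SNS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}

# Provisioning with the AWS CLI (not executed here; placeholders in angle brackets):
#   aws guardduty enable-organization-admin-account --admin-account-id <ADMIN_ACCOUNT_ID>
#   aws guardduty create-members --detector-id <DETECTOR_ID> \
#       --account-details AccountId=<MEMBER_ACCOUNT_ID>,Email=<MEMBER_EMAIL>
#   aws events put-rule --name guardduty-to-sns --event-pattern file://pattern.json
#   aws events put-targets --rule guardduty-to-sns --targets Id=sns,Arn=<SNS_TOPIC_ARN>

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}


def rule_pattern_json():
    """The JSON string you would write to pattern.json for put-rule."""
    return json.dumps(GUARDDUTY_TO_SNS_PATTERN)


def _value_matches(value, spec):
    """One entry of a pattern list against one event value."""
    if isinstance(spec, dict):
        if "numeric" in spec:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                return False
            ops = spec["numeric"]  # e.g. [">", 0, "<=", 5]
            return all(_OPS[ops[i]](value, ops[i + 1]) for i in range(0, len(ops), 2))
        if "prefix" in spec:
            return isinstance(value, str) and value.startswith(spec["prefix"])
        raise ValueError(f"unsupported matcher: {spec}")
    return value == spec


def event_matches(pattern, event):
    """EventBridge semantics: every pattern key must exist in the event; a list
    means 'any of these values'; a dict recurses into the nested object."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(spec, dict):
            if not isinstance(actual, dict) or not event_matches(spec, actual):
                return False
        else:
            # An event field may itself be a list; any element matching counts.
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(_value_matches(v, s) for v in candidates for s in spec):
                return False
    return True


def _finding(event_id, finding_type, severity):
    """Constructed GuardDuty finding event in the EventBridge envelope shape."""
    return {
        "version": "0", "id": event_id, "detail-type": "GuardDuty Finding",
        "source": "aws.guardduty", "account": "111122223333", "region": "us-east-1",
        "detail": {"schemaVersion": "2.0", "accountId": "111122223333",
                   "type": finding_type, "severity": severity},
    }


SAMPLE_EVENTS = [
    _finding("gd-finding-1", "UnauthorizedAccess:EC2/SSHBruteForce", 5),
    _finding("gd-finding-2", "Recon:EC2/PortProbeUnprotectedPort", 2),
    {"version": "0", "id": "ec2-state-1", "source": "aws.ec2",
     "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]


def select_for_sns(events, pattern=GUARDDUTY_TO_SNS_PATTERN):
    """Ids of the events the rule would forward to the SNS topic."""
    return [e["id"] for e in events if event_matches(pattern, e)]


if __name__ == "__main__":
    print("pattern:", rule_pattern_json())
    print("forwarded to SNS:", select_for_sns(SAMPLE_EVENTS))
```

Run as a script it prints the pattern and the ids it would forward; the low-severity probe and the unrelated EC2 state change are filtered out while the SSH brute-force finding reaches the topic. Tightening or loosening the `severity` filter is the usual tuning knob for notification volume.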