Which solution will meet these requirements in accordance with AWS best practices?
In the organization’s management account, configure an AWS account as the Amazon GuardDuty administrator account. In the GuardDuty administrator account, add the company’s existing AWS accounts to GuardDuty as members. In the GuardDuty administrator account, create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic.
In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.
In the organization’s management account, create an AWS CloudTrail organization trail. Activate the organization trail in all AWS accounts in the organization. Create an SCP that enables VPC Flow Logs in each account in the organization Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
In the organization’s management account, configure an AWS account as the AWS CloudTrail administrator account. In the CloudTrail administrator account, create a CloudTrail organization trail. Add the company’s existing AWS accounts to the organization trail. Create an SCP that enables VPC Flow Logs in each account in the organization. Configure AWS Security Hub for the organization. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with an event pattern to match Security Hub events and to forward matching events to the SNS topic.
Explanations:
While setting up Amazon GuardDuty in the management account and forwarding events to SNS via EventBridge is a valid approach, it doesn’t fully address the creation of an automatic process for handling new accounts in the future. GuardDuty in the admin account needs to be manually configured for new accounts rather than relying on a CloudFormation stack set or automated process.
This option correctly addresses both existing and future accounts. By using GuardDuty with AWS Organizations and creating an automatic invitation process for new accounts, plus using CloudFormation StackSets to deploy EventBridge rules, the solution ensures consistency across accounts for detecting and notifying suspicious activity.
This option relies on CloudTrail and Security Hub, but the requirement is specifically to detect compromised EC2 instances, suspicious network activity, and unusual API activity, which GuardDuty is better suited to handle. CloudTrail and Security Hub are more for auditing and compliance, not for detecting real-time threats like GuardDuty.
Similar to option C, this option uses CloudTrail and Security Hub, which are less appropriate for real-time detection of compromised instances or suspicious activity. GuardDuty is a more specialized service for threat detection and should be the primary service for this use case. Additionally, SCPs are unnecessary for enabling VPC Flow Logs in this scenario.
I design that the answer is:
In the organization’s management account, configure Amazon GuardDuty to add newly created AWS accounts by invitation and to send invitations to the existing AWS accounts. Create an AWS CloudFormation stack set that accepts the GuardDuty invitation and creates an Amazon EventBridge (Amazon CloudWatch Events) rule. Configure the rule with an event pattern to match GuardDuty events and to forward matching events to the SNS topic. Configure the CloudFormation stack set to deploy into all AWS accounts in the organization.