Question 37
Domain 6: Security and Compliance

A company's video streaming platform usage has increased from 10,000 users each day to 50,000 users each day in multiple countries. The company deploys the streaming platform on Amazon Elastic Kubernetes Service (Amazon EKS). The EKS workload scales up to thousands of nodes during peak viewing time. The company's users report occurrences of unauthorized logins. Users also report sudden interruptions and logouts from the platform. The company wants additional security measures for the entire platform. The company also needs a summarized view of the resource behaviors and interactions across the company's entire AWS environment. The summarized view must show login attempts, API calls, and network traffic. The solution must permit network traffic analysis while minimizing the overhead of managing logs. The solution must also quickly investigate any potential malicious behavior that is associated with the EKS workload. Which solution will meet these requirements?
Correct answer: B
Explanation
Amazon GuardDuty for EKS Audit Log Monitoring helps detect unauthorized logins and suspicious Kubernetes activity, while Amazon Detective provides a "summarized view of the resource behaviors and interactions" across AWS, including "login attempts, API calls, and network traffic." Enabling EKS audit logs in Detective supports investigation of malicious behavior with minimal log-management overhead because Detective can analyze those logs without requiring separate manual correlation.
Why each option is right or wrong
A. Enable Amazon GuardDuty for EKS Audit Log Monitoring. Enable AWS CloudTrail logs. Store the EKS audit logs and CloudTrail log files in an Amazon S3 bucket. Use Amazon Athena to create an external table. Use Amazon QuickSight to create a dashboard.
Athena and QuickSight require building and maintaining custom log analysis instead of managed investigation workflows.
B. Enable Amazon GuardDuty for EKS Audit Log Monitoring. Enable Amazon Detective in the company's AWS account. Enable EKS audit logs from optional source packages in Detective.
GuardDuty's EKS Audit Log Monitoring is the AWS-managed control that inspects Kubernetes audit events for suspicious authentication and API activity, which fits the reported unauthorized logins and abrupt session disruptions in the EKS workload. Detective is the service that provides the cross-account, cross-service behavior graph and can ingest and analyze login attempts, API calls, and VPC flow/network data; enabling EKS audit logs as an optional source package lets Detective investigate Kubernetes activity without the customer having to build and maintain separate log correlation pipelines.
C. Enable Amazon CloudWatch Container Insights. Enable AWS CloudTrail logs. Store the EKS audit logs and CloudTrail log files in an Amazon S3 bucket. Use Amazon Athena to create an external table. Use Amazon QuickSight to create a dashboard.
Container Insights focuses on observability and performance metrics, not security investigation across identities, APIs, and traffic.
D. Enable Amazon GuardDuty for EKS Audit Log Monitoring. Enable Amazon CloudWatch Container Insights and VPC Flow Logs. Enable AWS CloudTrail logs.
CloudWatch and VPC Flow Logs collect telemetry, but they do not provide the same summarized investigative graph view.