Question 2
Domain 1: Threat Detection and Incident Response
A company is using AWS Organizations to manage multiple AWS member accounts. All of these accounts have Amazon GuardDuty enabled in all Regions. The company's AWS Security Operations Center has a centralized security account for logging and monitoring. One of the member accounts has received an excessively high bill. A security engineer discovers that a compromised Amazon EC2 instance is being used to mine cryptocurrency. The Security Operations Center did not receive a GuardDuty finding in the central security account, but there was a GuardDuty finding in the account containing the compromised EC2 instance. The security engineer needs to ensure that all GuardDuty findings are available in the security account. What should the security engineer do to resolve this issue?
Correct answer: D
Explanation
AWS Organizations does not automatically centralize GuardDuty findings; the security account must invite each member account as a GuardDuty member, and the member account must accept. The answer follows the GuardDuty member workflow: use `get-members` to verify whether the account is already a member, then send an invitation and accept it so that findings are forwarded to the security account.
Why each option is right or wrong
A. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings.
CloudWatch Events forwarding is a custom workaround, not the native GuardDuty multi-account aggregation model.
B. Set up an Amazon CloudWatch Events rule to forward all GuardDuty findings to the security account. Use an AWS Lambda function as a target to raise findings in AWS Security Hub.
Security Hub can aggregate security findings, but the root cause here is the missing GuardDuty member association, which this option does not fix.
C. Check that GuardDuty in the security account is able to assume a role in the compromised account using the GuardDuty fast findings permission. Schedule an Amazon CloudWatch Events rule and an AWS Lambda function to periodically check for GuardDuty findings.
GuardDuty does not require periodic polling by a Lambda function when the administrator-member relationship is configured correctly; findings are delivered to the administrator account automatically.
D. Use the `aws guardduty get-members` AWS CLI command in the security account to see if the account is listed. Send an invitation from GuardDuty in the security account to GuardDuty in the compromised account. Accept the invitation to forward all future GuardDuty findings.
Amazon GuardDuty findings are only centralized in an administrator account when the member account is explicitly associated as a GuardDuty member; AWS Organizations membership alone does not forward findings across accounts. Under the GuardDuty member workflow, the security account should first verify membership with `GetMembers`, then send a GuardDuty invitation from the security account and have the compromised account accept it, so that future findings are published to the central detector. Without that acceptance, the finding remains only in the member account, which is why the SOC did not receive it.