Question 6
Domain 1: Threat Detection and Incident Response
A global company that deals with international finance is investing heavily in cryptocurrencies and wants to experiment with mining technologies using AWS. The company's security team has enabled Amazon GuardDuty and is concerned by the number of findings being generated by the accounts. The security team wants to minimize the possibility of GuardDuty finding false negatives for compromised instances that are performing mining. How can the security team continue using GuardDuty while meeting these requirements?
Correct answer: D
Explanation
GuardDuty is a threat-detection service, and the exam guide says to use “AWS Security Finding Format (ASFF)” and “automating remediation by using AWS services (for example, AWS Lambda… AWS Systems Manager runbooks).” A Lambda function can parse the GuardDuty cryptocurrency finding, extract the instance ID, and Systems Manager Run Command can validate whether a mining process is running, reducing false negatives.
Why each option is right or wrong
A. In the GuardDuty console, select the CryptoCurrency:EC2/BitcoinTool.B!DNS finding and use the suppress findings option.
Suppressing findings hides alerts instead of validating whether mining is truly occurring.
B. Create a custom AWS Lambda function to process newly detected GuardDuty alerts. Process the CryptoCurrency:EC2/BitcoinTool.B!DNS alert and filter out the high-severity finding types only.
Filtering only high-severity alerts misses lower-severity compromise signals and does not validate mining activity.
C. When creating a new Amazon EC2 instance, provide the instance with a specific tag that indicates it is performing mining operations. Create a custom AWS Lambda function to process newly detected GuardDuty alerts and filter for the presence of this tag.
Instance tags do not prove a mining process is running on the EC2 host.
D. When GuardDuty produces a cryptocurrency finding, process the finding with a custom AWS Lambda function to extract the instance ID from the finding. Then use AWS Systems Manager Run Command to check for a running process performing mining operations.
AWS GuardDuty generates findings in AWS Security Finding Format (ASFF), which includes the affected resource details needed to identify the compromised EC2 instance; using AWS Lambda to parse the finding and extract the instance ID is a standard incident-response automation pattern called out in the exam guide. AWS Systems Manager Run Command can then execute a command on that instance without SSH, letting the team validate whether a mining process is actually running and reduce false negatives by confirming the alert against live host state.
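The Lambda-side logic behind option D, as an added example that is not part of the original question or of AWS's own code. It assumes the finding arrives through an EventBridge rule (GuardDuty's native finding JSON places the instance under detail.resource.instanceDetails.instanceId), uses the managed AWS-RunShellScript document, and treats the list of miner process names as an assumption to be tuned per environment.

```python
# Added example: parse a GuardDuty cryptocurrency finding, extract the instance ID,
# and build the Systems Manager Run Command request that checks for a miner process.
# The boto3 call is kept inside the handler so the pure logic can run and be tested offline.

# Constructed sample of an EventBridge event carrying a GuardDuty finding (not real data).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 5,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
    },
}

# Assumed process names; tune to the environment (miners are often renamed).
MINER_PATTERN = "xmrig|minerd|cpuminer|ethminer"


def extract_instance_id(event):
    """Return the EC2 instance ID for cryptocurrency findings on instances, else None."""
    detail = event.get("detail", {})
    if not detail.get("type", "").startswith("CryptoCurrency:"):
        return None  # other finding families are handled by other playbooks
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def build_run_command(instance_id):
    """Build send_command parameters that list processes matching MINER_PATTERN."""
    check = ("ps -eo pid,user,comm,args | grep -iE '%s' | grep -v grep "
             "|| echo NO_MINER_FOUND" % MINER_PATTERN)
    return {
        "InstanceIds": [instance_id],
        "DocumentName": "AWS-RunShellScript",  # managed SSM document
        "Comment": "GuardDuty cryptocurrency finding validation",
        "Parameters": {"commands": [check]},
    }


def classify_output(stdout):
    """Interpret Run Command stdout: a confirmed miner process or a likely false positive."""
    text = stdout.strip()
    return "miner_confirmed" if text and "NO_MINER_FOUND" not in text else "no_miner_process"


def lambda_handler(event, context):
    instance_id = extract_instance_id(event)
    if instance_id is None:
        return {"action": "ignored"}
    import boto3  # imported here so parsing stays testable without AWS credentials
    resp = boto3.client("ssm").send_command(**build_run_command(instance_id))
    return {"action": "validating", "instanceId": instance_id,
            "commandId": resp["Command"]["CommandId"]}
```

The command output is fetched later (for example with get_command_invocation) and passed to classify_output; only a confirmed miner process should drive further remediation.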