Question 22
Domain 2: Security and Compliance
A company recently enabled AWS CloudTrail and VPC Flow Logs in a new AWS account. The security team wants to automatically analyze this telemetry to detect suspicious activity with minimal setup and without building custom analytics tools. Which action best meets these requirements?
Correct answer: A
Explanation
Amazon GuardDuty is a managed threat detection service that automatically analyzes telemetry, including “AWS CloudTrail, VPC Flow Logs, and DNS logs,” to identify suspicious activity. It meets the need for “minimal setup” because it is fully managed and avoids building custom analytics tools.
Why each option is right or wrong
A. Enable Amazon GuardDuty for the account to continuously analyze AWS CloudTrail, VPC Flow Logs, and DNS logs for threats.
Amazon GuardDuty is the AWS-managed threat detection service that natively ingests and analyzes CloudTrail management events, VPC Flow Logs, and DNS query logs without requiring you to build parsers, rules, or a SIEM pipeline. It is enabled per account/Region and begins continuous monitoring immediately, so it satisfies the “minimal setup” requirement while providing automated detection of suspicious activity such as reconnaissance, credential misuse, and anomalous network behavior.
B. Create an Amazon Athena table over the CloudTrail logs and have analysts run ad hoc SQL queries for unusual events.
Athena lets analysts query the logs, but detection depends on people writing and running queries, so it is neither automatic nor free of custom analytics work, and it covers only the CloudTrail logs in the table, not VPC Flow Logs.
C. Use AWS Config rules to track configuration changes and send an email whenever a rule becomes noncompliant.
AWS Config evaluates resource configuration against rules; it does not analyze CloudTrail or VPC Flow Logs telemetry for suspicious activity, so it does not address the requirement.
D. Deploy an intrusion detection system (IDS) on Amazon EC2 instances and manually configure it to ingest all log files.
A self-managed IDS on EC2 requires deploying, maintaining, and manually configuring the tooling and its log ingestion, which contradicts the "minimal setup" and "without building custom analytics tools" requirements.
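As an added example (not part of the original question bank), the following Python code shows the two halves of answer A in practice: ensuring an enabled GuardDuty detector exists in an account/Region with boto3, and triaging the findings GuardDuty then publishes through EventBridge. The sample event and its values are constructed; the Critical severity band and the presence of boto3 are assumptions.

```python
# Added example (not from the original question bank): enable GuardDuty with
# boto3, then triage the findings it publishes through EventBridge.

# Documented GuardDuty severity bands (Critical 9.0-10.0 is assumed here for
# the newer finding types that use it).
SEVERITY_BANDS = [(9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW")]


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity (1.0-10.0) to its named band."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "UNKNOWN"  # GuardDuty does not emit scores below 1.0


def triage_finding(event: dict, alert_threshold: float = 7.0) -> dict:
    """Summarise one 'GuardDuty Finding' EventBridge event and decide whether
    it should alert; only documented event fields are read."""
    d = event["detail"]
    score = float(d["severity"])
    return {
        "type": d["type"],  # e.g. Recon:EC2/PortProbeUnprotectedPort
        "severity": severity_label(score),
        "resource": d["resource"]["resourceType"],
        "account": d["accountId"],
        "alert": score >= alert_threshold,
    }


def enable_guardduty(region: str) -> str:
    """Ensure an enabled GuardDuty detector exists in this account/Region.
    Needs boto3 and AWS credentials; imported lazily so triage stays offline."""
    import boto3  # assumption: boto3 is installed where this runs
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors()["DetectorIds"]
    if ids:  # a Region holds at most one detector per account
        gd.update_detector(DetectorId=ids[0], Enable=True)
        return ids[0]
    return gd.create_detector(Enable=True,
                              FindingPublishingFrequency="FIFTEEN_MINUTES")["DetectorId"]


# Constructed sample event in the shape EventBridge delivers (values made up).
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
                "detail": {"accountId": "111122223333", "region": "us-east-1",
                           "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
                           "severity": 5, "resource": {"resourceType": "AccessKey"}}}

if __name__ == "__main__":
    print(triage_finding(SAMPLE_EVENT))
```

Wire `triage_finding` to an EventBridge rule on source `aws.guardduty` to route only findings above your threshold to an on-call channel.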