Question.61 A company has hundreds of AWS accounts in an organization in AWS Organizations. The company operates out of a single AWS Region. The company has a dedicated security tooling AWS account in the organization. The security tooling account is configured as the organization’s delegated administrator for Amazon GuardDuty and AWS Security Hub. The company has configured the environment to automatically enable GuardDuty and Security Hub for existing AWS accounts and new AWS accounts. The company is performing control tests on specific GuardDuty findings to make sure that the company’s security team can detect and respond to security events. The security team launched an Amazon EC2 instance and attempted to run DNS requests against a test domain, example.com, to generate a DNS finding. However, the GuardDuty finding was never created in the Security Hub delegated administrator account. Why was the finding not created in the Security Hub delegated administrator account?
(A) VPC flow logs were not turned on for the VPC where the EC2 instance was launched.
(B) The VPC where the EC2 instance was launched had the DHCP option configured for a custom OpenDNS resolver.
(C) The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
(D) Cross-Region aggregation in Security Hub was not configured.
Correct Answer: C
The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
The reason is that Security Hub does not automatically receive findings from GuardDuty unless the integration is activated in each AWS account. According to the AWS documentation, “The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.” However, this integration is not enabled by default and requires manual activation in each AWS account. The documentation also states that “You must activate the integration in each AWS account that you want to send findings from GuardDuty to Security Hub.” Therefore, even though the company has configured the security tooling account as the delegated administrator for GuardDuty and Security Hub, and has enabled these services for existing and new AWS accounts, it still needs to activate the GuardDuty integration with Security Hub in each account. Otherwise, GuardDuty findings will not be sent to Security Hub and will not be visible in the delegated administrator account.
The other options are incorrect because:
A) VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC flow logs as one of the data sources for network connection findings, but not for DNS findings. According to the AWS documentation, “GuardDuty uses VPC Flow Logs as a data source for network connection findings.”
B) The VPC DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses DNS logs as one of the data sources for DNS findings, regardless of the DNS resolver used by the VPC. According to the AWS documentation, “GuardDuty uses DNS logs as a data source for DNS activity findings.”
D) Cross-Region aggregation in Security Hub is not relevant for this scenario, since the company operates out of a single AWS Region. Cross-Region aggregation in Security Hub allows you to aggregate security findings from multiple Regions into a single Region, where you can view and manage them. However, this feature is not needed if the company only uses one Region. According to the AWS documentation, “Cross-Region aggregation enables you to aggregate security findings from multiple Regions into a single Region.”
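As an added example (not code from the page or from AWS), the per-account check the explanation calls for: list which member accounts have the GuardDuty product subscribed in Security Hub and enable it where it is missing. The account IDs are constructed sample data, the partition defaults to "aws", and the live functions expect a boto3 session supplied by the caller.

```python
# Added example: audit the GuardDuty -> Security Hub integration per account.
# The offline helpers are pure Python; the two live helpers call the Security
# Hub API (ListEnabledProductsForImport / EnableImportFindingsForProduct).
from typing import Dict, Iterable, List

def guardduty_product_arn(region: str, partition: str = "aws") -> str:
    """Product ARN under which Security Hub imports GuardDuty findings."""
    return f"arn:{partition}:securityhub:{region}::product/aws/guardduty"

def integration_enabled(enabled_product_arns: Iterable[str], region: str) -> bool:
    """True when the GuardDuty product ARN appears in the account's list of
    enabled product subscriptions for that region."""
    return guardduty_product_arn(region) in set(enabled_product_arns)

def accounts_missing_integration(enabled_by_account: Dict[str, List[str]],
                                 region: str) -> List[str]:
    """Map {account_id: [enabled product ARNs]} -> accounts whose GuardDuty
    findings will never reach the delegated administrator's Security Hub."""
    return sorted(acct for acct, arns in enabled_by_account.items()
                  if not integration_enabled(arns, region))

def fetch_enabled_products(session, region: str) -> List[str]:
    """Live call; needs boto3 and credentials valid in the target account."""
    sh = session.client("securityhub", region_name=region)
    arns: List[str] = []
    paginator = sh.get_paginator("list_enabled_products_for_import")
    for page in paginator.paginate():
        arns.extend(page.get("ProductSubscriptions", []))
    return arns

def enable_integration(session, region: str) -> str:
    """Live call; activates the integration in the current account and
    returns the product subscription ARN Security Hub creates."""
    sh = session.client("securityhub", region_name=region)
    resp = sh.enable_import_findings_for_product(
        ProductArn=guardduty_product_arn(region))
    return resp["ProductSubscriptionArn"]

if __name__ == "__main__":
    # Constructed sample of what three member accounts might return.
    region = "us-east-1"
    sample = {
        "111111111111": [guardduty_product_arn(region)],
        "222222222222": [],  # Security Hub on, GuardDuty never subscribed
        "333333333333": [f"arn:aws:securityhub:{region}::product/aws/inspector"],
    }
    print("accounts missing integration:",
          accounts_missing_integration(sample, region))
```

In a real sweep, assume a role into each member account to build the session, call fetch_enabled_products, and run enable_integration only for the accounts returned by accounts_missing_integration.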
Question.62 A company’s Security Engineer is copying all application logs to centralized Amazon S3 buckets. Currently, each of the company’s applications is in its own AWS account, and logs are pushed into S3 buckets associated with each account. The Engineer will deploy an AWS Lambda function into each account that copies the relevant log files to the centralized S3 bucket. The Security Engineer is unable to access the log files in the centralized S3 bucket. The Engineer’s IAM user policy from the centralized account looks like this:
The centralized S3 bucket policy looks like this:
Why is the Security Engineer unable to access the log files?
(A) The object ACLs are not being updated to allow the users within the centralized account to access the objects.
(B) The S3 bucket policy does not explicitly allow the Security Engineer access to the objects in the bucket.
(C) The Security Engineer’s IAM policy does not grant permissions to read objects in the S3 bucket.
(D) The s3:PutObject and s3:PutObjectAcl permissions should be applied at the S3 bucket level.
Correct Answer: C
Question.63 A security engineer has created an Amazon GuardDuty detector in several AWS accounts. The accounts are in an organization in AWS Organizations. The security engineer needs centralized visibility of the security findings from the detectors.
(A) Configure Amazon CloudWatch Logs Insights
(B) Create an Amazon CloudWatch dashboard
(C) Configure AWS Security Hub integrations
(D) Query the findings by using Amazon Athena
Correct Answer: C
Comprehensive Detailed Explanation with AWS References
To achieve centralized visibility of security findings from Amazon GuardDuty detectors in multiple AWS accounts under an AWS Organization, the best approach is to integrate GuardDuty with AWS Security Hub.
AWS Security Hub Overview:
Security Hub provides a unified view of security alerts and compliance checks across AWS accounts.
It supports integration with GuardDuty to automatically ingest and display findings in a centralized manner.
Reference:
Steps to Configure:
Enable AWS Security Hub in the management account.
Integrate GuardDuty with Security Hub by enabling the integration in each member account.
Security Hub will automatically aggregate and centralize findings from all accounts in the organization.
Why Not Other Options?
Option A (CloudWatch Logs Insights): While CloudWatch Logs Insights can analyze logs, it does not provide a centralized dashboard for GuardDuty findings across accounts.
Option B (CloudWatch Dashboard): Dashboards are primarily for metrics visualization, not GuardDuty findings.
Option D (Amazon Athena): Athena can query findings stored in Amazon S3, but it does not provide real-time centralized visibility or a security-specific interface like Security Hub.
Question.64 A company hosts multiple externally facing applications, each isolated in its own AWS account. The company’s Security team has enabled AWS WAF, AWS Config, and Amazon GuardDuty on all accounts. The company’s Operations team has also joined all of the accounts to AWS Organizations and established centralized logging for CloudTrail, AWS Config, and GuardDuty. The company wants the Security team to take a reactive remediation in one account, and automate implementing this remediation as proactive prevention in all the other accounts. How should the Security team accomplish this?
(A) Use AWS Shield Advanced to identify threats in each individual account and then apply the account-based protections to all other accounts through Organizations.
(B) Use GuardDuty alerts to write an AWS Lambda function that updates all accounts by adding additional NACLs on the Amazon EC2 instances to block known malicious IP addresses.
(C) Update the AWS WAF rules in the affected account and use AWS Firewall Manager to push updated AWS WAF rules across all other accounts.
(D) Use GuardDuty centralized logging and Amazon SNS to set up alerts to notify all application teams of security incidents.
Correct Answer: B
Question.65 A company wants to migrate its static primary domain website to AWS. The company hosts the website and DNS servers internally. The company wants the website to enforce SSL/TLS encryption, block IP addresses from outside the United States (US), and take advantage of managed services whenever possible. Which solution will meet these requirements?
(A) Migrate the website to Amazon S3. Import a public SSL certificate to an Application Load Balancer with rules to block traffic from outside the US. Migrate DNS to Amazon Route 53.
(B) Migrate the website to Amazon EC2. Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to an Application Load Balancer with rules to block traffic from outside the US. Update DNS accordingly.
(C) Migrate the website to Amazon S3. Import a public SSL certificate to Amazon CloudFront. Use AWS WAF rules to block traffic from outside the US. Update DNS accordingly.
(D) Migrate the website to Amazon S3. Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon CloudFront. Configure CloudFront to block traffic from outside the US. Migrate DNS to Amazon Route 53.
Correct Answer: D
To migrate the static website to AWS and meet the requirements, the following steps are required:
Migrate the website to Amazon S3, which is a highly scalable and durable object storage service that can host static websites. To do this, create an S3 bucket with the same name as the domain name of the website, enable static website hosting for the bucket, upload the website files to the bucket, and configure the bucket policy to allow public read access to the objects. For more information, see Hosting a static website on Amazon S3.
Import a public SSL certificate that is created by AWS Certificate Manager (ACM) to Amazon CloudFront, which is a global content delivery network (CDN) service that can improve the performance and security of web applications. To do this, request or import a public SSL certificate for the domain name of the website using ACM, create a CloudFront distribution with the S3 bucket as the origin, and associate the SSL certificate with the distribution. For more information, see Using alternate domain names and HTTPS.
Configure CloudFront to block traffic from outside the US, which is one of the requirements. To do this, create a CloudFront web ACL using AWS WAF, which is a web application firewall service that lets you control access to your web applications. In the web ACL, create a rule that uses a geo match condition to block requests that originate from countries other than the US. Associate the web ACL with the CloudFront distribution. For more information, see How AWS WAF works with Amazon CloudFront features.
Migrate DNS to Amazon Route 53, which is a highly available and scalable cloud DNS service that can route traffic to various AWS services. To do this, register or transfer your domain name to Route 53, create a hosted zone for your domain name, and create an alias record that points your domain name to your CloudFront distribution. For more information, see Routing traffic to an Amazon CloudFront web distribution by using your domain name.
The other options are incorrect because they either do not implement SSL/TLS encryption for the website (A), do not use managed services whenever possible (B), or do not block IP addresses from outside the US.
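The geo-blocking step above, as an added example that is not the page’s or AWS’s own code: it builds the AWS WAF (WAFv2) web ACL with one rule that blocks any request whose source country is not the US, includes a small offline evaluator for that one rule shape, and shows the live call that returns the web ACL ARN to attach to the CloudFront distribution. The ACL name, metric names and the boto3 session are assumptions.

```python
# Added example: CloudFront-scoped WAFv2 web ACL that blocks non-US traffic.
# Web ACL and metric names are placeholders; the live helper needs boto3.
from typing import Dict, List

ALLOWED_COUNTRIES: List[str] = ["US"]

def block_outside_countries_rule(allowed: List[str], priority: int = 0) -> Dict:
    """WAFv2 rule: NOT(GeoMatch country in allowed) -> Block."""
    return {
        "Name": "BlockOutsideAllowedCountries",
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {
            "GeoMatchStatement": {"CountryCodes": list(allowed)}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockOutsideAllowedCountries"},
    }

def web_acl_request(name: str, allowed: List[str]) -> Dict:
    """Keyword arguments for wafv2.create_web_acl. Web ACLs for CloudFront
    use Scope=CLOUDFRONT and are created in us-east-1; everything that is
    not blocked by a rule falls through to the Allow default action."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": [block_outside_countries_rule(allowed)],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }

def evaluate(rule: Dict, country_code: str) -> str:
    """Local approximation of how WAF evaluates this geo rule shape:
    BLOCK when the request country is outside the allowed list."""
    geo = rule["Statement"]["NotStatement"]["Statement"]["GeoMatchStatement"]
    in_allowed = country_code.upper() in geo["CountryCodes"]
    return "ALLOW" if in_allowed else "BLOCK"

def create_web_acl(session, name: str, allowed: List[str]) -> str:
    """Live call; returns the ARN to set as WebACLId on the distribution."""
    waf = session.client("wafv2", region_name="us-east-1")
    resp = waf.create_web_acl(**web_acl_request(name, allowed))
    return resp["Summary"]["ARN"]

if __name__ == "__main__":
    rule = block_outside_countries_rule(ALLOWED_COUNTRIES)
    for cc in ("US", "DE", "cn"):  # constructed sample source countries
        print(cc, "->", evaluate(rule, cc))
```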
Verified Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/HostingWebsiteOnS3Setup.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-alternate-domain-names.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-cloudfront.html
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-cloudfront-distribution.html