Amazon GuardDuty: Configuring Preventative Actions for Security Findings


Question

As an AWS System Administrator, you have enabled Amazon GuardDuty to identify and detect security issues in your AWS account continuously.

You also need to set up relevant preventive actions based on different types of security findings.

One preventive action is that when an EC2 instance comes under a brute-force attack, the SSH port is closed automatically in its security group.

How would you configure various preventative actions in the most appropriate way?

Answers

Explanations


Correct Answer: B.

Option A is incorrect because, in the Amazon GuardDuty console, you cannot add a Lambda function for the findings.

There is no such configuration.

Option B is CORRECT because CloudWatch Events receives an event for every finding that GuardDuty generates.

Users can add the custom logic in the target Lambda function to take the required actions.

Option C is incorrect because the "source" and "detail-type" of the CloudWatch Event rule are incorrect.

The correct event pattern should be:

{
  "source": [
    "aws.guardduty"
  ],
  "detail-type": [
    "GuardDuty Finding"
  ]
}
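As an added example (not from the question or its references), here is what the Lambda target of the option B rule could look like: it matches the event pattern above, and when the finding type is UnauthorizedAccess:EC2/SSHBruteForce with the instance as the target, it revokes the world-open tcp/22 ingress rule on every security group attached to that instance. The sample event, the injectable boto3 client and the 0.0.0.0/0 assumption are mine.

```python
# Event pattern from option B, as a plain dict so matching can be checked offline.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Finding types for which closing inbound SSH is the chosen preventive action.
SSH_BRUTE_FORCE_TYPES = {"UnauthorizedAccess:EC2/SSHBruteForce"}

SAMPLE_EVENT = {  # constructed sample, shaped like a real GuardDuty finding event
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "service": {"resourceRole": "TARGET"},
               "resource": {"instanceDetails": {"networkInterfaces": [
                   {"securityGroups": [{"groupId": "sg-0123456789abcdef0"}]}]}}},
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """EventBridge-style matching: every key in the pattern must exist in the
    event and its value must be one of the listed alternatives."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())

def plan_remediation(event):
    """Return the revoke_security_group_ingress parameters the finding warrants,
    or [] when the event is not a finding this function acts on."""
    if not matches_pattern(event):
        return []
    detail = event["detail"]
    if detail.get("type") not in SSH_BRUTE_FORCE_TYPES:
        return []
    # Only act when the instance was the TARGET of the brute force, not the
    # ACTOR: an instance attacking others needs a different response.
    if detail.get("service", {}).get("resourceRole") != "TARGET":
        return []
    actions = []
    for iface in detail["resource"]["instanceDetails"]["networkInterfaces"]:
        for sg in iface["securityGroups"]:
            # Assumption: SSH was opened to the world. A rule with a narrower
            # CIDR would have to be looked up via describe_security_groups first.
            actions.append({"GroupId": sg["groupId"], "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]})
    return actions

def lambda_handler(event, context, ec2_client=None):
    """Lambda target for the rule. ec2_client is a boto3 EC2 client
    (boto3.client("ec2")); it is injected so the decision logic runs without AWS."""
    actions = plan_remediation(event)
    for params in actions:
        if ec2_client is not None:
            ec2_client.revoke_security_group_ingress(**params)
    return {"revoked": len(actions)}
```

Without a client the handler only reports what it would revoke, which is a convenient way to test the filtering logic before granting the function ec2:RevokeSecurityGroupIngress.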

Option D is incorrect because there is no such AWS managed rule in AWS Config that can get the GuardDuty findings.

In this scenario, the correct AWS service to be used should be AWS CloudWatch instead of AWS Config.

References:

https://aws.amazon.com/guardduty/faqs/
https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html

As an AWS System Administrator, you have enabled Amazon GuardDuty, which continuously monitors your AWS account for security threats and vulnerabilities. When it detects an issue, it generates a finding, which is a detailed description of the potential threat or vulnerability. To take preventative actions based on different types of security findings, you need to configure automated responses.

There are several ways to configure preventative actions for GuardDuty findings, but the most appropriate way depends on your specific requirements. Here are the four options:

A. In the Amazon GuardDuty console, configure a Lambda function to take preventative actions for each type of finding.

This option involves using the GuardDuty console to create a custom Lambda function for each type of finding that you want to take preventive actions for. You can configure the function to perform any action that is supported by AWS APIs, such as updating security groups, disabling access keys, or terminating instances. This option provides the most granular control over the preventive actions, but it can be time-consuming to set up and maintain.

B. Create a CloudWatch Event rule for the "source" of "aws.guardduty" and "detail-type" of "GuardDuty Finding" with a Lambda function target to take preventative actions.

This option involves using CloudWatch Events to trigger a Lambda function whenever a GuardDuty finding is generated. You can filter the events based on the finding type, severity, or other attributes. The Lambda function can then take any action that is supported by AWS APIs. This option is more flexible than option A because you can use a single Lambda function to handle multiple types of findings. However, it still requires some configuration and maintenance.

C. Create a CloudWatch Event rule for the "source" of "AWS API Call via CloudTrail" and "detail-type" of "guardduty.amazonaws.com" with a Lambda function target to act upon the GuardDuty findings.

This option involves using CloudTrail to capture GuardDuty events and then using CloudWatch Events to trigger a Lambda function to take preventive actions. The benefit of this approach is that it allows you to centralize your security event logs in CloudTrail and use CloudWatch Events to trigger preventive actions based on those logs. However, it can be more complex to set up and maintain than the previous options.

D. In AWS Config, configure the GuardDuty rule managed by AWS. Add a remediation Lambda function to customize the preventative actions.

This option involves using AWS Config to manage GuardDuty findings and remediate them automatically. You can configure AWS Config to evaluate GuardDuty findings against specific rules and then take predefined remediation actions, such as closing ports, terminating instances, or disabling access keys. This option is more automated than the previous options but may require more advanced AWS knowledge to set up and maintain.

In summary, there are multiple ways to configure preventative actions based on GuardDuty findings in AWS. The most appropriate option depends on your specific requirements, such as the level of granularity, automation, and maintenance that you want to achieve.