Automated Security Policy Enforcement for AWS Environment | Detecting Undesired Activities from VPC Flow Logs, CloudTrail Logs, and DNS Logs



Question

Your company needs to place automated security policy enforcement in the AWS environment.

One requirement is that a system can detect the undesired activities from VPC Flow Logs, AWS CloudTrail logs, and DNS logs.

For example, when a compromised EC2 instance probes a port on a large number of public IP addresses to find vulnerable hosts to exploit, the system should detect this activity from the VPC Flow Logs and generate security findings.

How would you set up this system in an easy way?

Answers

Explanations


Correct Answer : D.

Option A is incorrect because Amazon Macie is a tool to evaluate the Amazon S3 environment.

It cannot detect security issues from VPC Flow Logs, AWS CloudTrail logs, and DNS logs.

Option B is incorrect because you would have to build and maintain many CloudWatch Event rules and Lambda functions.

It is not an easy solution, since you would also have to work out for yourself how to detect each unusual activity you care about.

Option C is incorrect because AWS Config itself is not enough to detect security issues.

It is an incomplete solution.

Option D is CORRECT because Amazon GuardDuty analyzes these log sources, continuously monitors the AWS services, and generates security findings.

References:

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan

https://aws.amazon.com/blogs/security/how-get-started-security-response-automation-aws/
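The port-probing scenario the question describes, as an added example that is not part of the original page or of GuardDuty itself: a small Python detector run over constructed VPC Flow Log records in the default version 2 format. It flags a source instance that touched many distinct external hosts on the same TCP port, which is the kind of logic option B would make you write and maintain yourself. The account ID, interface ID, addresses and the threshold of five distinct targets are all constructed for the example, and the VPC is assumed to use RFC 1918 address space so that anything else counts as an external host.

```python
"""Detect the port-probing pattern from the question in VPC Flow Log records.

Added example for this page (not GuardDuty's detection logic). All sample
data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default VPC Flow Logs (version 2) record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Assumption for this example: the VPC uses RFC 1918 space, so any other
# address is treated as a public/external host.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(line):
    """Return a record dict for a usable line, or None for NODATA/SKIPDATA
    or malformed lines (those carry '-' instead of addresses and ports)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for field in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[field] = int(rec[field])
    return rec


def detect_port_probes(lines, min_targets=5):
    """Flag (srcaddr, dstport) pairs where an instance inside the VPC reached
    at least min_targets distinct external hosts on the same TCP port."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["protocol"] != 6:          # TCP only
            continue
        if not is_internal(rec["srcaddr"]):              # outbound from the VPC only
            continue
        if is_internal(rec["dstaddr"]):                  # intra-VPC traffic is out of scope here
            continue
        targets[(rec["srcaddr"], rec["dstport"])].add(rec["dstaddr"])

    findings = []
    for (src, port), hosts in sorted(targets.items()):
        if len(hosts) >= min_targets:
            findings.append({
                "srcaddr": src,
                "dstport": port,
                "distinct_targets": len(hosts),
                "description": f"{src} probed TCP/{port} on {len(hosts)} external hosts",
            })
    return findings


# Constructed sample: 10.0.1.5 touches TCP/22 on six external hosts (plus one
# internal host that must not count), 10.0.1.9 talks HTTPS to two hosts, one
# inbound connection arrives from outside, and one NODATA record is present.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.10 49152 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.11 49153 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.12 49154 22 6 1 44 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.13 49155 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.14 49156 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.15 49157 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.2.7 49158 22 6 1 44 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.9 198.51.100.7 50001 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.9 198.51.100.8 50002 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.5 40000 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for finding in detect_port_probes(SAMPLE_FLOW_LOG.splitlines()):
        print(finding["description"])
```

Running the block reports a single finding for 10.0.1.5 on TCP/22 with six distinct targets; the HTTPS client, the intra-VPC connection and the inbound connection are left alone. A production version would have to bucket by time window, handle the custom field formats VPC Flow Logs allow, and tune the threshold per workload, which is exactly the maintenance burden the explanation above cites against option B.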

The best option to set up an automated security policy enforcement system in the AWS environment to detect undesired activities from VPC Flow Logs, AWS CloudTrail logs, and DNS logs is D: Enable Amazon GuardDuty to pull and analyze independent streams of data from AWS CloudTrail management and Amazon S3 data events, VPC flow logs, and DNS logs to generate security findings.

Here's why:

A. Enable all features in Amazon Macie to automatically discover security issues and protect the AWS environment using machine learning and pattern matching: Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to automatically discover, classify, and protect sensitive data in AWS. While Amazon Macie can help identify sensitive data in your environment, it is not designed to detect undesired activities from VPC Flow Logs, AWS CloudTrail logs, and DNS logs.

B. Create multiple CloudWatch Event rules and Lambda functions to generate security findings based on the abnormal activities in CloudTrail logs, VPC flow logs, and DNS logs: This option involves creating custom CloudWatch Event rules and Lambda functions to generate security findings based on abnormal activities in the logs. While this option provides granular control over what events trigger security findings, it requires significant manual effort to set up and maintain.

C. Enable AWS Config through AWS Security Hub to detect security issues and continuously aggregate and prioritize the findings: AWS Config is a fully managed service that provides a detailed inventory of your AWS resources and their configurations. While AWS Config can help detect configuration-related security issues, it does not analyze VPC Flow Logs, AWS CloudTrail logs, and DNS logs.

D. Enable Amazon GuardDuty to pull and analyze independent streams of data from AWS CloudTrail management and Amazon S3 data events, VPC flow logs, and DNS logs to generate security findings: Amazon GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment. It uses machine learning, anomaly detection, and integrated threat intelligence to analyze VPC Flow Logs, AWS CloudTrail logs, and DNS logs and generate security findings. GuardDuty also provides detailed, actionable alerts that let you respond quickly to potential threats.

In summary, D is the best option because it is specifically designed to detect undesired activities from VPC Flow Logs, AWS CloudTrail logs, and DNS logs, and provides detailed, actionable alerts that enable you to quickly respond to potential threats.
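Once GuardDuty is the detection layer, the response side of the referenced "security response automation" blog post is where a small amount of CloudWatch Events (now EventBridge) and Lambda code still earns its keep. The following is an added example, not code from the page, from AWS or from GuardDuty: an EventBridge-style event pattern that selects the Recon:EC2/Portscan finding type named in the reference above, a minimal matcher for that pattern so the rule can be exercised offline, and a Lambda handler that turns a matching finding into a response plan. The finding events, instance ID, account ID and the severity cut-off of 4 are constructed; the actual isolation call (moving the instance to a quarantine security group) is left as an assumed step and not implemented.

```python
"""Triage GuardDuty findings the way an EventBridge rule plus Lambda would.

Added example for this page; event shapes and identifiers are constructed.
"""
import json

# Event pattern in the form an EventBridge rule would use: only GuardDuty
# Portscan findings at or above severity 4 (cut-off chosen for this example).
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {
        "type": ["Recon:EC2/Portscan"],
        "severity": [{"numeric": [">=", 4]}],
    },
}

_NUMERIC_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _value_matches(value, matchers):
    """One event value against a pattern list: exact values, or a
    {"numeric": [op, bound, op, bound, ...]} comparison where all parts must hold."""
    for m in matchers:
        if isinstance(m, dict) and "numeric" in m:
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                continue
            spec = m["numeric"]
            if all(_NUMERIC_OPS[spec[i]](value, spec[i + 1])
                   for i in range(0, len(spec), 2)):
                return True
        elif m == value:
            return True
    return False


def matches_pattern(event, pattern):
    """Subset of EventBridge pattern matching sufficient for EVENT_PATTERN:
    every key in the pattern must be present in the event and match."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True


def triage_finding(event):
    """Decide what to do with a finding; returns a plan, never acts on AWS."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"action": "ignore", "reason": "not matched by rule pattern"}
    detail = event["detail"]
    instance_id = (detail.get("resource", {})
                         .get("instanceDetails", {})
                         .get("instanceId"))
    if not instance_id:
        return {"action": "ignore", "reason": "finding is not tied to an EC2 instance"}
    return {
        "action": "isolate",
        "instance_id": instance_id,
        "finding_type": detail["type"],
        "severity": detail["severity"],
        "finding_id": detail.get("id"),
    }


def lambda_handler(event, context):
    plan = triage_finding(event)
    # Assumed follow-up, not implemented here: when plan["action"] == "isolate",
    # swap the instance onto a quarantine security group and notify the on-call.
    print(json.dumps(plan))
    return plan


def make_finding(finding_type, severity, instance_id="i-0123456789abcdef0"):
    """Constructed GuardDuty finding in the envelope EventBridge delivers."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "GuardDuty Finding",
        "source": "aws.guardduty",
        "account": "123456789012",
        "region": "us-east-1",
        "detail": {
            "schemaVersion": "2.0",
            "accountId": "123456789012",
            "id": "constructed-finding-id",
            "type": finding_type,
            "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": instance_id}},
        },
    }


if __name__ == "__main__":
    lambda_handler(make_finding("Recon:EC2/Portscan", 5), None)
    lambda_handler(make_finding("Recon:EC2/Portscan", 2), None)
```

Keeping the selection logic in the rule pattern rather than inside the function means the Lambda is only invoked for findings you intend to act on, and the matcher lets you unit-test that pattern against recorded findings before deploying the rule.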