You use a pre-authorized network scanner from the AWS marketplace in your AWS environment.
Amazon GuardDuty is also enabled to detect threats and protect your AWS account and workloads. However, GuardDuty keeps generating findings for the scanner IP.
You want GuardDuty to ignore this particular IP, as you are sure the scanner is working as expected. Which action would you take to meet this requirement?
Answer: D.
Option A is incorrect because the threat list consists of known malicious IP addresses, and GuardDuty will generate findings based on the threat list.
Option B is incorrect because you cannot suppress an IP from VPC Flow Logs or CloudTrail events. Instead, you can create a whitelist (trusted IP list) in GuardDuty.
Option C is incorrect because you do not need to suspend GuardDuty as you can trust the IP address while GuardDuty is running.
Option D is CORRECT because you can configure GuardDuty to use your own custom trusted IP list containing the IP addresses you allow for secure communication with your AWS infrastructure and applications.
By doing so, GuardDuty ignores the scanner IP and stops generating findings for it.
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-trusted-ip-list/

The correct answer to this question is D: "Upload a trusted IP list in GuardDuty that contains the whitelisted IP address so that GuardDuty does not generate findings based on activity that involves the IP address."
Explanation: Amazon GuardDuty is a threat detection service that continuously monitors and analyzes events and logs from various AWS services to identify potentially malicious activity within your AWS environment. It generates a finding for each detected threat, and each finding includes details about the threat, its severity level, and recommended remediation steps.
In this scenario, the pre-authorized network scanner from the AWS Marketplace is being used to scan the AWS environment. As a result, GuardDuty keeps generating findings for the scanner IP, even though the scanner is working as expected. To address this issue, the user needs to whitelist the scanner IP address so that GuardDuty does not generate findings based on activity that involves the IP address.
One way to do this is to upload a trusted IP list in GuardDuty. A trusted IP list is a list of IP addresses that are considered safe and trusted and should not be flagged as potential threats. Once the scanner IP address is in the trusted IP list, GuardDuty will not generate findings based on activity that involves that IP address.
Option A is incorrect because uploading a file with trusted IPs is only part of the process, and the user needs to activate the threat list in GuardDuty to ignore findings related to the uploaded IPs.
Option B is incorrect because suppressing the IP in VPC flow logs and CloudTrail events is not the best way to address the issue. It may lead to missing legitimate findings related to the scanner IP address.
Option C is incorrect because suspending GuardDuty is not an effective way to address the issue. GuardDuty should continuously monitor and analyze events and logs from various AWS services to detect potential threats within the AWS environment.
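The upload-then-activate workflow described above, as an added example that is not part of the original page: it builds the plaintext (Format=TXT) trusted IP list, uploads it to S3, and registers it with the real GuardDuty CreateIPSet API via boto3. The detector ID, bucket name and scanner address are assumed placeholders or constructed sample values; the 2000-entry cap is taken from the GuardDuty documentation and is assumed here.

```python
import ipaddress

# Assumed placeholders (replace before running). The scanner IP is a
# constructed sample value, not one taken from the question.
DETECTOR_ID = "<your-guardduty-detector-id>"
BUCKET = "<your-bucket>"
LIST_KEY = "guardduty/trusted-ips.txt"
SCANNER_IPS = ["203.0.113.10"]
MAX_ENTRIES = 2000  # per-list cap in the GuardDuty docs (assumed here)


def build_trusted_ip_list(entries):
    """Return the TXT body GuardDuty expects: one IP or CIDR per line.

    Every entry is parsed so a typo raises instead of silently producing a
    list GuardDuty rejects; duplicates are dropped and order is preserved.
    """
    seen = {}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # raises ValueError if invalid
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        seen[text] = None
    if not 0 < len(seen) <= MAX_ENTRIES:
        raise ValueError(f"trusted list must hold 1..{MAX_ENTRIES} entries")
    return "\n".join(seen) + "\n"


def create_ip_set_request(detector_id, name, bucket, key, activate=True):
    """Build the kwargs for the GuardDuty CreateIPSet call (a real boto3 API)."""
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Format": "TXT",
        "Location": f"https://s3.amazonaws.com/{bucket}/{key}",  # URI form from the API docs
        "Activate": activate,  # False would store the list without GuardDuty using it
    }


def register_trusted_ip_list(gd_client, s3_client, detector_id, entries, bucket, key):
    """Upload the list to S3 and register it as an *active* trusted IP set."""
    body = build_trusted_ip_list(entries)
    s3_client.put_object(Bucket=bucket, Key=key, Body=body.encode("ascii"))
    request = create_ip_set_request(detector_id, "scanner-trusted-ips", bucket, key)
    return gd_client.create_ip_set(**request)["IpSetId"]


if __name__ == "__main__":
    import boto3  # only needed for the live call, not for the helpers above
    ip_set_id = register_trusted_ip_list(
        boto3.client("guardduty"), boto3.client("s3"),
        DETECTOR_ID, SCANNER_IPS, BUCKET, LIST_KEY)
    print("created and activated trusted IP list", ip_set_id)
```

The S3 bucket must also be readable by GuardDuty (bucket policy or object permissions), otherwise the IP set is created in an error state and nothing is trusted.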