Each subnet has a route table, so modify the routing associated with DB instance subnets to prevent internet access.

To detect suspicious activity in an AWS account for VPC hosted resources, the security engineer needs to use a service that can monitor network traffic and API calls across all AWS Regions. Amazon GuardDuty is a threat detection service that can do this by analyzing VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. By activating GuardDuty across all AWS Regions, the security engineer can provide visibility for as many regions as possible. GuardDuty generates findings that contain details about the potential threats detected in the account. To respond to these findings, the security engineer needs to create a mechanism that can notify the relevant stakeholders or take remedial actions. One way to do this is to use Amazon EventBridge, which is a serverless event bus service that can connect AWS services and third-party applications. By creating an EventBridge rule that responds to GuardDuty findings and publishes them to an Amazon Simple Notification Service (Amazon SNS) topic, the security engineer can enable subscribers of the topic to receive notifications via email, SMS, or other methods. This is a cost-effective solution that does not require any additional infrastructure or code.

The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.

The reason is that Security Hub does not automatically receive findings from GuardDuty unless the integration is activated in each AWS account.According to the AWS documentation1, “The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.” However, this integration is not enabled by default and requires manual activation in each AWS account.The documentation1also states that “You must activate the integration in each AWS account that you want to send findings from GuardDuty to Security Hub.”

Therefore, even though the company has configured the security tooling account as the delegated administrator for GuardDuty and Security Hub, and has enabled these services for existing and new AWS accounts, it still needs to activate the GuardDuty integration with Security Hub in each account. Otherwise, the findings from GuardDuty will not be sent to Security Hub and will not be visible in the delegated administrator account.

The other options are incorrect because:

A. VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC flow logs as one of the data sources for network connection findings, but not for DNS findings.According to the AWS documentation2, “GuardDuty uses VPC Flow Logs as a data source for network connection findings.”

B. The VPC DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses DNS logs as one of the data sources for DNS findings, regardless of the DNS resolver used by the VPC.According to the AWS documentation2, “GuardDuty uses DNS logs as a data source for DNS activity findings.”

D. Cross-Region aggregation in Security Hub is not relevant for this scenario, since the company operates out of a single AWS Region. Cross-Region aggregation in Security Hub allows you to aggregate security findings from multiple Regions into a single Region, where you can view and manage them. However, this feature is not needed if the company only uses one Region.According to the AWS documentation3, “Cross-Region aggregation enables you to aggregate security findings from multiple Regions into a single Region.”

Comprehensive Detailed Explanation with all AWS References

To provide a single management portal for access and integrate with an external IdP for SSO,AWS IAM Identity Center(formerly AWS Single Sign-On) is the best solution:

AWS IAM Identity Center:

IAM Identity Center enables centralized management of access to AWS accounts within an organization.

Supports external IdPs (e.g., Okta, Azure AD) using SAML 2.0 for workforce SSO.

Amazon Athena is a service that enables you to analyze data in Amazon S3 using standard SQL1. You can use Athena to query the CloudTrail logs that are stored in S3 and filter them by the exposed access key and the date range2. The other options are not effective ways to review the use of the exposed access key.

To ensure that Security Hub can evaluate their resources for CIS AWS Foundations compliance, the security engineer should do the following:

Ensure that AWS Config is enabled in the account. This is a service that enables continuous assessment and audit of your AWS resources for compliance.

Ensure that the required AWS Config rules have been created for the CIS compliance evaluation. These are rules that represent your desired configuration settings for specific AWS resources or for an entire AWS account.

The correct answer is B because it checks the configuration of the CloudWatch alarm that is supposed to monitor the CloudTrail log events. The analyst should verify that a metric filter was created to extract the relevant information from the log events, such as the event name, source, and user identity. The analyst should also verify that the metric filter wasmapped to an alarm that triggers when a certain threshold is reached, and that the alarm notification action is set up correctly to send alerts to the analyst1.

The other options are incorrect because they do not address the issue of the CloudWatch alarm not working as expected. Option A is incorrect because CloudTrail and S3 bucket access logging are not related to the monitoring of security group changes. CloudTrail logs the API calls made to AWS services, and S3 bucket access logging records the requestsmade to thebucket2. OptionC is incorrect because CloudWatch dashboards are used to display metrics and alarms in a graphical way, but they do not affect the functionality of the alarm3. Option D is incorrect because the IAM policy permissions for cloudwatch:GetMetricStatistics and cloudwatch:ListMetrics are not required to monitor the CloudTrail log events. These permissions are used to retrieve the statistics and list of metrics for a given namespace4.

To mitigate a credential stuffing attack against a web-based application behind an Application Load Balancer (ALB), creating an AWS WAF web ACL with a custom rule to block requests containing the known malicious user agent string is an effective solution. This approach allows for precise targeting of the attack vector (the user agent string of the device emulator) without impacting legitimate users. AWS WAF provides the capability to inspect HTTP(S) requests and block those that match defined criteria, such as specific strings in the user agent header, thereby preventing malicious requests from reaching the application.

You can use IAM CloudTrail to get a history of IAM API calls and related events for your account. This history includes calls made with the IAM Management Console, IAM Command Line Interface, IAM SDKs, and other IAM services.

Options A,B and D are invalid becau56se you need to ensure that you use the services of CloudTrail, IAM Config, IAM Credential Reports

For more information on Cloudtrail, please visit the below URL:

http://docs.IAM.amazon.com/IAMcloudtrail/latest/userguide/cloudtrail-user-guide.html

IAM Config is a service that enables you to assess, audit and evaluate the configurations of your IAM resources. Config continuously monitors and records your IAM resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between IAM resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, char management and operational troubleshooting.

For more information on the config service, please visit the below URL

https://IAM.amazon.com/config/

You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the IAM Management Console, the IAM SDKs and Command Line Tools, or the IAM API.

For more information on Credentials Report, please visit the below URL:

http://docs.IAM.amazon.com/IAM/latest/UserGuide/id credentials_getting-report.html

The correct answer is: CloudTrail, IAM Config, IAM Credential Reports Submit your Feedback/Queries to our Experts