DOP-C02 Question #484: Real Exam Question with Answer & Explanation
Question
A company built its serverless infrastructure on AWS. The infrastructure consists of an Amazon API Gateway REST API, multiple AWS Lambda functions, and Amazon EventBridge. The company wants to be aware of any new supply chain attacks that the company's CI/CD pipelines do not catch. The company needs a solution to detect malicious activity in the deployed application. Which solution meets these requirements?
Options
- A. Enable AWS WAF for the API Gateway REST API. Configure an AWS WAF ACL. Add the known
- B. Enable Amazon GuardDuty. Enable Lambda Protection. Use EventBridge for event notifications.
- C. Deploy AWS CloudFormation Guard in the CI/CD pipelines. Write rules to catch the supply chain
- D. Create a firewall in AWS Network Firewall. Configure a policy. Add the managed rule for the
Explanation
Option B is correct because Amazon GuardDuty with Lambda Protection is designed to detect runtime threats and malicious activity in deployed serverless applications, including unusual API calls, suspicious code execution patterns, and supply chain compromises that slip past CI/CD pipelines. EventBridge integrates natively with GuardDuty, so every finding can be delivered as a real-time event notification, making this a complete detection solution for post-deployment threats.
Option A is wrong because AWS WAF protects against known web exploits (SQL injection, XSS, etc.) at the API layer; it cannot detect malicious behavior inside Lambda functions or supply chain compromises already present in deployed code.
Option C is wrong because CloudFormation Guard is a pre-deployment policy-as-code tool used in CI/CD pipelines. The question explicitly asks for a solution that catches attacks the CI/CD pipelines miss, so this does not address the runtime detection requirement.
Option D is wrong because AWS Network Firewall operates at the network layer for VPC traffic, but serverless architectures (API Gateway + Lambda) do not route traffic through a VPC by default, making this solution largely ineffective here.
🧠 Memory Tip: Think "GuardDuty = Runtime Guardian." Whenever a question asks about detecting threats in deployed or running AWS resources (especially Lambda), GuardDuty with the appropriate protection plan (Lambda, S3, EKS, etc.) is almost always the answer.