SCS-C03 Question #136: Real Exam Question with Answer & Explanation

Question

A company runs its microservices architecture in Kubernetes containers on AWS by using Amazon Elastic Kubernetes Service (Amazon EKS) and Amazon Aurora. The company has an organization in AWS Organizations to manage hundreds of AWS accounts that host different microservices. The company needs to implement a monitoring solution for logs from all AWS resources across all accounts. The solution must include automatic detection of security-related issues. Which solution will meet these requirements with the LEAST operational effort?

Options

• ADesignate an Amazon GuardDuty administrator account in the organization's management
• BDesignate a monitoring account. Share Amazon CloudWatch Logs from all accounts. Use
• CCentralize CloudTrail logs in Amazon S3 and analyze them with Amazon Athena.
• DStream CloudWatch Logs to Amazon Kinesis and analyze them with custom AWS Lambda

Explanation

Amazon GuardDuty is a fully managed, organization-aware threat detection service that continuously analyzes AWS logs such as CloudTrail events, VPC Flow Logs, DNS logs, EKS audit logs, and RDS activity. According to the AWS Certified Security - Specialty Official Study Guide, GuardDuty is designed to operate at scale across AWS Organizations with minimal operational overhead. By designating a GuardDuty administrator account in the organization's management account and enabling GuardDuty organization-wide, the company can automatically enable threat detection across hundreds of AWS accounts. Enabling EKS Protection allows GuardDuty to analyze Kubernetes audit logs for suspicious activity, while RDS Protection provides anomaly detection for Amazon Aurora databases.

No community discussion yet for this question.