
AWS Certified Security - Specialty
In a company with hundreds of AWS accounts managed through AWS Organizations, a dedicated security tooling account serves as the delegated administrator for Amazon GuardDuty and AWS Security Hub. This setup is configured to automatically enable GuardDuty and Security Hub across all accounts, both existing and new. During a control test to ensure the security team's ability to detect and respond to security events, an Amazon EC2 instance was launched to generate a DNS finding by making DNS requests against a test domain. Despite these efforts, no GuardDuty finding was recorded in the Security Hub delegated administrator account. What might be the cause for the absence of this finding?
Explanation:
The correct answer is B. Amazon GuardDuty can only process DNS request logs for queries that are answered by the default VPC DNS resolver (AmazonProvidedDNS, the Route 53 Resolver built into the VPC). If a custom DNS resolver, such as OpenDNS, is configured as the domain-name-servers value in the DHCP options set of the VPC where the EC2 instance was launched, the instance's queries never pass through the Amazon resolver, so GuardDuty cannot see them and will not generate DNS-based findings. Any DNS requests made from that environment therefore go undetected by GuardDuty, and no related findings are reported to Security Hub in the delegated administrator account. Enabling GuardDuty across the organization is not enough on its own; the DNS data source also depends on each VPC's resolver configuration.
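The blind spot described above can be audited programmatically: list each VPC's DHCP options set and flag any whose `domain-name-servers` entries are not `AmazonProvidedDNS`. The following is an added example, not part of the exam page or of any AWS tooling; it evaluates the response shape returned by the EC2 `DescribeVpcs` and `DescribeDhcpOptions` APIs, and the sample data embedded below is constructed (the custom resolver addresses use RFC 5737 documentation IPs rather than a real OpenDNS address). In a real run the two input lists would come from `boto3` (`ec2.describe_vpcs()["Vpcs"]` and `ec2.describe_dhcp_options()["DhcpOptions"]`), called in every account and Region where GuardDuty is expected to produce DNS findings.

```python
"""Audit VPC DHCP options sets for resolvers that bypass GuardDuty's DNS data source.

Added example, not from the original page. GuardDuty only sees DNS queries
answered by the default VPC resolver (AmazonProvidedDNS), so a VPC whose
DHCP options set points domain-name-servers elsewhere yields no DNS findings.
The sample data below is constructed; the functions operate on the same
dictionaries that boto3's describe_vpcs / describe_dhcp_options return.
"""
from typing import Dict, List

AMAZON_DNS = "AmazonProvidedDNS"


def resolvers_for(dhcp_options: dict) -> List[str]:
    """Return the domain-name-servers values from one DhcpOptions entry.

    Assumption (per the CreateDhcpOptions API docs): when the key is absent
    the set defaults to AmazonProvidedDNS, so an empty list is treated as
    the default by the caller.
    """
    for cfg in dhcp_options.get("DhcpConfigurations", []):
        if cfg.get("Key") == "domain-name-servers":
            return [v["Value"] for v in cfg.get("Values", [])]
    return []


def guardduty_dns_blind_spots(vpcs: List[dict],
                              dhcp_option_sets: List[dict]) -> Dict[str, List[str]]:
    """Map VpcId -> custom resolver addresses for every VPC not using AmazonProvidedDNS.

    A mixed list (AmazonProvidedDNS plus a custom server) is still flagged,
    because instances may send queries to the custom server and those queries
    are invisible to GuardDuty. An empty result means every VPC's DNS traffic
    is visible to the GuardDuty DNS data source.
    """
    by_id = {d["DhcpOptionsId"]: d for d in dhcp_option_sets}
    blind: Dict[str, List[str]] = {}
    for vpc in vpcs:
        opts = by_id.get(vpc.get("DhcpOptionsId"))
        if opts is None:
            continue  # no matching options set in the input; nothing to evaluate
        servers = resolvers_for(opts) or [AMAZON_DNS]
        custom = [s for s in servers if s != AMAZON_DNS]
        if custom:
            blind[vpc["VpcId"]] = custom
    return blind


# Constructed sample input mirroring the EC2 API response shape.
SAMPLE_DHCP_OPTION_SETS = [
    {"DhcpOptionsId": "dopt-aaaa1111",
     "DhcpConfigurations": [
         {"Key": "domain-name", "Values": [{"Value": "ec2.internal"}]},
         {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]},
     ]},
    {"DhcpOptionsId": "dopt-bbbb2222",   # custom resolver, e.g. an OpenDNS-style setup
     "DhcpConfigurations": [
         {"Key": "domain-name-servers",
          "Values": [{"Value": "192.0.2.53"}, {"Value": "192.0.2.54"}]},
     ]},
]
SAMPLE_VPCS = [
    {"VpcId": "vpc-prod0001", "DhcpOptionsId": "dopt-aaaa1111"},
    {"VpcId": "vpc-test0002", "DhcpOptionsId": "dopt-bbbb2222"},
]


def main() -> None:
    """Print the VPCs whose DNS queries GuardDuty cannot observe."""
    findings = guardduty_dns_blind_spots(SAMPLE_VPCS, SAMPLE_DHCP_OPTION_SETS)
    if not findings:
        print("All VPCs use AmazonProvidedDNS; GuardDuty DNS findings are possible everywhere.")
    for vpc_id, servers in findings.items():
        print(f"{vpc_id}: custom resolvers {servers} -> no GuardDuty DNS findings for this VPC")


if __name__ == "__main__":
    main()
```

Run against real data, the VPC hosting the test EC2 instance would appear in the output, which is the quickest way to confirm that a missing DNS finding is a resolver configuration issue rather than a GuardDuty or Security Hub delegation problem. Instances that override their resolver locally (for example in `/etc/resolv.conf`) are not caught by this check, since that configuration is not visible through the EC2 API.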