GuardDuty uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within the AWS environment.
GuardDuty is a Regional service and should be enabled in every supported AWS Region. This lets GuardDuty generate findings for unauthorized or unusual activity even in Regions that are not actively used, which is exactly where attacker activity is least likely to be noticed otherwise.
Suppression rules let you define a very specific combination of finding attributes (for example, a finding type together with a resource tag) so that new findings matching that combination are automatically archived. Suppressed findings are still generated and can be viewed by filtering on archived findings, but they are not sent on to EventBridge or Security Hub, so keep rules narrow enough that a noisy scanner cannot hide a real intrusion.
A trusted IP list holds IP addresses and CIDR ranges that you have allowlisted for secure communication with the AWS environment; GuardDuty does not generate VPC Flow Logs or CloudTrail based findings for addresses on it. Only one trusted IP list can be active per account per Region, and the list file is uploaded to S3 and referenced by its S3 URI, so treat it as a deliberate allowlist rather than a convenience.
A threat list holds known malicious IP addresses and CIDR ranges; GuardDuty does generate findings for activity involving addresses on a threat list, in addition to its own AWS and partner threat intelligence. Up to six threat lists can be active per account per Region, also stored in S3.
Security findings are retained and made available through the GuardDuty console and APIs for 90 days, after which they are discarded. For longer retention or analysis outside GuardDuty, configure export of findings to an S3 bucket (which requires a KMS key for encryption) or forward them through EventBridge, where GuardDuty publishes new and updated findings, to your SIEM.
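The following is an added example, not code from the original page or from AWS. It shows the pre-flight checks a practitioner would run before touching the three mechanisms above: it validates the plaintext file you upload to S3 for a trusted IP list or threat list (one IP address or CIDR per line, within the documented entry limits), builds the FindingCriteria JSON that `aws guardduty create-filter --action ARCHIVE` takes for a suppression rule, and dry-runs that criteria against a sample finding so you can see what the rule would archive before deploying it. The sample finding, the tag names, the IP ranges (RFC 5737 documentation space) and the "too broad" heuristic are all constructed for the example; the filter attribute names and condition keywords are those used by the GuardDuty filter API.

```python
"""Pre-flight checks for GuardDuty IP lists and suppression rules (added example, not page code)."""
import ipaddress
import operator

# Documented limits: one trusted IP list (<= 2000 entries) and up to six threat
# lists (<= 250000 entries each) per account per Region.
TRUSTED_LIST_MAX_ENTRIES = 2000
THREAT_LIST_MAX_ENTRIES = 250_000


def validate_ip_list(text, max_entries):
    """Check a plaintext GuardDuty list: one IPv4/IPv6 address or CIDR per line.

    Returns (networks, errors); an empty error list means the file is safe to upload.
    Blank lines are skipped here for convenience; keep them out of the real file.
    """
    nets, seen, errors = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not an IP address or CIDR")
            continue
        if net in seen:
            errors.append(f"line {lineno}: duplicate entry {net}")
        seen.add(net)
        nets.append(net)
    if len(nets) > max_entries:
        errors.append(f"{len(nets)} entries exceed the limit of {max_entries}")
    return nets, errors


def build_suppression_criteria(finding_types, tag_key=None, tag_value=None):
    """FindingCriteria for a suppression rule: finding type(s), optionally narrowed to an instance tag.

    Keys are GuardDuty filter attribute names. Every key must match (AND); the values
    inside one Equals list are alternatives (OR).
    """
    criterion = {"type": {"Equals": sorted(finding_types)}}
    if tag_key is not None:
        criterion["resource.instanceDetails.tags.key"] = {"Equals": [tag_key]}
    if tag_value is not None:
        criterion["resource.instanceDetails.tags.value"] = {"Equals": [tag_value]}
    return {"Criterion": criterion}


# Our own heuristic, not an AWS rule: a filter that constrains nothing but these
# attributes archives whole classes of findings and is almost always a mistake.
BROAD_ONLY_KEYS = {"severity", "region", "accountId", "createdAt", "updatedAt"}


def criteria_too_broad(criteria):
    return set(criteria["Criterion"]) <= BROAD_ONLY_KEYS


def _values_at(obj, dotted_path):
    """Collect every value at a dotted path, descending through lists (e.g. tags)."""
    values = [obj]
    for part in dotted_path.split("."):
        nxt = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        values = nxt
    flat = []
    for v in values:
        flat.extend(v if isinstance(v, list) else [v])
    return flat


_NUMERIC = {"GreaterThan": operator.gt, "GreaterThanOrEqual": operator.ge,
            "LessThan": operator.lt, "LessThanOrEqual": operator.le}


def would_suppress(finding, criteria):
    """True if a filter with these criteria and action ARCHIVE would archive the finding."""
    for path, condition in criteria["Criterion"].items():
        actual = _values_at(finding, path)
        if not actual:
            return False
        for op, expected in condition.items():
            if op == "Equals":
                if not any(str(a) in {str(e) for e in expected} for a in actual):
                    return False
            elif op == "NotEquals":
                if any(str(a) in {str(e) for e in expected} for a in actual):
                    return False
            elif op in _NUMERIC:
                if not any(_NUMERIC[op](float(a), float(expected)) for a in actual):
                    return False
            else:
                raise ValueError(f"unsupported condition {op!r}")
    return True


SAMPLE_FINDING = {  # constructed sample; only the fields this demo reads
    "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2, "region": "us-east-1",
    "resource": {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0",
        "tags": [{"key": "Environment", "value": "scanner-lab"}]}},
}
```

Once `validate_ip_list` returns no errors, upload the file to S3 and register it with `aws guardduty create-ip-set` (trusted) or `create-threat-intel-set` (threat) using the object's S3 URI; the criteria from `build_suppression_criteria` go to `create-filter` as the `--finding-criteria` argument with `--action ARCHIVE`. Run `would_suppress` against a few real findings pulled with `get-findings` first: a rule that archives the lab scanner's port probes is fine, one that `criteria_too_broad` flags, such as "everything below severity 4", is a blind spot.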
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
Open to further feedback, discussion and correction.
Which AWS service makes it easy to detect and report unexpected and potentially malicious activity in your AWS environment?
AWS WAF is a web application firewall that monitors the HTTP/HTTPS requests forwarded to the resources it protects and lets you control access to their content.
It helps protect web applications from common attacks by letting you configure rules that allow, block, or monitor (count) web requests based on defined conditions. These conditions include source IP addresses, HTTP headers, the HTTP body, URI strings, and patterns indicative of SQL injection and cross-site scripting.
A Web ACL is a prioritized set of rules, and each rule combines one or more conditions with an action (allow, block, or count). Rules are evaluated in priority order: allow and block are terminating, count only records the match and evaluation continues, and the Web ACL's default action applies to any request that no rule allowed or blocked.
It integrates with CloudFront, Application Load Balancer (ALB) and API Gateway, the services commonly used to deliver content and applications.
When used with CloudFront, it also protects custom origins hosted outside of AWS, since CloudFront sits in front of them.
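The evaluation order described above is easy to get wrong in practice (a count rule that "should have blocked", or two rules fighting over the same priority), so here is an added example, not code from the original page or from AWS, that models a Web ACL as a list of condition-plus-action rules and walks them the way WAF does: ascending priority, count is non-terminating, allow and block terminate, default action otherwise. The IP set, the User-Agent, SQL-injection and XSS conditions, and the sample requests are constructed for the example; the regexes are deliberately simple stand-ins for WAF's match statements, not the real detection engine.

```python
"""Toy Web ACL evaluator (added example, not page code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import unquote_plus


@dataclass
class Request:
    src_ip: str
    uri: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Rule:
    priority: int
    name: str
    condition: Callable[[Request], bool]
    action: str  # "ALLOW", "BLOCK" or "COUNT"


# Constructed IP set; 203.0.113.0/24 is documentation space, not a real attacker.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Illustrative patterns only; real WAF SQLi/XSS detection is far more thorough.
SQLI_RE = re.compile(r"(?i)(\bunion\b[\s\S]*\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b)")
XSS_RE = re.compile(r"(?i)(<\s*script\b|javascript:|on(error|load|click)\s*=)")


def _decoded(text):
    # Mirror the URL_DECODE text transformation; decode twice to defeat double encoding.
    return unquote_plus(unquote_plus(text))


def from_blocked_ip(req):          # IP-match condition
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in BLOCKED_NETS)


def no_user_agent(req):            # header condition
    return "User-Agent" not in req.headers


def sqli_in_query_or_body(req):    # SQLi condition over query string and body
    return bool(SQLI_RE.search(_decoded(req.query)) or SQLI_RE.search(_decoded(req.body)))


def xss_in_query(req):             # XSS condition over the query string
    return bool(XSS_RE.search(_decoded(req.query)))


def evaluate(req, rules, default_action="ALLOW"):
    """Walk rules by ascending priority. COUNT never terminates; ALLOW/BLOCK do."""
    if len({r.priority for r in rules}) != len(rules):
        raise ValueError("rule priorities must be unique within a Web ACL")
    counted = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.condition(req):
            continue
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue
        return rule.action, rule.name, counted
    return default_action, None, counted


def enforce(rules, rule_name):
    """Promote a COUNT rule to BLOCK once its sampled matches look free of false positives."""
    return [Rule(r.priority, r.name, r.condition, "BLOCK" if r.name == rule_name else r.action)
            for r in rules]


WEB_ACL_RULES = [
    Rule(10, "block-bad-ips", from_blocked_ip, "BLOCK"),
    Rule(20, "count-missing-ua", no_user_agent, "COUNT"),   # monitoring before enforcing
    Rule(30, "block-sqli", sqli_in_query_or_body, "BLOCK"),
    Rule(40, "count-xss", xss_in_query, "COUNT"),
]

SAMPLE_REQUESTS = {  # constructed traffic
    "clean": Request("198.51.100.7", "/products", "id=42", {"User-Agent": "Mozilla/5.0"}),
    "blocked_ip": Request("203.0.113.9", "/products", "id=42", {"User-Agent": "curl/8.0"}),
    # double URL-encoded  ' OR '1'='1  that a single decode pass would miss
    "sqli_double_encoded": Request("198.51.100.8", "/products",
                                   "id=42%2527%2520OR%2520%25271%2527%253D%25271", {"User-Agent": "x"}),
    "xss_no_ua": Request("198.51.100.9", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
}


def evaluate_all(rules=None):
    rules = WEB_ACL_RULES if rules is None else rules
    return {name: evaluate(req, rules) for name, req in SAMPLE_REQUESTS.items()}
```

The instructive case is `xss_no_ua`: both count rules match, yet the request is allowed by the default action, because count never stops evaluation. That is the intended "observe first" workflow; `enforce(WEB_ACL_RULES, "count-xss")` is the switch you flip after reviewing the sampled matches, and the duplicate-priority check reflects WAF's requirement that rule priorities within a Web ACL be unique.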
Third Party WAF
They act as filters that apply a set of rules to web traffic to cover exploits like XSS and SQL injection, and also help build resiliency against DDoS by mitigating HTTP GET or POST floods.
They provide features such as OWASP Top 10 rule sets, HTTP rate limiting, IP allowlists and blocklists, inspection of requests for abnormal patterns, CAPTCHA challenges and more.
A WAF sandwich pattern can be implemented where an Auto Scaling group of WAF instances sits between an Internet-facing load balancer and an internal load balancer that fronts the application tier, so the WAF layer scales independently of the application behind it.
AWS Shield is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS.
Shield Standard is enabled automatically for all AWS customers at no additional charge and protects against the most common, frequently occurring network and transport layer (layer 3 and 4) attacks, such as SYN/UDP floods and reflection attacks, to support high availability of applications on AWS. Application layer (layer 7) floods are outside its scope and are addressed with WAF rate-based rules or Shield Advanced.
Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
It automatically discovers and scans EC2 instances and container images residing in Elastic Container Registry (ECR) for software vulnerabilities and unintended network exposure.
When a software vulnerability or network issue is discovered, it creates a finding that describes the vulnerability, rates its severity, identifies the affected resource, and provides remediation guidance.
It is a Regional service.
For EC2 instances it requires the Systems Manager (SSM) Agent to be installed and running, and the instance must be a managed node (an instance profile with SSM permissions and network reachability to the SSM endpoints); instances that are not SSM-managed simply do not get scanned, so check coverage rather than assume it.
AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS' compliance documentation and agreements.
AWS Artifact Reports can be used to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and System and Organization Controls (SOC) reports.