Incorrect Question in Review Mode Set 4
-
The question reads:
An enterprise with a multi-account AWS Organizations setup generates Amazon GuardDuty findings in each workload account from Amazon VPC traffic monitoring, DNS activity, and Amazon EKS clusters. The security team wants all findings to flow into a centralized AWS Security Hub dashboard. A newly created security account will serve as the aggregation hub.
The company must configure the environment so the security account automatically receives GuardDuty findings from all workload accounts through Security Hub.
Choose and arrange the steps from the list below to satisfy the stated requirements. Each step should be used once. (Select and order FOUR.)
A. Authorize the administrator account to access and manage member account roles for security data aggregation.
B. Turn on GuardDuty and Security Hub in each member account and configure IAM trust permissions to allow management by the administrator account.
C. Assign the security account as the central administrator for Security Hub.
D. Activate AWS Security Hub within the designated security account.
I added the letters for each provided step in order to better explain. The answer says the correct order is D, C, B, A. However, according to the AWS docs (https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-v2-enable.html), quote:
- In Step 1, the AWS organization management account designates a delegated administrator for their AWS Organization, creates the delegated administrator policy, and optionally enables Security Hub for their own account.
- In Step 2, the delegated administrator for the organization enables Security Hub for their own account.
- In Step 3, the delegated administrator for the organization configures all member accounts in the organization, for Security Hub and other supported security services.
This means the answer’s provided logic and order are incorrect, since you do not need to enable Security Hub in the designated security account before designating a delegated admin. C designates the security account as the delegated admin for Security Hub, and D enables Security Hub for the delegated admin (the security account), so C must come before D in this process. Also, there is no mention of explicitly enabling GuardDuty in the security account, and I think that B fails the requirement of “automatically” if you are manually enabling GD and Security Hub in each member account.
Am I missing something or is this just a flawed question?
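The documented order above (designate the delegated administrator first, then enable the services in the security account, then have the delegated administrator auto-enable members) as AWS CLI calls, added here as an example and not part of the original post or of Tutorials Dojo's material. It assumes the classic Security Hub (CSPM) and GuardDuty CLI commands, CLI profiles named "mgmt" (Organizations management account) and "secadmin" (the security account), and a placeholder account id; the Security Hub v2 delegated administrator policy from Step 1 is not covered.

```shell
#!/bin/sh
# Added example (not from the thread or Tutorials Dojo). Assumes classic
# Security Hub CSPM / GuardDuty CLI commands and profiles "mgmt" and "secadmin".
# DRY_RUN=1 prints each call instead of executing it.
set -eu

SEC_ACCOUNT_ID="${SEC_ACCOUNT_ID:-111111111111}"   # placeholder, not a real account
REGION="${AWS_REGION:-us-east-1}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "aws $*"; else aws "$@"; fi
}

# Step 1 (management account): designate the security account as delegated
# administrator. Security Hub does not have to be enabled there yet.
designate_delegated_admin() {
  run --profile mgmt --region "$REGION" securityhub enable-organization-admin-account \
    --admin-account-id "$SEC_ACCOUNT_ID"
  run --profile mgmt --region "$REGION" guardduty enable-organization-admin-account \
    --admin-account-id "$SEC_ACCOUNT_ID"
}

# Step 2 (delegated admin): enable both services in the security account itself.
enable_in_security_account() {
  run --profile secadmin --region "$REGION" securityhub enable-security-hub \
    --enable-default-standards
  run --profile secadmin --region "$REGION" guardduty create-detector --enable
}

# Step 3 (delegated admin): auto-enable for all current and future members, so
# nobody logs in to each workload account to switch the services on by hand.
configure_members() {
  run --profile secadmin --region "$REGION" securityhub update-organization-configuration \
    --auto-enable
  if [ "$DRY_RUN" = "1" ]; then detector="DETECTOR_ID"; else
    detector=$(aws --profile secadmin --region "$REGION" guardduty list-detectors \
      --query 'DetectorIds[0]' --output text); fi
  run --profile secadmin --region "$REGION" guardduty update-organization-configuration \
    --detector-id "$detector" --auto-enable-organization-members ALL
}

# Check: the management account should now list the security account as admin.
verify() {
  run --profile mgmt --region "$REGION" securityhub list-organization-admin-accounts
}

plan() { designate_delegated_admin; enable_in_security_account; configure_members; verify; }

if [ "${1:-}" = "run" ]; then plan; fi
```

Run "DRY_RUN=1 sh setup.sh run" to see the ordered calls, and "sh setup.sh run" with valid profiles to apply them.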
-
Hello WSus,
Thank you for bringing this to our attention.
We acknowledge that this question requires an update. Manual enablement is only required for standalone accounts or environments that are not integrated with AWS Organizations. Since standalone accounts cannot be part of AWS Organizations, they must rely on manual activation.
We will make the necessary updates, and the updated content should be reflected on the portal soon.
Please let us know if you need any further assistance.
Regards,
JR @ Tutorials Dojo
-
Hi JR,
Thanks for your reply and confirmation, I appreciate it!
-
Hello WSus,
You’re welcome, and thank you again for raising this point.
If you notice anything else that could benefit from refinement, please don’t hesitate to share.
Best regards,
JR @ Tutorials Dojo