Question #1752
An ecommerce company runs applications in AWS accounts that are part of an organization in AWS Organizations. The applications run on Amazon Aurora PostgreSQL databases across all the accounts. The company needs to detect suspicious SQL queries that may indicate data exfiltration attempts and must identify these activities in the MOST operationally efficient way.
Which solution will meet these requirements?
A. Attach service control policies (SCPs) to the root of the organization to block specific SQL query patterns.
B. Enable the Amazon RDS Protection feature in Amazon GuardDuty for the member accounts of the organization.
C. Publish the Aurora general logs to a log group in Amazon CloudWatch Logs. Export the log data to a central Amazon S3 bucket and analyze it using Amazon Athena.
D. Configure AWS CloudTrail to monitor all database API calls and export the logs to a central Amazon S3 bucket.
Explanation
Answer B is correct because GuardDuty RDS Protection is the fully managed option. Once enabled, it profiles database login activity for Aurora (and RDS for PostgreSQL) clusters and raises findings for anomalous logins, successful brute-force logins, and logins from known malicious or Tor exit addresses, the access patterns that typically precede an exfiltration attempt. It needs no log collection, storage, or analysis pipeline of your own. One caveat a practitioner should know: RDS Protection analyzes login events, not the text of individual SQL statements; the exam treats it as the managed detection layer for suspicious database access. GuardDuty is enabled centrally from a delegated administrator account and can auto-enable the feature for all current and future member accounts, ensuring consistent monitoring across the organization.
Incorrect options:
- A: SCPs cannot inspect SQL query content; they only enforce permissions at the API level.
- C: This works, but it is the most operationally expensive path. In every account you must turn on statement logging in the cluster parameter group (for Aurora PostgreSQL this is the postgresql log with log_statement set, not a MySQL-style general log), enable the CloudWatch Logs export, export or replicate the data to the central bucket, maintain Athena tables and partitions, and write and tune the detection queries yourself.
- D: CloudTrail records control-plane API calls (for example CreateDBInstance or ModifyDBCluster), not the SQL statements sent over the database connection.
Key Points:
1. GuardDuty RDS Protection is purpose-built for detecting threats to database access (anomalous and brute-force logins to Aurora and RDS for PostgreSQL).
2. Managed services minimize operational effort.
3. AWS Organizations integration simplifies multi-account deployment.
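The log pipeline in option C ends with detection logic you write and maintain yourself. The following Python is an added example, not part of the original question set, showing the minimal version of that work: it parses Aurora PostgreSQL log lines (the RDS default log_line_prefix '%t:%r:%u@%d:[%p]:' with the statement text that log_statement = 'all' adds) and flags exfiltration-shaped activity. The log excerpt, the detection rules, the 10.0.0.0/16 application CIDR and the role names are constructed assumptions for the example, not an AWS or GuardDuty rule set.

```python
"""Added example: a minimal log-based detector of the kind option C commits
you to building and maintaining. Log lines, rules and CIDR are assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Aurora PostgreSQL log lines with the RDS default log_line_prefix
# '%t:%r:%u@%d:[%p]:' and the statement text that log_statement = 'all' adds.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+):"
    r"(?P<ip>[\d.]+)\(\d+\):"
    r"(?P<user>[^@]+)@(?P<db>[^:]+):\[(?P<pid>\d+)\]:"
    r"(?P<level>[A-Z]+):\s+statement:\s*(?P<sql>.*)$"
)

# Exfiltration-shaped SQL. Illustrative heuristics chosen for this example.
PATTERN_RULES = [
    (re.compile(r"\bCOPY\b.*\bTO\b", re.I), "COPY ... TO bulk export"),
    (re.compile(r"\b(pg_read_file|pg_read_binary_file|lo_export)\b", re.I),
     "server-side file function"),
    (re.compile(r"\b(dblink|postgres_fdw)\b", re.I), "cross-server data movement"),
    (re.compile(r"\bUNION\b.*\bSELECT\b.*\b(pg_catalog|information_schema)\b", re.I),
     "schema enumeration via UNION"),
]
# Whole-table read: SELECT * with no WHERE and no LIMIT.
BULK_READ_RE = re.compile(r'^\s*SELECT\s+\*\s+FROM\s+[\w."]+\s*;?\s*$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    user: str
    ip: str
    sql: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a statement line, or None for ERROR/FATAL lines,
    continuation lines and anything else that is not a logged statement."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str, app_network: str = "10.0.0.0/16") -> list:
    """Run the heuristics over exported log text. app_network is the CIDR the
    application tier is assumed to connect from; any other client address is
    flagged once per (user, ip) pair, then its statements are checked as usual."""
    allowed = ipaddress.ip_network(app_network)
    findings = []
    seen_outside = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ctx = (rec["ts"], rec["user"], rec["ip"], rec["sql"])
        key = (rec["user"], rec["ip"])
        if ipaddress.ip_address(rec["ip"]) not in allowed and key not in seen_outside:
            seen_outside.add(key)
            findings.append(Finding("client outside application network", *ctx))
        for pattern, rule in PATTERN_RULES:
            if pattern.search(rec["sql"]):
                findings.append(Finding(rule, *ctx))
        if BULK_READ_RE.match(rec["sql"]):
            findings.append(Finding("whole-table read", *ctx))
    return findings


# Constructed log excerpt: a normal application session from the assumed
# 10.0.0.0/16 app subnet, then an "analyst" role connecting from elsewhere.
LOG_SAMPLE = """\
2024-05-01 02:11:07 UTC:10.0.1.5(51234):app@shop:[4221]:LOG:  statement: SELECT id, status FROM orders WHERE customer_id = 1842 LIMIT 20
2024-05-01 02:11:09 UTC:10.0.1.5(51234):app@shop:[4221]:LOG:  statement: UPDATE carts SET updated_at = now() WHERE id = 77
2024-05-01 02:12:40 UTC:198.51.100.23(60011):analyst@shop:[4230]:LOG:  statement: SELECT * FROM customers;
2024-05-01 02:12:58 UTC:198.51.100.23(60011):analyst@shop:[4230]:LOG:  statement: COPY (SELECT email, card_last4 FROM customers) TO STDOUT WITH CSV
2024-05-01 02:13:10 UTC:198.51.100.23(60011):analyst@shop:[4230]:LOG:  statement: SELECT table_name FROM information_schema.tables UNION SELECT relname FROM pg_catalog.pg_class
2024-05-01 02:13:30 UTC:10.0.1.5(51234):app@shop:[4221]:ERROR:  relation "nope" does not exist
"""

if __name__ == "__main__":
    for f in detect(LOG_SAMPLE):
        print(f"{f.ts} {f.user}@{f.ip} [{f.rule}] {f.sql}")
```

Everything in this block (the log format parsing, the rule set, the allow-listed network, and the decision about which lines to ignore) is what you own and keep current in every account under option C, and it still only sees what you chose to log. On the managed path in answer B the equivalent effort is a single update_organization_configuration call from the GuardDuty delegated administrator account with the RDS_LOGIN_EVENTS feature set to auto-enable for all members, after which AWS maintains the detection models.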
Answer
The correct answer is: B