Amazon SCS-C02: Monitor Amazon Aurora MySQL for Unknown User Logins

Learn the most efficient way to monitor Amazon Aurora MySQL databases for unknown user login attempts and send email alerts using Amazon GuardDuty and SNS.

Question

A security engineer must implement monitoring of a company’s Amazon Aurora MySQL DB instances. The company wants to receive email notifications when unknown users try to log in to the database endpoint.

Which solution will meet these requirements with the LEAST operational overhead?

A. Enable Amazon GuardDuty. Enable the Amazon RDS Protection feature in GuardDuty to detect login attempts by unknown users. Create an Amazon EventBridge rule to filter GuardDuty findings. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).
B. Enable the server_audit_logging parameter on the Aurora MySQL DB instances. Use AWS Lambda to periodically scan the delivered log files for login attempts by unknown users. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).
C. Create an Amazon RDS Custom AMI. Include a third-party security agent in the AMI to detect login attempts by unknown users. Deploy RDS Custom DB instances. Migrate data from the existing installation to the RDS Custom DB instances. Configure email notifications from the third-party agent.
D. Write a stored procedure to detect login attempts by unknown users. Schedule a recurring job inside the database engine. Configure Aurora MySQL to use Amazon Simple Notification Service (Amazon SNS) to send email notifications.

Answer

A. Enable Amazon GuardDuty. Enable the Amazon RDS Protection feature in GuardDuty to detect login attempts by unknown users. Create an Amazon EventBridge rule to filter GuardDuty findings. Send email notifications by using Amazon Simple Notification Service (Amazon SNS).

Explanation

Enabling Amazon GuardDuty with the RDS Protection feature is the solution that will meet the requirements with the least operational overhead. Here’s why:

  • GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior.
  • The RDS Protection feature in GuardDuty uses machine learning to detect suspicious login attempts to Aurora MySQL databases, including logins by unknown users.
  • Creating an EventBridge rule allows you to filter the GuardDuty findings to only those related to unknown user login attempts on the Aurora MySQL instances.
  • EventBridge can then trigger Amazon SNS to send email notifications whenever unknown user logins are detected.

This solution requires minimal setup and is fully managed by AWS, resulting in the least ongoing operational overhead for the security team.

The other options have downsides:

  • Option B requires deploying and managing a Lambda function to periodically scan log files. This is more complex to set up and maintain compared to the GuardDuty solution.
  • Option C requires building a custom AMI with a third-party agent and migrating to RDS Custom. This involves substantially more effort and overhead than leveraging the native GuardDuty capabilities.
  • Option D relies on scheduling a job inside the database to detect unknown logins. This is more cumbersome than using GuardDuty’s built-in machine learning.

So in summary, enabling Amazon GuardDuty with RDS Protection, filtering findings with EventBridge, and sending alerts via SNS provides a robust, automated solution for detecting unknown user logins on Aurora MySQL with minimal operational overhead.
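
The EventBridge filtering step from option A, as an added example that is not part of the original page: an event pattern that selects GuardDuty RDS Protection login findings, a small local matcher to check the pattern against constructed sample events, and the boto3 calls that attach it to an SNS topic. The rule name, target Id and topic ARN are assumptions, and the matcher implements only the subset of EventBridge pattern syntax used here.

```python
import json

# EventBridge pattern: GuardDuty findings whose type is an RDS Protection
# login finding, e.g. CredentialAccess:RDS/AnomalousBehavior.FailedLogin.
PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"type": [{"prefix": "CredentialAccess:RDS/"}]},
}

def matches(pattern, event):
    """Evaluate the pattern subset used above: nested objects,
    exact string values and {"prefix": ...} matchers."""
    for key, rule in pattern.items():
        value = event.get(key)
        if isinstance(rule, dict):
            if not isinstance(value, dict) or not matches(rule, value):
                return False
        elif not isinstance(value, str) or not any(
            value.startswith(r["prefix"]) if isinstance(r, dict) else value == r
            for r in rule
        ):
            return False
    return True

def deploy(topic_arn, rule_name="guardduty-rds-login-findings"):
    """Create the rule and target an existing SNS topic (names are assumed).
    The topic's access policy must let events.amazonaws.com publish to it."""
    import boto3  # imported here so the matcher runs without AWS access
    events = boto3.client("events")
    events.put_rule(Name=rule_name, EventPattern=json.dumps(PATTERN),
                    State="ENABLED")
    events.put_targets(Rule=rule_name,
                       Targets=[{"Id": "sns-email", "Arn": topic_arn}])

def sample(source, finding_type):
    """Constructed event, trimmed to the fields the pattern inspects."""
    return {"source": source, "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": 5}}

SAMPLES = [
    sample("aws.guardduty", "CredentialAccess:RDS/AnomalousBehavior.FailedLogin"),
    sample("aws.guardduty", "CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin"),
    sample("aws.guardduty", "Recon:EC2/PortProbeUnprotectedPort"),   # not RDS
    sample("custom.app", "CredentialAccess:RDS/AnomalousBehavior.FailedLogin"),
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(matches(PATTERN, ev), ev["source"], ev["detail"]["type"])
```

Email delivery also depends on a confirmed email subscription on the SNS topic; without it the rule fires but no message reaches a mailbox.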