AWS Certified Solutions Architect Professional SAP-C02 Practice Question
Your company's AWS environment consists of 15 AWS accounts that are organized with AWS Organizations. Workloads are deployed in seven commercial AWS Regions. A dedicated security account in the us-east-1 Region has been configured as the delegated administrator for AWS Security Hub. The security architects must give analysts a single place to search and investigate the complete set of Security Hub findings that originate from every account and Region, both now and as the company opts in to additional AWS Regions in the future. The solution must involve the least operational effort and must not require building or maintaining custom data-replication pipelines.
Which action will meet these requirements?
In each workload Region, create an Amazon EventBridge rule that forwards Security Hub findings to an Amazon SQS queue in us-east-1, then process the queue with a custom application.
Enable AWS Security Hub cross-Region finding aggregation in the delegated administrator account and choose the ALL_REGIONS linking mode so that findings from all current and future Regions are automatically replicated to us-east-1.
Enable Amazon Detective in us-east-1 and configure it to pull Security Hub findings from the other six Regions.
In the delegated administrator account, create an AWS Config configuration aggregator that sources from all accounts and Regions, and query the aggregator for Security Hub findings.
AWS Security Hub provides a managed cross-Region finding-aggregation feature. From the delegated administrator account's home Region (us-east-1), you can enable finding aggregation and set the Region linking mode to ALL_REGIONS. Security Hub then automatically replicates findings, insights, control compliance statuses, and security scores from every linked Region to the home Region and continues to include any new Regions that are later enabled, without the need for custom pipelines or additional services.
An AWS Config aggregator can collect configuration data but does not natively aggregate Security Hub findings and would require additional logic to keep findings up to date. EventBridge rules plus SQS would achieve aggregation, but they introduce custom infrastructure and ongoing maintenance. Amazon Detective can visualize and investigate findings, but it cannot pull Security Hub findings across Regions on its own. Therefore, enabling Security Hub cross-Region finding aggregation with the ALL_REGIONS linking mode is the simplest, fully managed solution.
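As an added example (not part of the original question or of any AWS-provided code), the Python below shows the enabling call described above and an audit that flags enabled Regions a weaker linking mode would leave unreplicated to the home Region; the function names, the sample aggregator responses and the Region list are constructed assumptions.

```python
"""Enable and audit Security Hub cross-Region finding aggregation.

Added example, not from the original page. Assumes the delegated
administrator's home Region is us-east-1 and that boto3 credentials for
that account are available when enable_aggregation() is called.
"""
from typing import Iterable

HOME_REGION = "us-east-1"


def enable_aggregation(home_region: str = HOME_REGION):
    """Create the finding aggregator in the home Region with ALL_REGIONS
    linking mode so current and future opted-in Regions are replicated."""
    import boto3  # imported lazily so the audit logic below runs offline

    client = boto3.client("securityhub", region_name=home_region)
    return client.create_finding_aggregator(RegionLinkingMode="ALL_REGIONS")


def uncovered_regions(aggregator: dict, enabled_regions: Iterable[str]) -> list:
    """Return the enabled Regions whose findings are NOT replicated to the
    home Region, given a GetFindingAggregator response and the account's
    enabled Regions (for example from `aws account list-regions`).

    RegionLinkingMode values follow the Security Hub API:
    ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED, SPECIFIED_REGIONS, NO_REGIONS.
    """
    mode = aggregator["RegionLinkingMode"]
    home = aggregator["FindingAggregationRegion"]
    listed = set(aggregator.get("Regions", []))
    others = [r for r in enabled_regions if r != home]
    if mode == "ALL_REGIONS":
        return []                      # new Regions are picked up automatically
    if mode == "ALL_REGIONS_EXCEPT_SPECIFIED":
        return [r for r in others if r in listed]
    if mode == "SPECIFIED_REGIONS":
        return [r for r in others if r not in listed]
    return others                      # NO_REGIONS: nothing is replicated


# Constructed sample responses (not captured from a real account).
ALL_REGIONS_AGG = {"FindingAggregationRegion": HOME_REGION,
                   "RegionLinkingMode": "ALL_REGIONS"}
SPECIFIED_AGG = {"FindingAggregationRegion": HOME_REGION,
                 "RegionLinkingMode": "SPECIFIED_REGIONS",
                 "Regions": ["us-west-2", "eu-west-1"]}
ENABLED = [HOME_REGION, "us-west-2", "eu-west-1", "ap-southeast-1"]

if __name__ == "__main__":
    print(uncovered_regions(SPECIFIED_AGG, ENABLED))  # ['ap-southeast-1']
```

Running the audit after a new Region is opted in shows why the question favours ALL_REGIONS: only that mode returns an empty list without anyone editing the aggregator.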