The correct answer is C. The GuardDuty integration with Security Hub was never activated in the AWS account where the finding was generated.
The reason is that Security Hub does not automatically receive findings from GuardDuty unless the integration is activated in each AWS account. According to the AWS documentation [1], “The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.” However, this integration is not enabled by default and requires manual activation in each AWS account. The documentation [1] also states that “You must activate the integration in each AWS account that you want to send findings from GuardDuty to Security Hub.”
Therefore, even though the company has configured the security tooling account as the delegated administrator for GuardDuty and Security Hub, and has enabled these services for existing and new AWS accounts, it still needs to activate the GuardDuty integration with Security Hub in each account. Otherwise, the findings from GuardDuty will not be sent to Security Hub and will not be visible in the delegated administrator account.
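One way to check, per account and Region, the integration state described above. This is an added example, not part of the original answer and not AWS's own code. The functions take a Security Hub client (in real use, `boto3.client("securityhub")` with credentials for the member account) and call the `ListEnabledProductsForImport` and `EnableImportFindingsForProduct` operations; `FakeSecurityHub`, the account ID and the product list are constructed so the block runs offline.

```python
GUARDDUTY_SUFFIX = ":product-subscription/aws/guardduty"

def list_product_subscriptions(securityhub):
    """Collect all product-subscription ARNs, following NextToken pagination."""
    arns, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        page = securityhub.list_enabled_products_for_import(**kwargs)
        arns.extend(page.get("ProductSubscriptions", []))
        token = page.get("NextToken")
        if not token:
            return arns

def ensure_guardduty_integration(securityhub, region, dry_run=True):
    """Return 'active', 'missing' (dry run only) or 'enabled' (just activated)."""
    subs = list_product_subscriptions(securityhub)
    if any(arn.endswith(GUARDDUTY_SUFFIX) for arn in subs):
        return "active"
    if dry_run:
        return "missing"
    # Assumes the commercial "aws" partition; adjust for aws-cn / aws-us-gov.
    securityhub.enable_import_findings_for_product(
        ProductArn=f"arn:aws:securityhub:{region}::product/aws/guardduty")
    return "enabled"

class FakeSecurityHub:
    """Constructed stand-in for boto3.client('securityhub'); one ARN per page."""

    def __init__(self, account, region, products):
        self.prefix = f"arn:aws:securityhub:{region}:{account}:product-subscription/"
        self.products = list(products)

    def list_enabled_products_for_import(self, NextToken=None):
        i = int(NextToken or 0)
        page = {"ProductSubscriptions": [self.prefix + p for p in self.products[i:i + 1]]}
        if i + 1 < len(self.products):
            page["NextToken"] = str(i + 1)
        return page

    def enable_import_findings_for_product(self, ProductArn):
        self.products.append(ProductArn.split("product/", 1)[1])
        return {"ProductSubscriptionArn": self.prefix + self.products[-1]}

if __name__ == "__main__":
    # Constructed member account with only Inspector and Macie integrations on.
    hub = FakeSecurityHub("111122223333", "us-east-1", ["aws/inspector", "aws/macie"])
    print(ensure_guardduty_integration(hub, "us-east-1"))                 # missing
    print(ensure_guardduty_integration(hub, "us-east-1", dry_run=False))  # enabled
    print(ensure_guardduty_integration(hub, "us-east-1"))                 # active
```

Run in dry-run mode across member accounts first; a `missing` result marks an account whose GuardDuty findings will not reach Security Hub.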
The other options are incorrect because:
A. VPC flow logs are not required for GuardDuty to generate DNS findings. GuardDuty uses VPC flow logs as one of the data sources for network connection findings, but not for DNS findings. According to the AWS documentation [2], “GuardDuty uses VPC Flow Logs as a data source for network connection findings.”
B. The VPC DHCP option configured for a custom OpenDNS resolver does not affect GuardDuty’s ability to generate DNS findings. GuardDuty uses DNS logs as one of the data sources for DNS findings, regardless of the DNS resolver used by the VPC. According to the AWS documentation [2], “GuardDuty uses DNS logs as a data source for DNS activity findings.”
D. Cross-Region aggregation in Security Hub is not relevant for this scenario, since the company operates out of a single AWS Region. Cross-Region aggregation in Security Hub allows you to aggregate security findings from multiple Regions into a single Region, where you can view and manage them. However, this feature is not needed if the company only uses one Region. According to the AWS documentation [3], “Cross-Region aggregation enables you to aggregate security findings from multiple Regions into a single Region.”