
Amazon Associate: What is the easiest way to create ServiceNow incident when AWS security group rules change?

Learn the simplest solution to automatically generate a ServiceNow incident whenever security group rules are modified in your AWS account. Implement secure monitoring with minimal effort.


Question

A company that uses ServiceNow has an AWS account where a sensitive workload runs. The necessary security groups are in place. The company needs to implement a solution to create an incident in ServiceNow every time the rules change in any security group.

Which solution will meet this requirement with the LEAST operational effort?

A. Create an Amazon CloudWatch alarm that enters ALARM state when security groups change. Configure the alarm to invoke an AWS Lambda function that connects to ServiceNow to create an incident.
B. Enable AWS Security Hub. Create an AWS Lambda function that connects to ServiceNow to create an incident. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as Security Hub Findings – Custom Action. Configure the EventBridge rule to invoke the Lambda function.
C. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncident AWS Systems Manager Automation runbook to create an incident in ServiceNow.
D. Launch an Amazon EC2 instance that has a persistent connection to ServiceNow to detect security group changes. Export AWS CloudTrail logs to the EC2 instance. Write a bash script to run a scheduled cron job every 30 minutes to search the CloudTrail logs for security groups changes. Configure the EC2 instance to create an incident in ServiceNow when a change is detected.

Answer

C. Create an Amazon EventBridge rule to detect security group changes. Configure the event type as AWS API Call via CloudTrail. Configure the EventBridge rule to run the AWS-CreateServiceNowIncident AWS Systems Manager Automation runbook to create an incident in ServiceNow.

Explanation

Here is why this is the best solution and the one that requires the least operational effort:

  • EventBridge can match the CloudTrail records that EC2 emits when security group rules change. A rule with the event type AWS API Call via CloudTrail, source aws.ec2, and an eventName list covering the rule-changing calls (AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupIngress, RevokeSecurityGroupEgress, ModifySecurityGroupRules and the UpdateSecurityGroupRuleDescriptionsIngress/Egress calls) fires shortly after the change. A CloudTrail trail with logging enabled must exist in the account for these events to be delivered to EventBridge.
  • Systems Manager Automation provides AWS-owned runbooks for common tasks. The AWS-CreateServiceNowIncident runbook is specifically designed to create an incident in ServiceNow; you supply the ServiceNow instance details and the incident fields as runbook parameters.
  • Configuring the EventBridge rule with the Automation runbook as its target (the rule needs an IAM role that allows ssm:StartAutomationExecution) creates a ServiceNow incident automatically whenever a security group is changed. An input transformer on the target can pass details from the event, such as the API call name, the security group ID and the caller's identity, into the incident.
  • This approach uses native AWS capabilities only: there is no custom Lambda code to write and maintain, no EC2 instance to patch, and no polling loop. The EventBridge rule and the Automation runbook handle the integration between AWS and ServiceNow.
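The following is an added example, not code from the original page or from AWS. It builds the EventBridge event pattern that option C depends on, checks it against constructed CloudTrail records to show which EC2 calls would fire the rule and which would not, and simulates the input transformer that turns a matched event into runbook parameters. The event names are the real EC2 API actions; the security group ID, the caller ARN and the runbook parameter names ShortDescription and Description are assumptions made for the example, and the matcher implements only the subset of EventBridge pattern semantics this pattern needs (exact matching on leaf arrays).

```python
import json

# EC2 API actions that add, remove or edit security group rules. Read-only
# calls such as DescribeSecurityGroups are deliberately not listed.
SG_RULE_CHANGE_EVENTS = [
    "AuthorizeSecurityGroupIngress",
    "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress",
    "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules",
    "UpdateSecurityGroupRuleDescriptionsIngress",
    "UpdateSecurityGroupRuleDescriptionsEgress",
]


def build_event_pattern():
    """Pattern for 'AWS API Call via CloudTrail' events from EC2 whose
    eventName is one of the rule-changing calls. json.dumps() of this dict
    is what you would pass to `aws events put-rule --event-pattern`."""
    return {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["ec2.amazonaws.com"],
            "eventName": SG_RULE_CHANGE_EVENTS,
        },
    }


def matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the
    event, nested objects recurse, and a leaf list matches when the event
    value equals one of its items (exact matching only)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def cloudtrail_event(event_name, group_id, actor_arn):
    """Constructed sample event in the envelope EventBridge uses for CloudTrail
    API calls, trimmed to the fields the pattern and transformer read.
    (requestParameters.groupId is the shape of the Authorize*/Revoke* calls;
    other APIs nest their parameters differently.)"""
    return {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": event_name,
            "awsRegion": "us-east-1",
            "userIdentity": {"arn": actor_arn},
            "requestParameters": {"groupId": group_id},
        },
    }


# Input transformer for the rule's Systems Manager Automation target. The
# runbook parameter names below are assumed for this example; confirm them
# against the AWS-CreateServiceNowIncident runbook before deploying.
INPUT_PATHS_MAP = {
    "name": "$.detail.eventName",
    "actor": "$.detail.userIdentity.arn",
    "sg": "$.detail.requestParameters.groupId",
    "region": "$.detail.awsRegion",
}
INPUT_TEMPLATE = (
    '{"ShortDescription": ["Security group <sg> rules changed (<name>)"], '
    '"Description": ["<name> on <sg> in <region> by <actor>"]}'
)


def json_path(event, path):
    """Resolve the dotted '$.a.b.c' paths used in InputPathsMap."""
    node = event
    for part in path[2:].split("."):
        node = node[part]
    return node


def render_runbook_input(event):
    """Apply the input transformer the way EventBridge does: resolve each
    path, substitute the <placeholder> tokens, then parse the JSON result."""
    text = INPUT_TEMPLATE
    for name, path in INPUT_PATHS_MAP.items():
        text = text.replace(f"<{name}>", str(json_path(event, path)))
    return json.loads(text)


if __name__ == "__main__":
    pattern = build_event_pattern()
    print(json.dumps(pattern, indent=2))
    actor = "arn:aws:iam::111122223333:user/alice"  # constructed caller
    for name in ("AuthorizeSecurityGroupIngress", "DescribeSecurityGroups"):
        ev = cloudtrail_event(name, "sg-0123456789abcdef0", actor)
        print(f"{name}: {'incident' if matches(pattern, ev) else 'ignored'}")
```

The point of the negative case is that a rule keyed on source aws.ec2 alone would also fire for every DescribeSecurityGroups call; listing the mutating eventName values is what keeps the ServiceNow queue free of noise. When wiring this up for real, pass the output of build_event_pattern() to the rule, attach the Automation runbook as the target with a role that allows ssm:StartAutomationExecution, and put INPUT_PATHS_MAP and INPUT_TEMPLATE on the target's input transformer.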

The other options all involve more custom work:

  • Option A: CloudWatch alarms evaluate metrics, and there is no built-in metric for security group changes, so you would first have to ship CloudTrail logs to CloudWatch Logs and build a metric filter, and then write and maintain a custom Lambda function that talks to ServiceNow.
  • Option B: Security Hub custom actions are invoked by an operator from the Security Hub console, so the Security Hub Findings - Custom Action event type does not fire automatically when a security group changes, and this option still requires a custom Lambda function for the ServiceNow integration.
  • Option D: Running an EC2 instance with cron-driven scripts that parse exported CloudTrail logs adds an instance to patch and monitor, introduces up to a 30-minute detection delay, and is far more work than a single EventBridge rule.

Therefore, option C provides the simplest and most operationally efficient solution by making use of native EventBridge and Systems Manager capabilities to create ServiceNow incidents in response to security group changes.

This is an Amazon AWS Certified SysOps Administrator – Associate certification exam practice question and answer (Q&A), with a detailed explanation, provided free to help candidates prepare for and pass the exam.