
AWS Certified SysOps Administrator Associate: Centralized Multi-Account Resource Monitoring with AWS CloudFormation StackSets

Learn how to implement a centralized solution for monitoring resource metrics and receiving alerts across multiple AWS accounts using CloudFormation StackSets, CloudWatch Alarms, and SNS in a dedicated logging account.


Question

A company uses AWS Organizations to manage its multi-account environment. The organization contains a dedicated account for security and a dedicated account for logging. A SysOps administrator needs to implement a centralized solution that provides alerts when a resource metric in any account crosses a standard defined threshold.

Which solution will meet these requirements?

A. Deploy an AWS CloudFormation stack set to the accounts in the organization. Use a template that creates the required Amazon CloudWatch alarms and references an Amazon Simple Notification Service (Amazon SNS) topic in the logging account with publish permissions for all the accounts.
B. Deploy an AWS CloudFormation stack in each account. Use the stack to deploy the required Amazon CloudWatch alarms and the required Amazon Simple Notification Service (Amazon SNS) topic.
C. Deploy an AWS Lambda function on a cron job in each account. Configure the Lambda function to read resources that are in the account and to invoke an Amazon Simple Notification Service (Amazon SNS) topic if any metrics cross the defined threshold.
D. Deploy an AWS CloudFormation change set to the organization. Use a template to create the required Amazon CloudWatch alarms and to send alerts to a verified Amazon Simple Email Service (Amazon SES) identity.

Answer

A. Deploy an AWS CloudFormation stack set to the accounts in the organization. Use a template that creates the required Amazon CloudWatch alarms and references an Amazon Simple Notification Service (Amazon SNS) topic in the logging account with publish permissions for all the accounts.

Explanation

  1. AWS CloudFormation StackSets let you create, update, or delete stacks across multiple accounts and Regions with a single operation. With service-managed permissions (trusted access between StackSets and AWS Organizations) the stack set can target organizational units and automatically deploy to accounts that join the organization later, which is what makes this the centrally managed, organization-wide option the question asks for.
  2. The stack set template creates the required Amazon CloudWatch alarms in every target account. Each alarm evaluates a metric against the organization's standard threshold, and because the same template is deployed everywhere, the threshold is defined once and applied uniformly.
  3. The template references, rather than creates, the Amazon SNS topic in the dedicated logging account: each alarm's AlarmActions points at that topic's ARN. CloudWatch can publish alarm notifications to a topic in another account, but the topic must be in the same Region as the alarm, so the logging account needs a topic in every Region the stack set targets.
  4. For the alarms in the member accounts to publish to the centralized topic, the topic's access policy in the logging account must grant sns:Publish to the CloudWatch service principal (cloudwatch.amazonaws.com) and restrict it, with conditions such as aws:SourceAccount or aws:SourceArn, to the accounts in the organization. Granting publish to the member accounts in this way avoids opening the topic to arbitrary publishers, who could otherwise inject fake or noisy alerts into the central alerting pipeline.

By deploying this solution, the SysOps administrator can centrally manage and receive alerts for resource metric violations across all accounts in the organization through the dedicated logging account’s SNS topic.
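The two CloudFormation templates below are an added example of the pattern option A describes; they are not part of the original question set. Template 1 is deployed once, as an ordinary stack, in the logging account (in every Region the stack set will target); Template 2 is the stack set template deployed to the member accounts. The account IDs, topic name, email address, metric and threshold are constructed placeholders. The topic policy grants publish to the cloudwatch.amazonaws.com service principal and pins it with aws:SourceAccount and aws:SourceArn conditions, the confused-deputy pattern documented for SNS.

```yaml
# --- Template 1: logging account (hypothetical ID 111111111111) ---
# Deploy as a normal stack in every Region the stack set targets, because a
# CloudWatch alarm can only notify an SNS topic in its own Region.
AWSTemplateFormatVersion: '2010-09-09'
Description: Central SNS topic that CloudWatch alarms in member accounts publish to
Parameters:
  MemberAccountIds:
    Type: CommaDelimitedList
    Description: Member accounts allowed to publish (constructed sample IDs)
    Default: '222222222222,333333333333'
  AlertEmail:
    Type: String
    Default: secops@example.com   # placeholder subscriber
Resources:
  CentralAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      TopicName: org-central-alarms
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail
  CentralAlarmTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref CentralAlarmTopic
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # The publisher is the CloudWatch service acting for a member account,
          # so grant the service principal and pin it to the member accounts'
          # alarms instead of granting sns:Publish to "*".
          - Sid: AllowMemberAccountAlarms
            Effect: Allow
            Principal:
              Service: cloudwatch.amazonaws.com
            Action: sns:Publish
            Resource: !Ref CentralAlarmTopic
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref MemberAccountIds
              ArnLike:
                aws:SourceArn: !Sub 'arn:aws:cloudwatch:${AWS::Region}:*:alarm:*'
Outputs:
  CentralAlarmTopicArn:
    Value: !Ref CentralAlarmTopic
---
# --- Template 2: stack set template, deployed to member accounts and Regions ---
AWSTemplateFormatVersion: '2010-09-09'
Description: Standard alarms that notify the central topic in the logging account
Parameters:
  LoggingAccountId:
    Type: String
    Default: '111111111111'        # hypothetical logging account
  CentralTopicName:
    Type: String
    Default: org-central-alarms    # must match Template 1
  LambdaErrorThreshold:
    Type: Number
    Default: 5                     # the "standard defined threshold" for this example
Resources:
  LambdaErrorsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      # Account and Region in the name so the central subscriber can tell alarms apart
      AlarmName: !Sub '${AWS::AccountId}-${AWS::Region}-lambda-errors-high'
      AlarmDescription: Account-wide Lambda errors above the organization threshold
      Namespace: AWS/Lambda
      MetricName: Errors            # no Dimensions, so aggregated across all functions
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: !Ref LambdaErrorThreshold
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      # Cross-account, same-Region topic ARN built from the Region pseudo parameter,
      # so one template works in every Region without per-Region parameter overrides
      AlarmActions:
        - !Sub 'arn:aws:sns:${AWS::Region}:${LoggingAccountId}:${CentralTopicName}'
      OKActions:
        - !Sub 'arn:aws:sns:${AWS::Region}:${LoggingAccountId}:${CentralTopicName}'
```

Deploy Template 1 in the logging account first, then create the stack set from the management account or a StackSets delegated administrator with `--permission-model SERVICE_MANAGED` and `--auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false`, and create stack instances with `--deployment-targets OrganizationalUnitIds=...` for the Regions where Template 1 exists. Two things to check before trusting the pipeline: if the central topic is encrypted with a customer-managed KMS key, that key's policy must also allow cloudwatch.amazonaws.com to use it, and the AWS-managed alias/aws/sns key cannot be used for this; and when the list of member accounts changes, the MemberAccountIds parameter in Template 1 is what gates who can publish, so keep it in step with the organization (or, where the service supports it, scope by organization rather than by account list).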

The other options are incorrect because:

B. Deploying a separate stack, with its own SNS topic, in each account leaves the alerts in the account that raised them. There is no single topic in the logging account to subscribe to, and every template change has to be repeated account by account.
C. A scheduled Lambda function in each account reimplements what CloudWatch alarms already do, replaces continuous metric evaluation with periodic polling, and adds per-account code and permissions to maintain. It is decentralized and adds operational overhead without meeting the centralization requirement any better.
D. A CloudFormation change set previews changes to an existing stack; it is not a mechanism for deploying templates across an organization. In addition, CloudWatch alarm actions cannot target Amazon SES directly, and sending email through SES does not deliver alerts to the dedicated logging account.
