
AWS Security Governance at Scale: Which AWS Service Records and Evaluates Resource Configurations for Governance?

How Does AWS Config Support a Cloud Governance Framework?

Learn how AWS Config provides a detailed view of resource configurations to support your governance framework. Understand its core function in recording changes and automatically evaluating compliance against defined rules for security and operational excellence.

Question

Which service supports an effective governance framework by recording and evaluating configurations of AWS offerings?

A. Amazon CloudWatch
B. AWS Config
C. AWS Control Tower
D. AWS CodeBuild

Answer

B. AWS Config

Explanation

AWS Config is the specific service designed to meet the requirements of recording and evaluating resource configurations. It functions as a foundational pillar for governance, compliance, and auditing in AWS. Its two primary capabilities directly address the question:

Recording: AWS Config continuously monitors and records the configuration states of your AWS resources and any changes made to them over time. It provides a detailed configuration history for each resource, answering questions about what a resource looked like at any point in the past.

Evaluating: Using AWS Config Rules, you can automatically evaluate these recorded configurations against your internal policies and best practices. AWS provides a set of managed rules, and you can create custom rules to define your desired configuration settings. When a resource becomes non-compliant, AWS Config can flag it and trigger remediation actions via AWS Systems Manager or notifications through Amazon SNS.
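A custom AWS Config rule of the kind the Evaluating paragraph describes, added here as an example (not code from the page): a Lambda handler that checks whether a recorded resource carries the tag keys named in the rule's parameters and reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back to Config. The event layout (invokingEvent, ruleParameters, resultToken) is what Config sends to custom Lambda rules; the resource values are constructed and the requiredTagKeys parameter name is an assumption.

```python
import json

# Constructed sample: the JSON AWS Config passes to a custom rule Lambda.
# Real invocations carry the same keys; the values here are made up.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",   # constructed id
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
            "tags": {"Environment": "prod"},        # note: no Owner tag
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKeys": "Owner,Environment"}),
    "resultToken": "constructed-token",
}


def evaluate_compliance(item: dict, params: dict) -> tuple:
    """Return (ComplianceType, Annotation) for one configuration item."""
    # Deleted resources cannot be non-compliant; tell Config to skip them.
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource was deleted"
    required = [k.strip() for k in params.get("requiredTagKeys", "").split(",") if k.strip()]
    missing = [k for k in required if k not in item.get("tags", {})]
    if missing:
        return "NON_COMPLIANT", "Missing required tags: " + ", ".join(missing)
    return "COMPLIANT", "All required tags present"


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Entry point AWS Config invokes. Builds the evaluation and, when a
    boto3 'config' client is supplied, reports it back via put_evaluations."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate_compliance(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:  # e.g. boto3.client("config") inside Lambda
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation
```

Run locally, the handler returns a NON_COMPLIANT evaluation for the sample instance because its Owner tag is missing; in Lambda, pass a boto3 Config client so the result reaches the Config dashboard.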

Incorrect Options

A. Amazon CloudWatch: This service is focused on monitoring operational and performance data, such as metrics, logs, and events. It tells you how your resources are performing, not what their configuration state is or if they are compliant with governance rules.

C. AWS Control Tower: This is a higher-level orchestration service that sets up and governs a secure, multi-account AWS environment. While it establishes a governance framework, it does so by deploying and managing underlying services, including AWS Config. Control Tower uses AWS Config as the mechanism for implementing many of its detective guardrails, but AWS Config is the service that performs the actual recording and evaluation.

D. AWS CodeBuild: This is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages. It is part of the developer tool suite and is not involved in monitoring infrastructure resource configurations.
