
SAP-C02: Fastest Way to Track Changes and Alert Noncompliant Security Group Changes on AWS

Learn how to set up AWS Config to track changes and send alerts when noncompliant security group changes are made to EC2 instances on AWS.


Question

A company has set up its entire infrastructure on AWS. The company uses Amazon EC2 instances to host its ecommerce website and uses Amazon S3 to store static data. Three engineers at the company handle the cloud administration and development through one AWS account. Occasionally, an engineer alters an EC2 security group configuration of another engineer and causes noncompliance issues in the environment.

A solutions architect must set up a system that tracks changes that the engineers make. The system must send alerts when the engineers make noncompliant changes to the security settings for the EC2 instances.

What is the FASTEST way for the solutions architect to meet these requirements?

A. Set up AWS Organizations for the company. Apply SCPs to govern and track noncompliant security group changes that are made to the AWS account.
B. Enable AWS CloudTrail to capture the changes to EC2 security groups. Enable Amazon CloudWatch rules to provide alerts when noncompliant security settings are detected.
C. Enable SCPs on the AWS account to provide alerts when noncompliant security group changes are made to the environment.
D. Enable AWS Config on the EC2 security groups to track any noncompliant changes. Send the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic.

Answer

D. Enable AWS Config on the EC2 security groups to track any noncompliant changes. Send the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic.

Explanation

The fastest way for the solutions architect to meet these requirements is to enable AWS Config on the EC2 security groups to track any noncompliant changes and send the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic (Option D).

AWS Config is a fully managed service that enables you to assess, audit, and evaluate the configurations of your AWS resources. With AWS Config, you can record configuration changes and evaluate compliance over time. AWS Config allows you to create custom rules to evaluate the configuration of your resources and receive notifications when a resource is noncompliant.

Setting up AWS Organizations and Service Control Policies (SCPs), or enabling SCPs on the AWS account, would not be the fastest solution, because both require additional time to set up and configure. Moreover, SCPs are used to restrict or allow AWS services and actions; they do not track configuration changes or send alerts.

Enabling AWS CloudTrail and Amazon CloudWatch rules would require additional configuration and integration with other services before it could produce alerts, which makes it less efficient than using AWS Config.

Therefore, enabling AWS Config on the EC2 security groups to track any noncompliant changes and sending the changes as alerts through an Amazon Simple Notification Service (Amazon SNS) topic is the fastest way to meet the requirements.
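The following is an added example, not part of the original question or answer, of the custom-rule evaluation that AWS Config performs when a security group changes. It is a hypothetical Lambda handler for a custom AWS Config rule: Config invokes it with the changed configuration item, the handler marks the security group NON_COMPLIANT if any inbound rule is open to the whole internet on a port outside an assumed allow-list (80 and 443), and reports the result with PutEvaluations. The resulting compliance-change event is what would then be routed to the SNS topic described above; the allow-list, the sample event, and the recording stub client are constructed for this example.

```python
"""Custom AWS Config rule (Lambda handler) evaluating EC2 security groups.

Hypothetical example: NON_COMPLIANT when an inbound rule is open to the world
(0.0.0.0/0 or ::/0) on a port outside PUBLIC_PORTS_ALLOWED.
"""
import json
from typing import Any, Dict

# Assumption for this example: only the web ports may be exposed to the internet.
PUBLIC_PORTS_ALLOWED = {80, 443}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_span(perm: Dict[str, Any]) -> str:
    """Human-readable port span of one ipPermissions entry ('all' for protocol -1)."""
    if perm.get("ipProtocol") == "-1":
        return "all"
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return f"{lo}" if lo == hi else f"{lo}-{hi}"


def _is_world_open(perm: Dict[str, Any]) -> bool:
    """True if the entry carries a world-open IPv4 or IPv6 range."""
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def _exposes_restricted_port(perm: Dict[str, Any]) -> bool:
    """True if the entry covers any port not on the allow-list (conservative on oddities)."""
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if perm.get("ipProtocol") == "-1" or lo is None or hi is None:
        return True  # all traffic, or a protocol without TCP/UDP ports
    return not set(range(lo, hi + 1)) <= PUBLIC_PORTS_ALLOWED


def evaluate_security_group(item: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Evaluation structure AWS Config expects for one configuration item."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "resource deleted"
    elif item.get("resourceType") != "AWS::EC2::SecurityGroup":
        compliance, annotation = "NOT_APPLICABLE", "not a security group"
    else:
        perms = item.get("configuration", {}).get("ipPermissions", [])
        findings = [f"{p.get('ipProtocol')}/{_port_span(p)} open to the world"
                    for p in perms if _is_world_open(p) and _exposes_restricted_port(p)]
        compliance = "NON_COMPLIANT" if findings else "COMPLIANT"
        annotation = "; ".join(findings) or "no world-open ingress outside allowed ports"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # PutEvaluations caps Annotation at 256 characters
        "OrderingTimestamp": item.get("configurationItemCaptureTime"),
    }


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records PutEvaluations calls."""
    def __init__(self) -> None:
        self.calls = []

    def put_evaluations(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   config_client: Any = None) -> Dict[str, Any]:
    """Entry point AWS Config invokes; config_client is injectable for offline use."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate_security_group(item)
    if config_client is None:
        import boto3  # imported lazily so the module loads without the AWS SDK
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event shaped like a ConfigurationItemChangeNotification:
# one engineer added an SSH rule open to the world next to the HTTPS rule.
SAMPLE_EVENT = {
    "resultToken": "example-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"groupName": "web-tier", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            ]},
        },
    }),
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, RecordingConfigClient()))
```

Deployed for real, the handler would be registered as a custom rule scoped to AWS::EC2::SecurityGroup and triggered on configuration change, and an EventBridge rule matching AWS Config compliance-change events would publish to the SNS topic; the handler itself only decides compliance and reports it.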

Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available for free, helpful to pass the Amazon AWS Certified Solutions Architect – Professional SAP-C02 exam and earn the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification.