Q82 — AWS DOP-C02 Ch.1


A company uses AWS CloudFormation to deploy its application environment. A recent update to the CloudFormation stack failed during deployment. A DevOps engineer discovered that some resources in the stack had been manually modified. A DevOps engineer needs a solution to detect manual modifications to resources and alert the DevOps manager. Which solution meets these requirements with minimal operational overhead?

Correct Answer: A. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the DevOps manager’s email address to the SNS topic. Create an AWS Config managed rule with identifier CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK. Create an Amazon EventBridge rule that invokes on NON_COMPLIANT resource state. Set the SNS topic as the rule target.

Explanation

The AWS Config managed rule CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK automatically detects drift between the actual state of a stack's resources and the state defined in its template. When drift is found, the stack is evaluated as NON_COMPLIANT. Amazon EventBridge natively receives AWS Config compliance-change events, so a rule that matches the NON_COMPLIANT state can deliver the alert to an Amazon SNS topic without custom code or complex configuration. The solution uses only fully managed services, requires no development, and therefore has the lowest operational overhead. Option B adds unnecessary custom rule development and Lambda logic; Option C matches the COMPLIANT state, which is the opposite of the requirement; Option D omits SNS and requires maintaining a Lambda function for email delivery, which increases complexity.
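As an added illustration (not part of the exam page or AWS documentation), the EventBridge event pattern that implements the correct answer, checked against constructed AWS Config compliance-change events; the Config rule name and stack ARN are assumed sample values:

```python
"""Added example: EventBridge event pattern for the drift-alert rule, exercised
against constructed AWS Config compliance-change events."""
import json

# Assumed name given to the CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK managed rule.
CONFIG_RULE_NAME = "cfn-stack-drift-check"

# Event pattern for the EventBridge rule whose target is the SNS topic.
# It matches only transitions to NON_COMPLIANT reported by the drift rule
# (option C's mistake is matching COMPLIANT here instead).
EVENT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "configRuleName": [CONFIG_RULE_NAME],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}


def matches(pattern, event):
    """Minimal EventBridge-style matcher: every key in the pattern must be
    present in the event; a list means 'any of these values', a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def make_event(compliance, rule=CONFIG_RULE_NAME):
    """Constructed sample of the event AWS Config emits when compliance changes."""
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": rule,
            "resourceType": "AWS::CloudFormation::Stack",
            "resourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/app/EXAMPLE",
            "newEvaluationResult": {"complianceType": compliance},
        },
    }


def should_alert(event):
    """True when the event would reach the SNS topic (drift detected)."""
    return matches(EVENT_PATTERN, event)


def pattern_json():
    """Pattern as JSON, ready for an EventBridge rule definition."""
    return json.dumps(EVENT_PATTERN, indent=2)
```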